clarify credential error response can be authorization or credential request error #64
Conversation
thank you! Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com>
Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com>
| The following additional error codes are specified: | ||
| * `error`: REQUIRED. A key at the top level of a JSON object, the value of which SHOULD be a single ASCII [@!USASCII] error code from the following: | ||
| * `invalid_credential_request`: The Credential Request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, or is otherwise malformed. | ||
| * `unsupported_credential_type`: Requested credential type is not supported. |
There was a problem hiding this comment.
type is specific to the *_vc_* (W3C) formats, right? So, probably it shouldn't be in these format-independent error values.
There was a problem hiding this comment.
A more general error could be unsupported_credential. This could be used to target non format related credential errors of this klnd.
There was a problem hiding this comment.
type is not specific to W3C formats :) it is used to refer to a claimset to be included in a credential. the definition of doctype in ISO 18013-5 is docType is the requested document type. and we use the following definition of doctype in VCI too
doctype: REQUIRED. JSON string identifying the credential type as defined in [ISO.18013-5].
so I think the current text is ok
There was a problem hiding this comment.
That's a slippery slope as the spec treats any credential type information as format specific. In addition, W3C has an array of type values. I assume the issuer would like to indicate which of them is unsupported.
There was a problem hiding this comment.
how should your comment be interpreted? are you agreeing with Jacob and Pedro that a generic use of a term type in the spec should be revisited? i do not disagree but that should be a separate issue.
There was a problem hiding this comment.
I agree with Jacob and Pedro that types are format specific. Whether we go for the more generic error code (as sugested by Jacob) or use format specific error codes depends on whether what wallets can reasonably process. If wallets anyway treat it generically, I would be in favor of the generic error code.
jacobideskog
left a comment
jacobideskog
left a comment
There was a problem hiding this comment.
My only concern is the same as @pmhsfelix 's to name the unsupported_credential_type value after a W3C specific item.
| The following additional error codes are specified: | ||
| * `error`: REQUIRED. A key at the top level of a JSON object, the value of which SHOULD be a single ASCII [@!USASCII] error code from the following: | ||
| * `invalid_credential_request`: The Credential Request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, or is otherwise malformed. | ||
| * `unsupported_credential_type`: Requested credential type is not supported. |
There was a problem hiding this comment.
A more general error could be unsupported_credential. This could be used to target non format related credential errors of this klnd.
Co-authored-by: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it>
Co-authored-by: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it>
bc-pi
left a comment
bc-pi
left a comment
There was a problem hiding this comment.
authorization error response can't mandate the auth-scheme value "Bearer
Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com>
| If the Credential Request does not contain an Access Token that enables issuance of a requested credential, the Credential Endpoint returns an authorization error response such as defined in section 3 of [@!RFC6750]. | ||
|
|
||
| - Credential Request was malformed. One or more of the parameters (i.e., `format`, `proof`) are missing or malformed. | ||
| For the errors specific to the Credential Request such as those caused by `type`, `format`, `proof`, or encryption parameters in the request, the error codes values defined in (#credential-request-errors) SHOULD be used instead of a generic `invalid_request` parameter defined in section 3.1 of [@!RFC6750]. |
There was a problem hiding this comment.
I find this paragraph underneath #### Authorization Errors {#authorization-errors} misleading. Suggest to remove the section heading and just have two paragraphs or to move the second section into the credential issuance errors section.
There was a problem hiding this comment.
I think it would be more misleading to have two separate paragraphs talking about errors for credential endpoint. we can change section titles (credential error response; authorization errors; credential request errors) if they are misleading, but I really do not think we need to change the structure.
There was a problem hiding this comment.
Ok. Let's try the current text.
There was a problem hiding this comment.
discussed in the WG call, agreed to move line 889 under 891.
| The following additional error codes are specified: | ||
| * `error`: REQUIRED. A key at the top level of a JSON object, the value of which SHOULD be a single ASCII [@!USASCII] error code from the following: | ||
| * `invalid_credential_request`: The Credential Request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, or is otherwise malformed. | ||
| * `unsupported_credential_type`: Requested credential type is not supported. |
There was a problem hiding this comment.
That's a slippery slope as the spec treats any credential type information as format specific. In addition, W3C has an array of type values. I assume the issuer would like to indicate which of them is unsupported.
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Co-authored-by: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it>
…ential-error-response
|
@tlodderstedt we restructured as you suggested, please re-review. the WG was not clear on your second comment regarding "type" |
| The following additional error codes are specified: | ||
| * `error`: REQUIRED. A key at the top level of a JSON object, the value of which SHOULD be a single ASCII [@!USASCII] error code from the following: | ||
| * `invalid_credential_request`: The Credential Request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, or is otherwise malformed. | ||
| * `unsupported_credential_type`: Requested credential type is not supported. |
There was a problem hiding this comment.
I agree with Jacob and Pedro that types are format specific. Whether we go for the more generic error code (as sugested by Jacob) or use format specific error codes depends on whether what wallets can reasonably process. If wallets anyway treat it generically, I would be in favor of the generic error code.
| The following additional error codes are specified: | ||
| * `error`: REQUIRED. A key at the top level of a JSON object, the value of which SHOULD be a single ASCII [@!USASCII] error code from the following: | ||
| * `invalid_credential_request`: The Credential Request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, or is otherwise malformed. | ||
| * `unsupported_credential_type`: Requested credential type is not supported. |
| If the Credential Request does not contain an Access Token that enables issuance of a requested credential, the Credential Endpoint returns an authorization error response such as defined in section 3 of [@!RFC6750]. | ||
|
|
||
| - Credential Request was malformed. One or more of the parameters (i.e., `format`, `proof`) are missing or malformed. | ||
| For the errors specific to the Credential Request such as those caused by `type`, `format`, `proof`, or encryption parameters in the request, the error codes values defined in (#credential-request-errors) SHOULD be used instead of a generic `invalid_request` parameter defined in section 3.1 of [@!RFC6750]. |
There was a problem hiding this comment.
Ok. Let's try the current text.
|
agreed with torsten to open an issue to rename |
|
6 approvals. open for more than a week. no objection to merge during the WG call. |
addresses issue #40.
Moved from Bitbucket: https://bitbucket.org/openid/connect/pull-requests/590
I wonder if batch credential endpoint needs additional error codes...