credentials Credentials Offer parameter values identifying credentials_supported object(s) in the issuer's metadata.
#86
Conversation
Sakurann
requested review from
awoie,
c2bo,
jogu,
mdobrinic,
paulbastian,
pmhsfelix,
rohe and
tlodderstedt
Sakurann
changed the title
credentials Credentials Offer parameter values identifying credentials_supported object(s) in the issuer's metadata.
| This section defines the structure of the objects that appear in the `credentials_supported` metadata parameter. | ||
|
|
||
| * `format`: REQUIRED. A JSON string identifying the format of this credential, i.e., `jwt_vc_json` or `ldp_vc`. Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the credential MAY contain and information about how to display the credential. (#format_profiles) defines Credential Format Profiles introduced by this specification. | ||
| * `credentials_supported_identifier`: REQUIRED when Credential Offer is used. A JSON string uniquely identifying this object within the `credentials_supported` array. It is used in the Credential Offer as defined in (#credential_offer_parameters) to enable the Wallet to discover the information about the Credential being offered. |
There was a problem hiding this comment.
Since this is a unique identifier could we consider renaming this to id and moving it above format in this definition to signify the importance?
There was a problem hiding this comment.
Within VCI, there are two different identifiers: 1) identifier that points to a credentials_supported object in the issuer metadata, and 2) identifier that identifies a credential instance during issuance (PR #65), so I was trying to differentiate those.
Having said that, there is only one identifier within issuer metadata, so maybe just "id" is ok...
There are so many "id" claims in the Credential space: in the DIF presentation exchange, in W3C VCDM, that i would prefer differentiating from those, but maybe no need...
On the order, I usually like putting mandatory parameters at the top, but in this case, logically, identifier should probably be at the top.
There was a problem hiding this comment.
I agree with @cobward , it is the primary identifier and belongs to the top. I was also wondering why its not named id but I'm fine with the explanation
There was a problem hiding this comment.
with credentials_subject structure changing to a map, there will be no more credentials_supported_identifier :)
@cobward I think this data structure change of a credentials_supported_identifier is a breaking change for your implementation.. please check.
|
|
||
| * `credential_issuer`: REQUIRED. The URL of the Credential Issuer, as defined in (#credential-issuer-identifier), from which the Wallet is requested to obtain one or more Credentials. The Wallet uses it to obtain the Credential Issuer's Metadata following the steps defined in (#credential-issuer-wellknown). | ||
| * `credentials`: REQUIRED. A JSON array, where every entry is a JSON object or a JSON string. If the entry is an object, the object contains the data related to a certain credential type the Wallet MAY request. Each object MUST contain a `format` Claim determining the format of the credential to be requested and further parameters characterizing the type of the credential to be requested as defined in (#format_profiles). If the entry is a string, the string value MUST be one of the `scope` values in one of the objects in the `credentials_supported` Credential Issuer metadata parameter. When processing, the Wallet MUST resolve this string value to the respective object. | ||
| * `credentials`: REQUIRED. A JSON array of JSON strings that each uniquely identify one of the objects in the `credentials_supported` array included in the Credential Issuer metadata as defined in (#credential-issuer-parameters). The Wallet resolves this string value to the respective object to obtain information about the Credential being offered defined in (credential-metadata-object). For example, this string value can be used to obtain `scope` value to be used in the Authorization Request. |
There was a problem hiding this comment.
Could this be reworded to make it clear which element in the credentials_supported object it is supposed to match against? I also think it is redundant to say uniquely identify here, as the definition of the identifier already includes that.
Maybe something like:
| * `credentials`: REQUIRED. A JSON array of JSON strings that each uniquely identify one of the objects in the `credentials_supported` array included in the Credential Issuer metadata as defined in (#credential-issuer-parameters). The Wallet resolves this string value to the respective object to obtain information about the Credential being offered defined in (credential-metadata-object). For example, this string value can be used to obtain `scope` value to be used in the Authorization Request. | |
| * `credentials`: REQUIRED. A JSON array of JSON strings that each can be matched against the `credentials_supported_identifier` parameter of the objects in the `credentials_supported` array included in the Credential Issuer metadata as defined in (#credential-issuer-parameters). The Wallet resolves this string value to the respective object to identify and obtain information about the Credential being offered defined in (credential-metadata-object). For example, this string value can be used to obtain `scope` value to be used in the Authorization Request. |
There was a problem hiding this comment.
| * `credentials`: REQUIRED. A JSON array of JSON strings that each uniquely identify one of the objects in the `credentials_supported` array included in the Credential Issuer metadata as defined in (#credential-issuer-parameters). The Wallet resolves this string value to the respective object to obtain information about the Credential being offered defined in (credential-metadata-object). For example, this string value can be used to obtain `scope` value to be used in the Authorization Request. | |
| * `credentials`: REQUIRED. An array of strings that each can be matched against the `credentials_supported_identifier` parameter of the objects in the `credentials_supported` array included in the Credential Issuer metadata as defined in (#credential-issuer-parameters). The Wallet resolves this string value to the respective object to identify and obtain information about the Credential being offered defined in (credential-metadata-object). For example, this string value can be used to obtain `scope` value to be used in the Authorization Request. |
There was a problem hiding this comment.
the structure has changed to map, please check an updated language..
|
IMO, this proposal can be greatly simplified by changing the type of Example for {
"UniversityDegreeCredential":{
"format":"jwt_vc_json",
"cryptographic_binding_methods_supported":[
]
},
"Example2":{
"format":"mso_mdoc",
"doctype":"org.iso.18013.5.1.mDL"
}
}In the credential offer would then contain |
|
@danielfett and I jsut realized the potential of this PR is even bigger. We could simplify Token Request and Credential Request as well and get rid off alomst all credential-format specific things |
paulbastian
left a comment
paulbastian
left a comment
There was a problem hiding this comment.
I would like to understand the reasoning behind Authorization Details.
If I look at the Credential Request, it currently includes format and additional credential-format specific data, e.g.:
{
"format": "jwt_vc_json",
"credential_definition": {
"type": [
"VerifiableCredential",
"UniversityDegreeCredential"
],
"credentialSubject": {
"given_name": {},
"family_name": {},
"degree": {}
}
},
"proof": {
"proof_type": "jwt",
"jwt":"eyJraWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEva2V5cy8
xIiwiYWxnIjoiRVMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR
0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJpYXQiOiIyMDE4LTA5LTE0VDIxOjE5OjEwWiIsIm5vbm
NlIjoidFppZ25zbkZicCJ9.ewdkIkPV50iOeBUqMXCC_aZKPxgihac0aW9EkL1nOzM"
}
}
or
{
"format": "mso_mdoc",
"doctype": "org.iso.18013.5.1.mDL",
"claims": {
"org.iso.18013.5.1": {
"given_name": {},
"family_name": {},
"birth_date": {}
},
"org.iso.18013.5.1.aamva": {
"organ_donor": {}
}
},
"proof": {
"proof_type": "jwt",
"jwt": "eyJraWQiOiJkaWQ6ZXhhbXBsZ...KPxgihac0aW9EkL1nOzM"
}
}
Both could be changed to include only the id from the Issuer Metadata, similar to what I proposed to the simplification of Credential Offer. In that way we get rid of almost all Credential-format specific data in the Appendix E:
{
"id": "UniversityDegreeCredential",
"proof": {
"proof_type": "jwt",
"jwt": "eyJraWQiOiJkaWQ6ZXhhbXBsZ...KPxgihac0aW9EkL1nOzM"
}
}
@paulbastian that is already addressed in PR #65. it is out of scope of this PR because two identifiers need to be clearly distinguished: this PR talks only about the identifier used to match against an object within issuer metadata, while PR #65 talks about an identifier of a credential instance that is being issued. PR #65 allows to use To prevent further confusion, summarizing current E2E flows we will have in the spec if both this and PR #65 get merged.
(steps 1a and 1b can obviously be used stand-alone without 1a and 2a.) so in short, I think there is no further simplification needed in this PR. |
I agree changing to a map looks cleaner, but I don't have a strong opinion - would like feedback from the WG. |
|
@TimoGlastra @nklomp can you please review if you get a chance..? |
paulbastian
left a comment
paulbastian
left a comment
There was a problem hiding this comment.
This is a great improvement.
It seems to me that there is some redundancy between credentials_supported_identifier , scope , c_instance_identifier and authorization_details but that become clearer once both PRs are merged.
…entials_supported_identifier
|
as part of changing the data structure to a map, I also merged two sub-sections within the issuer metadata section. so there is no more section dedicated to explaining parameters comprising also, originally, |
| * `text_color`: OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [@!CSS-Color]. | ||
|
|
||
| It is dependent on the Credential format where the available claims will appear and how they are represented (see (#format_profiles)). | ||
| * `credentials_supported`: REQUIRED. An object that describes specifics of the Credential that the Credential Issuer supports issuance of. This object contains a list of name/value pairs, where each name is an identifier of the credential being described. This identifier is used in the Credential Offer as defined in (#credential_offer_parameters) to communicate to the Wallet which Credential is being offered. The value is an object that contains metadata about specific credential and contains the following parameters defined by this specification: |
There was a problem hiding this comment.
If we have a breaking change here, it is a convenient opportunity for any renaming from #91 . This would also enable some backwards-compatiblity
TimoGlastra
left a comment
TimoGlastra
left a comment
There was a problem hiding this comment.
These changes look good to me 👍
Co-authored-by: Timo Glastra <timo@animo.id>
nklomp
left a comment
nklomp
left a comment
There was a problem hiding this comment.
Overall liking the change. Have some small comments to make it more clear the keys need to be unique and a remark about the scope, for which the lookup now has a bit of different behaviour.
But these are non-blocking
| In addition to a mechanism defined in (#credential-authz-request), Credential Issuers MAY support requesting authorization to issue a credential using OAuth 2.0 scope parameter. | ||
|
|
||
| When the Wallet does not know which scope value to use to request issuance of a certain credential, it can discover it using the `scope` Credential Issuer metadata parameter defined in (#credential-metadata-object). When the flow starts with a Credential Offer, the Wallet can use the information in the `credentials` Credential Offer parameter. When the entry of the `credentials` parameter is a string, it can be used as a scope value. When the entry of the `credentials` parameter is an object, it can be used to discover the desired scope value from the Credential Issuer metadata that can be obtained using `credential_issuer` Credential Offer parameter as defined in (#credential-issuer-wellknown). | ||
| When the Wallet does not know which scope value to use to request issuance of a certain credential, it can discover it using the `scope` Credential Issuer metadata parameter defined in (#credential-issuer-parameters). When the flow starts with a Credential Offer, the Wallet can use the `credentials` parameter values to identify object(s) in the `credentials_supported` map in the Credential Issuer metadata parameter and use `scope` parameter value from that object. |
There was a problem hiding this comment.
Previously it allowed for the param to either be a string, which then needed to be used as a scope, or it was the object, from which you then had to lookup the scope in the respective credentials_supported object.
scopes are however completely optional in credentials_supported. Since the string will now always map onto the respective key of the credentials_supported map, this change means we now always need to look at the scrope value. Is that desired, or should the text be reworked that you need to lookup the scope and if not present use the string value?
There was a problem hiding this comment.
I think it is a desired/intended behavior that if the wallet needs to look up the scope value, it uses the identifier to look it up. if it does not need scope value, it just uses the parameters other than scope values to formulate authorization_details request. allowing to use identifier as a scope value will lead to ambiguities when that is allowed and when it is not. and will also prevent using the same scope values across multiple credentials_supported entries
There was a problem hiding this comment.
Agreed, just pointing out the difference with previous version
pmhsfelix
left a comment
pmhsfelix
left a comment
There was a problem hiding this comment.
Approved with minor comments.
| In addition to a mechanism defined in (#credential-authz-request), Credential Issuers MAY support requesting authorization to issue a credential using OAuth 2.0 scope parameter. | ||
|
|
||
| When the Wallet does not know which scope value to use to request issuance of a certain credential, it can discover it using the `scope` Credential Issuer metadata parameter defined in (#credential-metadata-object). When the flow starts with a Credential Offer, the Wallet can use the information in the `credentials` Credential Offer parameter. When the entry of the `credentials` parameter is a string, it can be used as a scope value. When the entry of the `credentials` parameter is an object, it can be used to discover the desired scope value from the Credential Issuer metadata that can be obtained using `credential_issuer` Credential Offer parameter as defined in (#credential-issuer-wellknown). | ||
| When the Wallet does not know which scope value to use to request issuance of a certain credential, it can discover it using the `scope` Credential Issuer metadata parameter defined in (#credential-issuer-parameters). When the flow starts with a Credential Offer, the Wallet can use the `credentials` parameter values to identify object(s) in the `credentials_supported` map in the Credential Issuer metadata parameter and use `scope` parameter value from that object. |
There was a problem hiding this comment.
Suggest "credentials_supported object in" instead of "credentials_supported map in" (i.e. use object instead of map).
There was a problem hiding this comment.
it used to say object and Timo suggested to change to map and I agreed. happy to change back if this comes up again..
This is the only mention of credentials_supported_identifier in the whole specificaiton, I believe this was just overlooked in #86
This is the only mention of credentials_supported_identifier in the whole specification, I believe this was just overlooked in #86
) editorial. approval of one of the editors. This is the only mention of credentials_supported_identifier in the whole specification, I believe this was just overlooked in #86
As discussed during IIW week, changing the structure of credentials parameter in the credential offer back to the identifier that can be used to obtain specific
credentials_supportedobject from the issuer metadata. Also removing an option to pass format/type in the credential offer. Also agreed that inline metadata in the credential offer will not be supported. Addresses issues #83, #82, #77, #53.During pre-IIW DCP WG mtg, we discussed enabling
credentials_supportedobject being hosted not necessarily at.well-known/openid-credential-issueras currently defined in the specification but at the private location that is known privately between the wallet and the Issuer. Current textA JSON array of JSON strings that each uniquely identify one of the objects in thecredentials_supportedarray included in the Credential Issuer metadata as defined in (#credential-issuer-parameters).should be open enough to allow this.There are separate issues like #42 on how the wallet could potentially add this identifier as query to the issuer metadata location so that the issuer returns part of the maya data instead of the wallet needing to search potentially large metadata file, but that is probably a separate PR.