Skip to content

add verifier_attestations parameter to authz req #482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 33 commits into from
Apr 11, 2025
Merged

add verifier_attestations parameter to authz req #482

merged 33 commits into from
Apr 11, 2025

Conversation

@cre8
Copy link
Contributor

@cre8 cre8 commented Mar 31, 2025

Closes #396

@Sakurann
Copy link
Collaborator

Sakurann commented Mar 31, 2025

Please add a change log :)

@cre8
Copy link
Contributor Author

cre8 commented Apr 1, 2025

Please add a change log :)

done :)

jogu
jogu requested changes Apr 1, 2025
View reviewed changes
@cre8 cre8 requested a review from jogu April 1, 2025 19:39
@Sakurann Sakurann added this to the Final 1.0 milestone Apr 2, 2025
Sakurann
Sakurann reviewed Apr 2, 2025
View reviewed changes
TimoGlastra
TimoGlastra reviewed Apr 3, 2025
View reviewed changes
TimoGlastra
TimoGlastra reviewed Apr 3, 2025
View reviewed changes
jogu
jogu approved these changes Apr 3, 2025
View reviewed changes
c2bo
c2bo reviewed Apr 3, 2025
View reviewed changes
cre8 and others added 10 commits April 4, 2025 11:39
@cre8
add attachment parameter to authz req
a6de8c8 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
@cre8
add changelog entry
6b23534 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
@cre8 @jogu
Update openid-4-verifiable-presentations-1_0.md
198c987 
Co-authored-by: Joseph Heenan <joseph@heenan.me.uk>
@cre8
add iana entry
6a06b38 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
@cre8
add to dc api
d9c4cc1 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
@cre8 @jogu
Update openid-4-verifiable-presentations-1_0.md
1617816 
Co-authored-by: Joseph Heenan <joseph@heenan.me.uk>
@cre8
update data type
a4fcbf3 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
@cre8
remove replay protection
cfd2841 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
@cre8
update paragraph structure
68b1c9d 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
@cre8
move to v26
3f95d7f 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
tlodderstedt
tlodderstedt requested changes Apr 6, 2025
View reviewed changes
@cre8 @TimoGlastra
Update openid-4-verifiable-presentations-1_0.md
010bf8a 
Co-authored-by: Timo Glastra <timo@animo.id>
@cre8
Copy link
Contributor Author

cre8 commented Apr 6, 2025

I think this PR is in a decent state.

The only thing that worries me a bit is the question if we should add some form of ID on the root level of attachments to help a Wallet make a decision whether it needs to parse an attachment or not. I don't think it is a good idea to force a wallet to parse all attachments (in formats it understands) before being able to make a decision if it needs or understands them or not. Would feel cleaner to me if we added said id parameter to entries of attachments. Ecosystems would then need to define ids in a collision-resistant fashion.

I think the best approach would be to follow the JWT approach where the typ field defines the type of JWT and then there is a registry for the eco system or a global one where the values and how to deal with the attachment is defined. Since this field is on the root level of the attachment, the Wallet only needs to parse this value without anything else and can then decide how to continue.

@cre8
add various changes
5288e43 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
c2bo
c2bo reviewed Apr 7, 2025
View reviewed changes
Copy link
Member

@c2bo c2bo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure about the proof of possession part tbh

@cre8 @c2bo
Apply suggestions from code review
42b8e74 
Co-authored-by: Christian Bormann <8774236+c2bo@users.noreply.github.com>
cre8
cre8 commented Apr 8, 2025
View reviewed changes
@tlodderstedt tlodderstedt changed the title add attachment parameter to authz req add verifier_attestations parameter to authz req Apr 8, 2025
tlodderstedt
tlodderstedt requested changes Apr 8, 2025
View reviewed changes
@cre8 @tlodderstedt
Apply suggestions from code review
78ad05b 
Co-authored-by: Torsten Lodderstedt <torsten@lodderstedt.net>
@cre8 cre8 mentioned this pull request Apr 8, 2025
Merged
cre8
cre8 commented Apr 11, 2025
View reviewed changes
cre8 and others added 2 commits April 10, 2025 21:57
@cre8
Apply suggestions from code review
4966fc2
@cre8
remove double example
30a1c91 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
tlodderstedt
tlodderstedt requested changes Apr 11, 2025
View reviewed changes
@cre8
fix typo
26d851a 
Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
tlodderstedt
tlodderstedt requested changes Apr 11, 2025
View reviewed changes
@cre8 @tlodderstedt
Apply suggestions from code review
70b2561 
change type to format

Co-authored-by: Torsten Lodderstedt <torsten@lodderstedt.net>
cre8
cre8 commented Apr 11, 2025
View reviewed changes
c2bo
c2bo approved these changes Apr 11, 2025
View reviewed changes
Copy link
Member

@c2bo c2bo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not really happy with wallets having to parse everything first (to discover type) before understanding if it's relevant, but overall this variant seems to achieve the requirements

openid-4-verifiable-presentations-1_0.md
This specification supports two models for proof of possession:

- **claim-bound attestations**: The attestation is not signed by the Relying Party, but bound to it. The exact binding mechanism is defined by the type of the definition. For example for JWTs, the `sub` claim is including the distinguished name of the Certificate that was used to sign the request. The binding may also include the client_id parameter.
- **key-bound attestations**: The attestation's proof of possession is signed by the Relying Party with a key contained or related to the attestation . To bind the signature to the presentation request, the respective signature object should include the `nonce` and `client_id` request parameters. The attestation and the proof of possession have to be passed in the attachment.
Copy link
Member

@c2bo c2bo Apr 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- **key-bound attestations**: The attestation's proof of possession is signed by the Relying Party with a key contained or related to the attestation . To bind the signature to the presentation request, the respective signature object should include the `nonce` and `client_id` request parameters. The attestation and the proof of possession have to be passed in the attachment.
- **key-bound attestations**: The attestation's proof of possession is signed by the Verifier with a key contained or related to the attestation. To bind the signature to the presentation request, the respective object signed by the Verifier should include the `nonce` and `client_id` request parameters. The attestation and the proof of possession have to be passed in the attachment.

@cre8
Copy link
Contributor Author

cre8 commented Apr 11, 2025

I am not really happy with wallets having to parse everything first (to discover type) before understanding if it's relevant, but overall this variant seems to achieve the requirements

Me neither, but since it's only parsing and not validating, it should be fine. If there occur attestations where it becomes more complex, we can add an optional attribute that can be used as an identifier. But at this point we were not able to find a good solution that pleased everyone.

@Sakurann Sakurann merged commit 469a1e9 into openid:main Apr 11, 2025
2 checks passed
c2bo
c2bo reviewed Apr 11, 2025
View reviewed changes
openid-4-verifiable-presentations-1_0.md

This specification supports two models for proof of possession:

- **claim-bound attestations**: The attestation is not signed by the Relying Party, but bound to it. The exact binding mechanism is defined by the type of the definition. For example for JWTs, the `sub` claim is including the distinguished name of the Certificate that was used to sign the request. The binding may also include the client_id parameter.
Copy link
Member

@c2bo c2bo Apr 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- **claim-bound attestations**: The attestation is not signed by the Relying Party, but bound to it. The exact binding mechanism is defined by the type of the definition. For example for JWTs, the `sub` claim is including the distinguished name of the Certificate that was used to sign the request. The binding may also include the client_id parameter.
- **claim-bound attestations**: The attestation is not signed by the Verifier, but bound to it. The exact binding mechanism is defined by the type of the definition. For example for JWTs, the `sub` claim is including the distinguished name of the Certificate that was used to sign the request. The binding may also include the client_id parameter.

Sakurann added a commit that referenced this pull request Apr 11, 2025
@Sakurann
Revert "add verifier_attestations parameter to authz req (#482)"
48c01e5 
This reverts commit 469a1e9.
@Sakurann Sakurann mentioned this pull request Apr 11, 2025
Closed
@cre8 cre8 deleted the attachements branch April 11, 2025 19:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jogu jogu jogu approved these changes

@c2bo c2bo c2bo approved these changes

@TimoGlastra TimoGlastra TimoGlastra approved these changes

@Sakurann Sakurann Sakurann left review comments

@tlodderstedt tlodderstedt tlodderstedt approved these changes

@danielfett danielfett Awaiting requested review from danielfett

@tplooker tplooker Awaiting requested review from tplooker

@awoie awoie Awaiting requested review from awoie

@bc-pi bc-pi Awaiting requested review from bc-pi

@babisRoutis babisRoutis Awaiting requested review from babisRoutis

Assignees

No one assigned

Labels

editors

Projects

None yet

Milestone

Final 1.0

Development

Successfully merging this pull request may close these issues.

Add attachments in the presentation request

7 participants

@cre8 @Sakurann @danielfett @jogu @tlodderstedt @c2bo @TimoGlastra