SlideShare une entreprise Scribd logo

OpenID Connect 4 SSI

T
Torsten Lodderstedt

OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.

Internet
1  sur  31
Télécharger pour lire hors ligne
OpenID Connect for SSI Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes.com
OpenID Connect for SSI • Initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation • Aims at specifying a set of protocols based on OpenID Connect to enable SSI applications
- Provide the community with a solution for SSI applications leveraging the simplicity and security of OpenID Connect - Security of OpenID Connect has been tested and formally analysed - Allow existing OpenID Connect RPs to access SSI credential and existing OpenID Connect OPs to also issue credentials Why extend OpenID Connect to support SSI?
OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ① Self-Issued OP v2 (key exchange and authentication) or OpenID Connect Core Code flow ② OpenID Connect for Verifiable Presentations (Transportation of Verifiable Credentials) OpenID Connect Core ③ OpenID Connect for Credential Issuance (Issuance of Verifiable Credentials) Base Protocol
Use Case: eKYC using Bank ID Credential - A Bank customer wants to sign a car leasing contract. The leasing provider is obliged to identify the customer (Anti-Money Laundering Law). The leasing provider accepts identification via a digital wallet. - The leasing provider sends the customer to the wallet, which currently does not contain a suitable credential. The wallet offers some options to the customer to obtain the required credential. - The customer selects the bank-based approach, selects her bank, and proceeds to the bank’s digital banking experience where she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the customer confirms presentation of the new credential to the leasing company. - The leasing company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of bank-based identification in combination with additional privacy preservation through the wallet since there is no call-home to the Bank directly by the leasing provider. - Leasing provider benefit: ability to accept ID credentials from the Issuers/Banks without establishing a federation with them
Use Case: NHS doctors moving around 1200 clinics - A clinic wants to verify identity a doctor who has been assigned to work there from another clinic. The doctors are moved between clinics quite often and each time a clinic onboards a new doctor, it is obliged to verify the doctor’s identity and privileges. The clinic accepts identification via a digital wallet. - The clinic sends the doctor to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the doctor to obtain the required credential. - The doctor selects the previous clinic where he/she worked, and proceeds to that clinic’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the doctor confirms presentation of the new credential to the new clinic. - The new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to collect paper documents from all the previous clinics. - New clinic: ability to accept credentials in a digital format significantly shortens onboarding time and gives more time to the doctors to actually treat the customers instead of dealing with administrative processes.
Use Case: University managing alumni - An employer wants to verify the education history of the employee during the hiring on-boarding process. The employee accepts identification via a digital wallet. - The employer sends the employee to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the employee to obtain the required credential. - The employee selects the university he/she has graduated from, and proceeds to that university’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the employee confirms presentation of the new credential to the employee. - The employee new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to physically go to the university and collect paper documents or having to exchange emails with the university admin. - New clinic: ability to move growing number of alumni data to the cold storage once, instead of storing it in an active storage ready to respond to an API call anytime.
Self-Issued OP (SIOP) v2
1. SIOP v2 OpenID Connect standard model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Trust (to 3rd party) Alice ① 3rd Party OP issues an ID Token Self-Issued OP model ⓪ User tries to log in Website (RP) User Agent OP Trust (on first use) ① OP on the user device issues ID Token Alice ● Self-Issued OP is an OP within the End-user’s local control. ● Enables End-users to interact with verifiers directly, without relying on a third-party providers. ● Performs key exchange and authentication.
What’s new in v2? - DIDs as “sub” values (in additional to raw public keys) to “self-issue” an ID Token - Dynamic SIOP discovery and invocation via HTTPS URLs - in addition to “openid://” custom scheme - enables use of app/universal links and web wallets - Dynamic RP registration (DID or Entity statements) - Cross Device Flow
SIOP request–response example SIOP Response SIOP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso openid://? response_type=id_token &response_mode=post &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/post_cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj on device cross device POST /post_cb HTTP/1.1 Host: client.example.com Content-Type: application/x-www-form-urlencoded &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso
SIOP request–response example { "iss": "https://self-issued.me/v2", "sub": "did:example:EiC6Y9_aDaCsI", https url -> jwks_uri hosted under .well-known "aud": "https://client.example.org/cb", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } Decoded ID Token “sub” can be raw public key or DID
OpenID Connect 4 Verifiable Presentations
• Works with all OpenID Connect Flows (SIOP v2, code, CIBA, …) • Request syntax uses "claims" parameter & DIF Presentation Exchange • Supports different credential/presentation formats: • encoded as JSON or JSON-LD • signed as a JWS or Linked Data Proofs • ... • Supports different transports: • Embedded in ID Token or Userinfo response • new VP Token (provided alongside ID Token) Enables presentation of W3C Verifiable Credentials using OpenID Connect. 2. OIDC4VP
OIDC4VP Request SIOP+OIDC4VP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj &claims=... { "vp_token": { "presentation_definition": { "id": "identification", "input_descriptors": [ { "id": "id_card_credential", "schema": [ { "uri":"https://www.w3.org/2018/credentials/examples/v1/IDCardCredential" } ] } ... } `claims` parameter with DIF Presentation Exchange Syntax
{ "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiablePresentation" ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://www.w3.org/2018/credentials/examples/v1" ], "id": "https://example.com/credentials/1872", "type": [ "VerifiableCredential", "IDCardCredential" ], "issuer": { "id": "did:example:issuer" }, "issuanceDate": "2010-01-01T19:23:24Z", "credentialSubject": { "given_name": "Fredrik", Response OIDC4VP Response VP Token containing Verifiable Presentation Decoded ID Token HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... &vp_token=... { ... "_vp_token": { "presentation_submission": { "id": "example presentation", "definition_id": "identification", "descriptor_map": [ { "id": "id_card_credential", "format": "ldp_vp", "path": "$" "path_nested": { "format": "ldp_vc", "path": "$.verifiableCredential[0]" } ... } Path in the ID Token refers to a separate artifact - VP Token
DEMO Bringing it all together ...
SIOP v2 / OIDC4VPs Prototype •Implemented within IDUnion project •Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett •Use Case: Login to NextCloud using Verifiable Credentials •Based on • Existing NextCloud OpenID Connect Plugin • Lissi Wallet • Hyperledger Indy & Indy SDK
DEMO •On device: https://youtu.be/gDg2ma7TwWU •Cross device: https://youtu.be/hC3VQE-vMnQ
Architecture NextCloud Ledger Plugin (Frontend) Lissi Wallet redirects (HTTPS GET) (3) “response” (HTTPS POST) Plugin (Backend) polling on device cross device ledger access (1) QR Code schema definition und credential definition schema definition und credential definition, revocation info (2) Request payload (GET request_uri)
Findings • QR Codes pretty huge • Verifiers can be identified • Verifier's Web URL shown in wallet (leverages OIDC client data model) • Simple & Scalable Architecture •No separate connection establishment step required
Further ongoing implementations • Microsoft • Convergence.Tech • Gematik (within IDunion) • walt.id (eSSIF-Lab)* • Sphereon • Gimly *Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance)
OpenID Connect 4 Credentials Issuance
Status • Based on pre-existing implementation experience (MATTR Ltd & Convergence.tech) • Work recently started with requirements gathering and brainstorming sessions at IIW #33 • Current WG Draft https://openid.bitbucket.io/connect/openid-connect-4-verifiable-credential-issuance-1_0.html
Benefits • Obvious way to turn existing OpenID Connect OPs into Issuers • Allows for inline credential issuance • Issuer-controlled UX gives flexibility • Wallet and Issuer identification utilizing OpenID Connect metadata
Key Ideas • Issuance via OAuth protected API: Credential endpoint • Multiple credentials, Same credential in different formats/keys • Support all kinds of proof methods (also non JWS) for key material the new credential shall be bound to • Separate client authentication & message integrity protection from proof of possession of this key material • Allow presentation of credentials (in authz request and dynamically obtained) as input for the issuance • Allow deferred issuance • Support Credential metadata (Credential Manifest)
New Endpoints • Issuance Initiation Endpoint: An endpoint exposed by the wallet that allows an issuer to initiate the issuance flow • Nonce Endpoint: provides the RP with a nonce it will include into verifiable presentations sent to the authorization endpoint • Credential Endpoint: OAuth-protected API to issue verifiable credentials • Deferred Credential Endpoint: used for deferred issuance of verifiable credentials
Extended Endpoints • Client Metadata: new metadata parameter is added to allow a wallet (acting as OpenID Connect RP) to publish its issuance initiation endpoint. • Server Metadata: new metadata parameters (credential types, …) • Authorization Endpoint: • `claims` parameter allows to request authorization for issuance of one or more credentials. • new parameters to convey verifiable presentations and further data to alternatively callback to the RP (acting as wallet) to request further verifiable credentials. • PAR is recommended • Token Endpoint: optional parameters to provide RP with a nonce to used for proof of possession of key material
Planned implementations • Microsoft • IDunion • walt.id & yes.com & BCDiploma (eSSIF-Lab) • Sphereon • Talao.io • Convergence.Tech
Thank you!

Recommandé

OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 

Recommandé

OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
Torsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)
Evernym
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
Torsten Lodderstedt
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
Tatsuo Kudo
 
What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?
Evernym
 
Future-proofing Authentication with Passkeys
Future-proofing Authentication with PasskeysFuture-proofing Authentication with Passkeys
Future-proofing Authentication with Passkeys
Nordic APIs
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
Vasiliy Suvorov
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
OpenID Foundation Japan
 
韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020
韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020
韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020
OpenID Foundation Japan
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
 

Contenu connexe

Tendances

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 

Tendances (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
 
What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?
 
Future-proofing Authentication with Passkeys
Future-proofing Authentication with PasskeysFuture-proofing Authentication with Passkeys
Future-proofing Authentication with Passkeys
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
 
韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020
韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020
韓国における FIDO/ eKYC /DID の現状と今後の取り組み - OpenID Summit 2020
 

Similaire à OpenID Connect 4 SSI

Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
SergeyWalsh
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
NGINX, Inc.
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
SSIMeetup
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
ijtsrd
 

Similaire à OpenID Connect 4 SSI (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
KYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAINKYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAIN
 
Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
E-Business security
E-Business security E-Business security
E-Business security
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
A Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using BlockchainA Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using Blockchain
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
 
Access management
Access managementAccess management
Access management
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
 
Application on Know Your Customer Authentication
Application on Know Your Customer AuthenticationApplication on Know Your Customer Authentication
Application on Know Your Customer Authentication
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
 
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinFOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
 
Presentation
PresentationPresentation
Presentation
 

Plus de Torsten Lodderstedt

Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
Torsten Lodderstedt
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 

Plus de Torsten Lodderstedt (13)

GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Dernier

一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
AS
 
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
Fir
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
Fir
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
AS
 
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
mikehavy0
 
一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理
AS
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书
A
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书
A
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
AS
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
musaddumba454
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
A
 

Dernier (20)

Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowHUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
 
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
 
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
Abortion Clinic in Kwa thema +27791653574 Kwa thema WhatsApp Abortion Clinic ...
 
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays SweatshirtsFree on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
 
一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理一比一原版英国创意艺术大学毕业证如何办理
一比一原版英国创意艺术大学毕业证如何办理
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书
 
Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodie
 
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 

OpenID Connect 4 SSI

  • 1. OpenID Connect for SSI Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes.com
  • 2. OpenID Connect for SSI • Initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation • Aims at specifying a set of protocols based on OpenID Connect to enable SSI applications
  • 3. - Provide the community with a solution for SSI applications leveraging the simplicity and security of OpenID Connect - Security of OpenID Connect has been tested and formally analysed - Allow existing OpenID Connect RPs to access SSI credential and existing OpenID Connect OPs to also issue credentials Why extend OpenID Connect to support SSI?
  • 4. OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ① Self-Issued OP v2 (key exchange and authentication) or OpenID Connect Core Code flow ② OpenID Connect for Verifiable Presentations (Transportation of Verifiable Credentials) OpenID Connect Core ③ OpenID Connect for Credential Issuance (Issuance of Verifiable Credentials) Base Protocol
  • 5. Use Case: eKYC using Bank ID Credential - A Bank customer wants to sign a car leasing contract. The leasing provider is obliged to identify the customer (Anti-Money Laundering Law). The leasing provider accepts identification via a digital wallet. - The leasing provider sends the customer to the wallet, which currently does not contain a suitable credential. The wallet offers some options to the customer to obtain the required credential. - The customer selects the bank-based approach, selects her bank, and proceeds to the bank’s digital banking experience where she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the customer confirms presentation of the new credential to the leasing company. - The leasing company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of bank-based identification in combination with additional privacy preservation through the wallet since there is no call-home to the Bank directly by the leasing provider. - Leasing provider benefit: ability to accept ID credentials from the Issuers/Banks without establishing a federation with them
  • 6. Use Case: NHS doctors moving around 1200 clinics - A clinic wants to verify identity a doctor who has been assigned to work there from another clinic. The doctors are moved between clinics quite often and each time a clinic onboards a new doctor, it is obliged to verify the doctor’s identity and privileges. The clinic accepts identification via a digital wallet. - The clinic sends the doctor to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the doctor to obtain the required credential. - The doctor selects the previous clinic where he/she worked, and proceeds to that clinic’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the doctor confirms presentation of the new credential to the new clinic. - The new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to collect paper documents from all the previous clinics. - New clinic: ability to accept credentials in a digital format significantly shortens onboarding time and gives more time to the doctors to actually treat the customers instead of dealing with administrative processes.
  • 7. Use Case: University managing alumni - An employer wants to verify the education history of the employee during the hiring on-boarding process. The employee accepts identification via a digital wallet. - The employer sends the employee to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the employee to obtain the required credential. - The employee selects the university he/she has graduated from, and proceeds to that university’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the employee confirms presentation of the new credential to the employee. - The employee new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to physically go to the university and collect paper documents or having to exchange emails with the university admin. - New clinic: ability to move growing number of alumni data to the cold storage once, instead of storing it in an active storage ready to respond to an API call anytime.
  • 9. 1. SIOP v2 OpenID Connect standard model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Trust (to 3rd party) Alice ① 3rd Party OP issues an ID Token Self-Issued OP model ⓪ User tries to log in Website (RP) User Agent OP Trust (on first use) ① OP on the user device issues ID Token Alice ● Self-Issued OP is an OP within the End-user’s local control. ● Enables End-users to interact with verifiers directly, without relying on a third-party providers. ● Performs key exchange and authentication.
  • 10. What’s new in v2? - DIDs as “sub” values (in additional to raw public keys) to “self-issue” an ID Token - Dynamic SIOP discovery and invocation via HTTPS URLs - in addition to “openid://” custom scheme - enables use of app/universal links and web wallets - Dynamic RP registration (DID or Entity statements) - Cross Device Flow
  • 11. SIOP request–response example SIOP Response SIOP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso openid://? response_type=id_token &response_mode=post &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/post_cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj on device cross device POST /post_cb HTTP/1.1 Host: client.example.com Content-Type: application/x-www-form-urlencoded &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso
  • 12. SIOP request–response example { "iss": "https://self-issued.me/v2", "sub": "did:example:EiC6Y9_aDaCsI", https url -> jwks_uri hosted under .well-known "aud": "https://client.example.org/cb", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } Decoded ID Token “sub” can be raw public key or DID
  • 13. OpenID Connect 4 Verifiable Presentations
  • 14. • Works with all OpenID Connect Flows (SIOP v2, code, CIBA, …) • Request syntax uses "claims" parameter & DIF Presentation Exchange • Supports different credential/presentation formats: • encoded as JSON or JSON-LD • signed as a JWS or Linked Data Proofs • ... • Supports different transports: • Embedded in ID Token or Userinfo response • new VP Token (provided alongside ID Token) Enables presentation of W3C Verifiable Credentials using OpenID Connect. 2. OIDC4VP
  • 15. OIDC4VP Request SIOP+OIDC4VP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj &claims=... { "vp_token": { "presentation_definition": { "id": "identification", "input_descriptors": [ { "id": "id_card_credential", "schema": [ { "uri":"https://www.w3.org/2018/credentials/examples/v1/IDCardCredential" } ] } ... } `claims` parameter with DIF Presentation Exchange Syntax
  • 16. { "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiablePresentation" ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://www.w3.org/2018/credentials/examples/v1" ], "id": "https://example.com/credentials/1872", "type": [ "VerifiableCredential", "IDCardCredential" ], "issuer": { "id": "did:example:issuer" }, "issuanceDate": "2010-01-01T19:23:24Z", "credentialSubject": { "given_name": "Fredrik", Response OIDC4VP Response VP Token containing Verifiable Presentation Decoded ID Token HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... &vp_token=... { ... "_vp_token": { "presentation_submission": { "id": "example presentation", "definition_id": "identification", "descriptor_map": [ { "id": "id_card_credential", "format": "ldp_vp", "path": "$" "path_nested": { "format": "ldp_vc", "path": "$.verifiableCredential[0]" } ... } Path in the ID Token refers to a separate artifact - VP Token
  • 17. DEMO Bringing it all together ...
  • 18. SIOP v2 / OIDC4VPs Prototype •Implemented within IDUnion project •Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett •Use Case: Login to NextCloud using Verifiable Credentials •Based on • Existing NextCloud OpenID Connect Plugin • Lissi Wallet • Hyperledger Indy & Indy SDK
  • 19. DEMO •On device: https://youtu.be/gDg2ma7TwWU •Cross device: https://youtu.be/hC3VQE-vMnQ
  • 20. Architecture NextCloud Ledger Plugin (Frontend) Lissi Wallet redirects (HTTPS GET) (3) “response” (HTTPS POST) Plugin (Backend) polling on device cross device ledger access (1) QR Code schema definition und credential definition schema definition und credential definition, revocation info (2) Request payload (GET request_uri)
  • 21. Findings • QR Codes pretty huge • Verifiers can be identified • Verifier's Web URL shown in wallet (leverages OIDC client data model) • Simple & Scalable Architecture •No separate connection establishment step required
  • 22. Further ongoing implementations • Microsoft • Convergence.Tech • Gematik (within IDunion) • walt.id (eSSIF-Lab)* • Sphereon • Gimly *Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance)
  • 24. Status • Based on pre-existing implementation experience (MATTR Ltd & Convergence.tech) • Work recently started with requirements gathering and brainstorming sessions at IIW #33 • Current WG Draft https://openid.bitbucket.io/connect/openid-connect-4-verifiable-credential-issuance-1_0.html
  • 25. Benefits • Obvious way to turn existing OpenID Connect OPs into Issuers • Allows for inline credential issuance • Issuer-controlled UX gives flexibility • Wallet and Issuer identification utilizing OpenID Connect metadata
  • 26. Key Ideas • Issuance via OAuth protected API: Credential endpoint • Multiple credentials, Same credential in different formats/keys • Support all kinds of proof methods (also non JWS) for key material the new credential shall be bound to • Separate client authentication & message integrity protection from proof of possession of this key material • Allow presentation of credentials (in authz request and dynamically obtained) as input for the issuance • Allow deferred issuance • Support Credential metadata (Credential Manifest)
  • 27.
  • 28. New Endpoints • Issuance Initiation Endpoint: An endpoint exposed by the wallet that allows an issuer to initiate the issuance flow • Nonce Endpoint: provides the RP with a nonce it will include into verifiable presentations sent to the authorization endpoint • Credential Endpoint: OAuth-protected API to issue verifiable credentials • Deferred Credential Endpoint: used for deferred issuance of verifiable credentials
  • 29. Extended Endpoints • Client Metadata: new metadata parameter is added to allow a wallet (acting as OpenID Connect RP) to publish its issuance initiation endpoint. • Server Metadata: new metadata parameters (credential types, …) • Authorization Endpoint: • `claims` parameter allows to request authorization for issuance of one or more credentials. • new parameters to convey verifiable presentations and further data to alternatively callback to the RP (acting as wallet) to request further verifiable credentials. • PAR is recommended • Token Endpoint: optional parameters to provide RP with a nonce to used for proof of possession of key material
  • 30. Planned implementations • Microsoft • IDunion • walt.id & yes.com & BCDiploma (eSSIF-Lab) • Sphereon • Talao.io • Convergence.Tech