2021-05-17
1. OpenID Connect for W3C Verifiable Credential Objects
   AB/Connect Working Group
   Kristina Yasuda, Oliver Terbu, Torsten Lodderstedt, Adam Lemmon, Tobias Looker

2. Scope
   - Support request and presentation of W3C Verifiable Credentials in all OpenID Connect flows (SIOP, code, CIBA, …)

3. Out of Scope
   - Data models for verifiable credentials or presentations
   - Validation of verifiable presentations/credentials

4. Need
   - DIDComm is complex and lacks interoperability
   - OIDC is seen by a lot of people as a candidate for a simple and interoperable integration layer
   - Projects now either use DIF DID-SIOP, which is incomplete, or OIDC Core SIOP ch. 7, which is too generic. A more specific standard is required
   - Due to the lack of a clear standard, different projects implement different variants of DID SIOP
   - There is demand for a standard to request and provide W3C Verifiable Presentations via OIDC

5. Goal
   - Make OIDC the first choice for anyone wanting to obtain and/or provide W3C Verifiable Presentations

6. Value
   - Provide interoperability between existing and new OpenID Connect deployments that use W3C verifiable presentations
   - Leverage OpenID Connect as a simple-to-use protocol for wallet integrations
   - Leverage Verifiable Credentials for existing OpenID Connect deployments

7. Terminology
   - Presentation: data derived from one or more verifiable credentials, issued by one or more issuers, that is shared with a specific verifier. (see https://www.w3.org/TR/vc-data-model/#terminology)
   - Verifiable Presentation (VP): a verifiable presentation is a tamper-evident presentation encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification. Certain types of verifiable presentations might contain data that is synthesized from, but do not contain, the original verifiable credentials (for example, zero-knowledge proofs). (see https://www.w3.org/TR/vc-data-model/#terminology)
8. Overview of the technical content
   - Request: uses the "claims" parameter (OIDC Core Section 5.5) to request a W3C verifiable presentation by credential type and, additionally, by particular claims
   - Response: W3C verifiable presentations are returned using the same syntax, either
     1) embedded inside the ID Token or the UserInfo response, or
     2) as a separate artifact, the VP Token, that is returned together with the ID Token
   - Note: the aggregated/distributed claims syntax was considered but discarded after WG/Community feedback
9. Examples

10. VP in ID Token
    - Example showing the `claims` parameter in the request
    - The 'verifiable_presentations' claim in the ID Token contains entire VPs

11. Separate artifact: 'VP Token'
    - Example showing the `claims` parameter in the request
    - The ID Token contains a `vp_hash`
    - The 'VP Token' contains an entire VP
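An added example, written for this page rather than taken from the slides or the working group draft, covering slide 8's `claims` request and slide 11's `vp_hash` binding between the ID Token and a separate VP Token. The vp_hash construction (modelled on OIDC Core's at_hash/c_hash) and the key names inside `verifiable_presentations` are assumptions, marked as such in the code.

```python
# Added example, not code from the slides or the working group draft. It shows
# (1) a `claims` request parameter asking for a W3C VP by credential type plus
# particular claims, and (2) the verifier-side check that binds a separately
# returned VP Token to the ID Token through `vp_hash`.
# ASSUMPTION: the slides do not define vp_hash; it is computed here like OIDC
# Core's at_hash/c_hash: base64url(left-most half of SHA-256(ASCII VP Token)),
# i.e. what an RS256/ES256-signed ID Token would carry.
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def vp_hash(vp_token: str) -> str:
    """Left-most 128 bits of SHA-256(vp_token), base64url without padding."""
    digest = hashlib.sha256(vp_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def build_claims_request(credential_type: str,
                         claim_names: Optional[List[str]] = None,
                         separate_vp_token: bool = False) -> Dict:
    """OIDC Core 5.5 `claims` parameter requesting a VP by credential type
    and, optionally, particular claims. The key names placed under
    `verifiable_presentations` are hypothetical, not from the slides."""
    entry: Dict = {"credential_types": [credential_type]}
    if claim_names:
        entry["claims"] = {name: None for name in claim_names}
    target = "vp_token" if separate_vp_token else "id_token"
    return {target: {"verifiable_presentations": entry}}

def bind_vp_token(id_token_claims: Dict, vp_token: str) -> bool:
    """Verifier side: accept a VP Token only if the (already signature-checked)
    ID Token carries a vp_hash matching it; a missing vp_hash is a reject,
    since an unbound VP Token could have been swapped in transit."""
    expected = id_token_claims.get("vp_hash")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(vp_hash(vp_token), expected)

# Constructed sample: a minimal VP as the VP Token string (no real credential).
SAMPLE_VP_TOKEN = ('{"@context":["https://www.w3.org/2018/credentials/v1"],'
                   '"type":["VerifiablePresentation"],"verifiableCredential":[]}')
SAMPLE_ID_TOKEN_CLAIMS = {"iss": "https://wallet.example", "aud": "https://rp.example",
                          "vp_hash": vp_hash(SAMPLE_VP_TOKEN)}
```

The verifier must validate the ID Token signature first; `bind_vp_token` only establishes that the VP Token presented is the one the signed ID Token commits to.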
12. Requests

13. Request for Verifiable Presentation (Type)

14. Request for Verifiable Presentation (Type and Claims)

15. "Just" Request Claims
16. Relationship with other work
    - Relationship with OpenID Connect Core: OIDC4VCO uses mechanisms already defined in OIDC Core and does not introduce any breaking changes.
    - Relationship with the SIOP V2 draft: the SIOP V2 draft will refer to the OIDC4VCO draft with respect to how W3C verifiable presentations (VPs) can be transported using the SIOP model, since the OIDC4VCO draft defines a generic way for W3C VPs to be used with various OIDC flows, including SIOP V2.
    - Relationship with the Claims Aggregation draft (and the Credential Provider draft once contributed): the Claims Aggregation draft describes a new Claims endpoint used by an intermediary OP to obtain aggregated claims; its RP/OP interface is aggregated claims as defined in OIDC Core plus a "uid" assertion binding mechanism. The OIDC4VCO draft describes an extension at the RP/OP interface for requesting VPs and returning them as additional data in OIDC responses, defining a new token. The two use different formats and delivery mechanisms, and OIDC4VCO additionally defines the request syntax.
    - Relationship with the DIF Presentation Exchange (PE) draft: the DIF PE draft could be used as part of the request syntax in the OIDC4VCO draft, which should be discussed once the OIDC4VCO draft is adopted. DIF PE is a protocol-agnostic query language and does not replace the OIDC4VCO draft.

17. Proposal
    ● The editors of Claims Aggregation and OIDC4VCO will keep working closely to align the documents, while adopting the OIDC4VCO draft separately.
    ● Write an architecture whitepaper describing the intermediary OP pattern with OIDC in general, as well as the specifics of implementing it using OIDC aggregated claims or W3C Verifiable Credentials (or other types of cryptographically bound credentials).
18. [Diagram: claims aggregation flow]
    Participants: User; Client (D); IdP (wallet etc.) with Identity Register (C, holding user identification claims c); CP (A) with Identity Register (claims a); CP (B) with Identity Register (claims b); Signed Claims (Token).
    Numbered steps shown in the diagram:
    1. Give me claims {a,b}
    2. Is it ok to give {a,b} to D?
    3. I grant.
    4. Give me a. Token = Ta
    5. Signed claims a
    6. Give me b. Token = Tb
    7. Signed claims b
    8. Here are {a,b} with the user identification claims c.
    Labels: "Main Interface of Claims Aggregation draft (for RP-OP interface response, adds additional verification steps and uses Aggregated Claims syntax)" and "Interface of OIDC4VCO draft".

