SlideShare a Scribd company logo
1 of 31
Download to read offline
OpenID Connect for SSI
Kristina Yasuda, Microsoft
Dr. Torsten Lodderstedt, yes.com
OpenID Connect for SSI
• Initiative conducted at OpenID Foundation in liaison with the
Decentralized Identity Foundation
• Aims at specifying a set of protocols based on OpenID
Connect to enable SSI applications
- Provide the community with a solution for SSI applications leveraging
the simplicity and security of OpenID Connect
- Security of OpenID Connect has been tested and formally
analysed
- Allow existing OpenID Connect RPs to access SSI credential and
existing OpenID Connect OPs to also issue credentials
Why extend OpenID Connect to support SSI?
OpenID Connect for SSI Components
Issuer
(Website)
Verifier
(Website)
Holder
(Digital Wallet)
Issue
Credentials
Present
Credentials
① Self-Issued OP v2 (key exchange and authentication)
or
OpenID Connect Core Code flow
② OpenID Connect for Verifiable Presentations
(Transportation of Verifiable Credentials)
OpenID Connect Core
③ OpenID Connect for Credential Issuance
(Issuance of Verifiable Credentials)
Base Protocol
Use Case: eKYC using Bank ID Credential
- A Bank customer wants to sign a car leasing contract. The leasing provider is obliged to identify the
customer (Anti-Money Laundering Law). The leasing provider accepts identification via a digital wallet.
- The leasing provider sends the customer to the wallet, which currently does not contain a suitable
credential. The wallet offers some options to the customer to obtain the required credential.
- The customer selects the bank-based approach, selects her bank, and proceeds to the bank’s digital
banking experience where she is offered to issue an ID credential to the wallet.
- Upon receiving an ID credential to the wallet, when prompted, the customer confirms presentation of the
new credential to the leasing company.
- The leasing company receives the credential and proceeds to the next step in the contract signing
process…
- Customer benefit: ease of use of bank-based identification in combination with additional privacy
preservation through the wallet since there is no call-home to the Bank directly by the leasing provider.
- Leasing provider benefit: ability to accept ID credentials from the Issuers/Banks without establishing a
federation with them
Use Case: NHS doctors moving around 1200
clinics
- A clinic wants to verify identity a doctor who has been assigned to work there from another clinic. The
doctors are moved between clinics quite often and each time a clinic onboards a new doctor, it is obliged
to verify the doctor’s identity and privileges. The clinic accepts identification via a digital wallet.
- The clinic sends the doctor to the wallet. If the wallet does not currently contain a suitable credential, it
offers some options to the doctor to obtain the required credential.
- The doctor selects the previous clinic where he/she worked, and proceeds to that clinic’s credential
issuance experience where he/she is offered to issue an ID credential to the wallet.
- Upon receiving an ID credential to the wallet, when prompted, the doctor confirms presentation of the new
credential to the new clinic.
- The new clinic company receives the credential and proceeds to the next step in the contract signing
process…
- Customer benefit: ease of use of digital credentials instead of having to collect paper documents from all
the previous clinics.
- New clinic: ability to accept credentials in a digital format significantly shortens onboarding time and gives
more time to the doctors to actually treat the customers instead of dealing with administrative processes.
Use Case: University managing alumni
- An employer wants to verify the education history of the employee during the hiring on-boarding process.
The employee accepts identification via a digital wallet.
- The employer sends the employee to the wallet. If the wallet does not currently contain a suitable
credential, it offers some options to the employee to obtain the required credential.
- The employee selects the university he/she has graduated from, and proceeds to that university’s
credential issuance experience where he/she is offered to issue an ID credential to the wallet.
- Upon receiving an ID credential to the wallet, when prompted, the employee confirms presentation of the
new credential to the employee.
- The employee new clinic company receives the credential and proceeds to the next step in the contract
signing process…
- Customer benefit: ease of use of digital credentials instead of having to physically go to the university and
collect paper documents or having to exchange emails with the university admin.
- New clinic: ability to move growing number of alumni data to the cold storage once, instead of storing it in
an active storage ready to respond to an API call anytime.
Self-Issued OP (SIOP) v2
1. SIOP v2
OpenID Connect standard model
⓪ User tries to log in
Website (RP)
User
Agent
OP
(3P OpenID Provider)
Trust (to 3rd party)
Alice
① 3rd Party OP
issues an ID Token
Self-Issued OP model
⓪ User tries to log in
Website (RP)
User
Agent
OP
Trust (on first use)
① OP on the user
device issues ID Token
Alice
● Self-Issued OP is an OP within the End-user’s local control.
● Enables End-users to interact with verifiers directly, without relying on a third-party providers.
● Performs key exchange and authentication.
What’s new in v2?
- DIDs as “sub” values (in additional to raw public keys) to
“self-issue” an ID Token
- Dynamic SIOP discovery and invocation via HTTPS URLs
- in addition to “openid://” custom scheme
- enables use of app/universal links and web wallets
- Dynamic RP registration (DID or Entity statements)
- Cross Device Flow
SIOP request–response example
SIOP Response
SIOP Request
HTTP/1.1 302 Found
Location: openid://?
response_type=id_token
&client_id=https://client.example.org/cb
&redirect_uri=https://client.example.org/cb
&scope=openid%20profile
&nonce=n-0S6_WzA2Mj
HTTP/1.1 302 Found
Location: https://client.example.org/cb#
&id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso
openid://?
response_type=id_token
&response_mode=post
&client_id=https://client.example.org/cb
&redirect_uri=https://client.example.org/post_cb
&scope=openid%20profile
&nonce=n-0S6_WzA2Mj
on device
cross device
POST /post_cb HTTP/1.1
Host: client.example.com
Content-Type: application/x-www-form-urlencoded
&id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso
SIOP request–response example
{
"iss": "https://self-issued.me/v2",
"sub": "did:example:EiC6Y9_aDaCsI",
https url -> jwks_uri hosted under .well-known
"aud": "https://client.example.org/cb",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970
}
Decoded ID Token
“sub” can be raw public key or DID
OpenID Connect 4 Verifiable
Presentations
• Works with all OpenID Connect Flows (SIOP v2, code, CIBA, …)
• Request syntax uses "claims" parameter & DIF Presentation Exchange
• Supports different credential/presentation formats:
• encoded as JSON or JSON-LD
• signed as a JWS or Linked Data Proofs
• ...
• Supports different transports:
• Embedded in ID Token or Userinfo response
• new VP Token (provided alongside ID Token)
Enables presentation of W3C Verifiable Credentials using OpenID Connect.
2. OIDC4VP
OIDC4VP Request
SIOP+OIDC4VP Request
HTTP/1.1 302 Found
Location: openid://?
response_type=id_token
&client_id=https://client.example.org/cb
&redirect_uri=https://client.example.org/cb
&scope=openid%20profile
&nonce=n-0S6_WzA2Mj
&claims=...
{
"vp_token": {
"presentation_definition": {
"id": "identification",
"input_descriptors": [
{
"id": "id_card_credential",
"schema": [
{
"uri":"https://www.w3.org/2018/credentials/examples/v1/IDCardCredential"
}
]
}
...
}
`claims` parameter with DIF Presentation Exchange Syntax
{
"@context": [
"https://www.w3.org/2018/credentials/v1"
],
"type": [
"VerifiablePresentation"
],
"verifiableCredential": [
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.w3.org/2018/credentials/examples/v1"
],
"id": "https://example.com/credentials/1872",
"type": [
"VerifiableCredential",
"IDCardCredential"
],
"issuer": {
"id": "did:example:issuer"
},
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
"given_name": "Fredrik",
Response
OIDC4VP Response
VP Token containing Verifiable Presentation
Decoded ID Token
HTTP/1.1 302 Found
Location: https://client.example.org/cb#
&id_token=eyJ0 ... NiJ9.eyJ1c ...
&vp_token=...
{
...
"_vp_token": {
"presentation_submission": {
"id": "example presentation",
"definition_id": "identification",
"descriptor_map": [
{
"id": "id_card_credential",
"format": "ldp_vp",
"path": "$"
"path_nested": {
"format": "ldp_vc",
"path": "$.verifiableCredential[0]"
}
...
}
Path in the ID
Token refers to a
separate artifact -
VP Token
DEMO
Bringing it all together ...
SIOP v2 / OIDC4VPs Prototype
•Implemented within IDUnion project
•Team: Sebastian Bickerle, Paul Wenzel,
Fabian Hauck, & Dr. Daniel Fett
•Use Case: Login to NextCloud using
Verifiable Credentials
•Based on
• Existing NextCloud OpenID Connect Plugin
• Lissi Wallet
• Hyperledger Indy & Indy SDK
DEMO
•On device: https://youtu.be/gDg2ma7TwWU
•Cross device: https://youtu.be/hC3VQE-vMnQ
Architecture
NextCloud
Ledger
Plugin
(Frontend)
Lissi
Wallet
redirects (HTTPS GET)
(3) “response”
(HTTPS POST)
Plugin
(Backend)
polling
on device
cross device
ledger access
(1) QR Code
schema definition und credential definition schema definition und credential definition, revocation info
(2) Request payload
(GET request_uri)
Findings
• QR Codes pretty huge
• Verifiers can be identified
• Verifier's Web URL shown in wallet (leverages OIDC client data model)
• Simple & Scalable Architecture
•No separate connection establishment step required
Further ongoing implementations
• Microsoft
• Convergence.Tech
• Gematik (within IDunion)
• walt.id (eSSIF-Lab)*
• Sphereon
• Gimly
*Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity
Assurance)
OpenID Connect 4
Credentials Issuance
Status
• Based on pre-existing implementation experience
(MATTR Ltd & Convergence.tech)
• Work recently started with requirements gathering and
brainstorming sessions at IIW #33
• Current WG Draft
https://openid.bitbucket.io/connect/openid-connect-4-verifiable-credential-issuance-1_0.html
Benefits
• Obvious way to turn existing OpenID Connect OPs into Issuers
• Allows for inline credential issuance
• Issuer-controlled UX gives flexibility
• Wallet and Issuer identification utilizing OpenID Connect
metadata
Key Ideas
• Issuance via OAuth protected API: Credential endpoint
• Multiple credentials, Same credential in different formats/keys
• Support all kinds of proof methods (also non JWS) for key
material the new credential shall be bound to
• Separate client authentication & message integrity protection
from proof of possession of this key material
• Allow presentation of credentials (in authz request and
dynamically obtained) as input for the issuance
• Allow deferred issuance
• Support Credential metadata (Credential Manifest)
New Endpoints
• Issuance Initiation Endpoint: An endpoint exposed by the wallet that allows an
issuer to initiate the issuance flow
• Nonce Endpoint: provides the RP with a nonce it will include into verifiable
presentations sent to the authorization endpoint
• Credential Endpoint: OAuth-protected API to issue verifiable credentials
• Deferred Credential Endpoint: used for deferred issuance of verifiable
credentials
Extended Endpoints
• Client Metadata: new metadata parameter is added to allow a wallet (acting as
OpenID Connect RP) to publish its issuance initiation endpoint.
• Server Metadata: new metadata parameters (credential types, …)
• Authorization Endpoint:
• `claims` parameter allows to request authorization for issuance of one or
more credentials.
• new parameters to convey verifiable presentations and further data to
alternatively callback to the RP (acting as wallet) to request further
verifiable credentials.
• PAR is recommended
• Token Endpoint: optional parameters to provide RP with a nonce to used for
proof of possession of key material
Planned implementations
• Microsoft
• IDunion
• walt.id & yes.com & BCDiploma (eSSIF-Lab)
• Sphereon
• Talao.io
• Convergence.Tech
Thank you!

More Related Content

What's hot

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36Torsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)Torsten Lodderstedt
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Evernym
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfKristina Yasuda
 
Verifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & HospitalityVerifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & HospitalityEvernym
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes DecentralizedTorsten Lodderstedt
 
What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?Evernym
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...SSIMeetup
 
Overview of Decentralized Identity
Overview of Decentralized IdentityOverview of Decentralized Identity
Overview of Decentralized IdentityJim Flynn
 
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizdayTatsuo Kudo
 
Digital Guardianship in Self-Sovereign Identity
Digital Guardianship in Self-Sovereign IdentityDigital Guardianship in Self-Sovereign Identity
Digital Guardianship in Self-Sovereign IdentityEvernym
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityHeather Vescent
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Vasiliy Suvorov
 
Introduction to Self Sovereign Identity - IIW October 2019
Introduction to Self Sovereign Identity - IIW October 2019Introduction to Self Sovereign Identity - IIW October 2019
Introduction to Self Sovereign Identity - IIW October 2019Heather Vescent
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 

What's hot (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
Verifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & HospitalityVerifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & Hospitality
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
 
Overview of Decentralized Identity
Overview of Decentralized IdentityOverview of Decentralized Identity
Overview of Decentralized Identity
 
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
 
Digital Guardianship in Self-Sovereign Identity
Digital Guardianship in Self-Sovereign IdentityDigital Guardianship in Self-Sovereign Identity
Digital Guardianship in Self-Sovereign Identity
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign Identity
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCI
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
 
Introduction to Self Sovereign Identity - IIW October 2019
Introduction to Self Sovereign Identity - IIW October 2019Introduction to Self Sovereign Identity - IIW October 2019
Introduction to Self Sovereign Identity - IIW October 2019
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 

Similar to OpenID Connect 4 SSI

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
KYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAINKYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAINIRJET Journal
 
Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?Priyanka Aash
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification ServiceSergeyWalsh
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification ServiceSergeyWalsh
 
A Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using BlockchainA Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using BlockchainIRJET Journal
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2NGINX, Inc.
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentitySSIMeetup
 
Application on Know Your Customer Authentication
Application on Know Your Customer AuthenticationApplication on Know Your Customer Authentication
Application on Know Your Customer AuthenticationIRJET Journal
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authenticationijtsrd
 
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewMikeLeszcz
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Kristina Yasuda
 
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinFOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinCalvin Cheng
 

Similar to OpenID Connect 4 SSI (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
KYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAINKYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAIN
 
Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
E-Business security
E-Business security E-Business security
E-Business security
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
A Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using BlockchainA Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using Blockchain
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
 
Access management
Access managementAccess management
Access management
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
 
Application on Know Your Customer Authentication
Application on Know Your Customer AuthenticationApplication on Know Your Customer Authentication
Application on Know Your Customer Authentication
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
 
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinFOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
 
Presentation
PresentationPresentation
Presentation
 

More from Torsten Lodderstedt

Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Torsten Lodderstedt
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32Torsten Lodderstedt
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsTorsten Lodderstedt
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectTorsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceTorsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityTorsten Lodderstedt
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectTorsten Lodderstedt
 

More from Torsten Lodderstedt (15)

GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Recently uploaded

一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Dewi Agency
 
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic ManagementBeyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Managementseank14
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理A
 
Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodierahman018755
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理SS
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样Fi
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookVarun Mithran
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书A
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样A
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...ZurliaSoop
 
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样AS
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理A
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书A
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...musaddumba454
 
一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理F
 

Recently uploaded (20)

一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
 
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic ManagementBeyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 
Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodie
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
 
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
 
一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理
 

OpenID Connect 4 SSI

  • 1. OpenID Connect for SSI Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes.com
  • 2. OpenID Connect for SSI • Initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation • Aims at specifying a set of protocols based on OpenID Connect to enable SSI applications
  • 3. - Provide the community with a solution for SSI applications leveraging the simplicity and security of OpenID Connect - Security of OpenID Connect has been tested and formally analysed - Allow existing OpenID Connect RPs to access SSI credential and existing OpenID Connect OPs to also issue credentials Why extend OpenID Connect to support SSI?
  • 4. OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ① Self-Issued OP v2 (key exchange and authentication) or OpenID Connect Core Code flow ② OpenID Connect for Verifiable Presentations (Transportation of Verifiable Credentials) OpenID Connect Core ③ OpenID Connect for Credential Issuance (Issuance of Verifiable Credentials) Base Protocol
  • 5. Use Case: eKYC using Bank ID Credential - A Bank customer wants to sign a car leasing contract. The leasing provider is obliged to identify the customer (Anti-Money Laundering Law). The leasing provider accepts identification via a digital wallet. - The leasing provider sends the customer to the wallet, which currently does not contain a suitable credential. The wallet offers some options to the customer to obtain the required credential. - The customer selects the bank-based approach, selects her bank, and proceeds to the bank’s digital banking experience where she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the customer confirms presentation of the new credential to the leasing company. - The leasing company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of bank-based identification in combination with additional privacy preservation through the wallet since there is no call-home to the Bank directly by the leasing provider. - Leasing provider benefit: ability to accept ID credentials from the Issuers/Banks without establishing a federation with them
  • 6. Use Case: NHS doctors moving around 1200 clinics - A clinic wants to verify identity a doctor who has been assigned to work there from another clinic. The doctors are moved between clinics quite often and each time a clinic onboards a new doctor, it is obliged to verify the doctor’s identity and privileges. The clinic accepts identification via a digital wallet. - The clinic sends the doctor to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the doctor to obtain the required credential. - The doctor selects the previous clinic where he/she worked, and proceeds to that clinic’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the doctor confirms presentation of the new credential to the new clinic. - The new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to collect paper documents from all the previous clinics. - New clinic: ability to accept credentials in a digital format significantly shortens onboarding time and gives more time to the doctors to actually treat the customers instead of dealing with administrative processes.
  • 7. Use Case: University managing alumni - An employer wants to verify the education history of the employee during the hiring on-boarding process. The employee accepts identification via a digital wallet. - The employer sends the employee to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the employee to obtain the required credential. - The employee selects the university he/she has graduated from, and proceeds to that university’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the employee confirms presentation of the new credential to the employee. - The employee new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to physically go to the university and collect paper documents or having to exchange emails with the university admin. - New clinic: ability to move growing number of alumni data to the cold storage once, instead of storing it in an active storage ready to respond to an API call anytime.
  • 9. 1. SIOP v2 OpenID Connect standard model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Trust (to 3rd party) Alice ① 3rd Party OP issues an ID Token Self-Issued OP model ⓪ User tries to log in Website (RP) User Agent OP Trust (on first use) ① OP on the user device issues ID Token Alice ● Self-Issued OP is an OP within the End-user’s local control. ● Enables End-users to interact with verifiers directly, without relying on a third-party providers. ● Performs key exchange and authentication.
  • 10. What’s new in v2? - DIDs as “sub” values (in additional to raw public keys) to “self-issue” an ID Token - Dynamic SIOP discovery and invocation via HTTPS URLs - in addition to “openid://” custom scheme - enables use of app/universal links and web wallets - Dynamic RP registration (DID or Entity statements) - Cross Device Flow
  • 11. SIOP request–response example SIOP Response SIOP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso openid://? response_type=id_token &response_mode=post &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/post_cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj on device cross device POST /post_cb HTTP/1.1 Host: client.example.com Content-Type: application/x-www-form-urlencoded &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso
  • 12. SIOP request–response example { "iss": "https://self-issued.me/v2", "sub": "did:example:EiC6Y9_aDaCsI", https url -> jwks_uri hosted under .well-known "aud": "https://client.example.org/cb", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } Decoded ID Token “sub” can be raw public key or DID
  • 13. OpenID Connect 4 Verifiable Presentations
  • 14. • Works with all OpenID Connect Flows (SIOP v2, code, CIBA, …) • Request syntax uses "claims" parameter & DIF Presentation Exchange • Supports different credential/presentation formats: • encoded as JSON or JSON-LD • signed as a JWS or Linked Data Proofs • ... • Supports different transports: • Embedded in ID Token or Userinfo response • new VP Token (provided alongside ID Token) Enables presentation of W3C Verifiable Credentials using OpenID Connect. 2. OIDC4VP
  • 15. OIDC4VP Request SIOP+OIDC4VP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj &claims=... { "vp_token": { "presentation_definition": { "id": "identification", "input_descriptors": [ { "id": "id_card_credential", "schema": [ { "uri":"https://www.w3.org/2018/credentials/examples/v1/IDCardCredential" } ] } ... } `claims` parameter with DIF Presentation Exchange Syntax
  • 16. { "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiablePresentation" ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://www.w3.org/2018/credentials/examples/v1" ], "id": "https://example.com/credentials/1872", "type": [ "VerifiableCredential", "IDCardCredential" ], "issuer": { "id": "did:example:issuer" }, "issuanceDate": "2010-01-01T19:23:24Z", "credentialSubject": { "given_name": "Fredrik", Response OIDC4VP Response VP Token containing Verifiable Presentation Decoded ID Token HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... &vp_token=... { ... "_vp_token": { "presentation_submission": { "id": "example presentation", "definition_id": "identification", "descriptor_map": [ { "id": "id_card_credential", "format": "ldp_vp", "path": "$" "path_nested": { "format": "ldp_vc", "path": "$.verifiableCredential[0]" } ... } Path in the ID Token refers to a separate artifact - VP Token
  • 17. DEMO Bringing it all together ...
  • 18. SIOP v2 / OIDC4VPs Prototype •Implemented within IDUnion project •Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett •Use Case: Login to NextCloud using Verifiable Credentials •Based on • Existing NextCloud OpenID Connect Plugin • Lissi Wallet • Hyperledger Indy & Indy SDK
  • 19. DEMO •On device: https://youtu.be/gDg2ma7TwWU •Cross device: https://youtu.be/hC3VQE-vMnQ
  • 20. Architecture NextCloud Ledger Plugin (Frontend) Lissi Wallet redirects (HTTPS GET) (3) “response” (HTTPS POST) Plugin (Backend) polling on device cross device ledger access (1) QR Code schema definition und credential definition schema definition und credential definition, revocation info (2) Request payload (GET request_uri)
  • 21. Findings • QR Codes pretty huge • Verifiers can be identified • Verifier's Web URL shown in wallet (leverages OIDC client data model) • Simple & Scalable Architecture •No separate connection establishment step required
  • 22. Further ongoing implementations • Microsoft • Convergence.Tech • Gematik (within IDunion) • walt.id (eSSIF-Lab)* • Sphereon • Gimly *Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance)
  • 24. Status • Based on pre-existing implementation experience (MATTR Ltd & Convergence.tech) • Work recently started with requirements gathering and brainstorming sessions at IIW #33 • Current WG Draft https://openid.bitbucket.io/connect/openid-connect-4-verifiable-credential-issuance-1_0.html
  • 25. Benefits • Obvious way to turn existing OpenID Connect OPs into Issuers • Allows for inline credential issuance • Issuer-controlled UX gives flexibility • Wallet and Issuer identification utilizing OpenID Connect metadata
  • 26. Key Ideas • Issuance via OAuth protected API: Credential endpoint • Multiple credentials, Same credential in different formats/keys • Support all kinds of proof methods (also non JWS) for key material the new credential shall be bound to • Separate client authentication & message integrity protection from proof of possession of this key material • Allow presentation of credentials (in authz request and dynamically obtained) as input for the issuance • Allow deferred issuance • Support Credential metadata (Credential Manifest)
  • 27.
  • 28. New Endpoints • Issuance Initiation Endpoint: An endpoint exposed by the wallet that allows an issuer to initiate the issuance flow • Nonce Endpoint: provides the RP with a nonce it will include into verifiable presentations sent to the authorization endpoint • Credential Endpoint: OAuth-protected API to issue verifiable credentials • Deferred Credential Endpoint: used for deferred issuance of verifiable credentials
  • 29. Extended Endpoints • Client Metadata: new metadata parameter is added to allow a wallet (acting as OpenID Connect RP) to publish its issuance initiation endpoint. • Server Metadata: new metadata parameters (credential types, …) • Authorization Endpoint: • `claims` parameter allows to request authorization for issuance of one or more credentials. • new parameters to convey verifiable presentations and further data to alternatively callback to the RP (acting as wallet) to request further verifiable credentials. • PAR is recommended • Token Endpoint: optional parameters to provide RP with a nonce to used for proof of possession of key material
  • 30. Planned implementations • Microsoft • IDunion • walt.id & yes.com & BCDiploma (eSSIF-Lab) • Sphereon • Talao.io • Convergence.Tech