SlideShare a Scribd company logo

OpenID Connect 4 SSI

T
Torsten Lodderstedt

OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.

Internet
1 of 31
Download to read offline
OpenID Connect for SSI Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes.com
OpenID Connect for SSI • Initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation • Aims at specifying a set of protocols based on OpenID Connect to enable SSI applications
- Provide the community with a solution for SSI applications leveraging the simplicity and security of OpenID Connect - Security of OpenID Connect has been tested and formally analysed - Allow existing OpenID Connect RPs to access SSI credential and existing OpenID Connect OPs to also issue credentials Why extend OpenID Connect to support SSI?
OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ① Self-Issued OP v2 (key exchange and authentication) or OpenID Connect Core Code flow ② OpenID Connect for Verifiable Presentations (Transportation of Verifiable Credentials) OpenID Connect Core ③ OpenID Connect for Credential Issuance (Issuance of Verifiable Credentials) Base Protocol
Use Case: eKYC using Bank ID Credential - A Bank customer wants to sign a car leasing contract. The leasing provider is obliged to identify the customer (Anti-Money Laundering Law). The leasing provider accepts identification via a digital wallet. - The leasing provider sends the customer to the wallet, which currently does not contain a suitable credential. The wallet offers some options to the customer to obtain the required credential. - The customer selects the bank-based approach, selects her bank, and proceeds to the bank’s digital banking experience where she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the customer confirms presentation of the new credential to the leasing company. - The leasing company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of bank-based identification in combination with additional privacy preservation through the wallet since there is no call-home to the Bank directly by the leasing provider. - Leasing provider benefit: ability to accept ID credentials from the Issuers/Banks without establishing a federation with them
Use Case: NHS doctors moving around 1200 clinics - A clinic wants to verify identity a doctor who has been assigned to work there from another clinic. The doctors are moved between clinics quite often and each time a clinic onboards a new doctor, it is obliged to verify the doctor’s identity and privileges. The clinic accepts identification via a digital wallet. - The clinic sends the doctor to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the doctor to obtain the required credential. - The doctor selects the previous clinic where he/she worked, and proceeds to that clinic’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the doctor confirms presentation of the new credential to the new clinic. - The new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to collect paper documents from all the previous clinics. - New clinic: ability to accept credentials in a digital format significantly shortens onboarding time and gives more time to the doctors to actually treat the customers instead of dealing with administrative processes.
Use Case: University managing alumni - An employer wants to verify the education history of the employee during the hiring on-boarding process. The employee accepts identification via a digital wallet. - The employer sends the employee to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the employee to obtain the required credential. - The employee selects the university he/she has graduated from, and proceeds to that university’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the employee confirms presentation of the new credential to the employee. - The employee new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to physically go to the university and collect paper documents or having to exchange emails with the university admin. - New clinic: ability to move growing number of alumni data to the cold storage once, instead of storing it in an active storage ready to respond to an API call anytime.
Self-Issued OP (SIOP) v2
1. SIOP v2 OpenID Connect standard model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Trust (to 3rd party) Alice ① 3rd Party OP issues an ID Token Self-Issued OP model ⓪ User tries to log in Website (RP) User Agent OP Trust (on first use) ① OP on the user device issues ID Token Alice ● Self-Issued OP is an OP within the End-user’s local control. ● Enables End-users to interact with verifiers directly, without relying on a third-party providers. ● Performs key exchange and authentication.
What’s new in v2? - DIDs as “sub” values (in additional to raw public keys) to “self-issue” an ID Token - Dynamic SIOP discovery and invocation via HTTPS URLs - in addition to “openid://” custom scheme - enables use of app/universal links and web wallets - Dynamic RP registration (DID or Entity statements) - Cross Device Flow
SIOP request–response example SIOP Response SIOP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso openid://? response_type=id_token &response_mode=post &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/post_cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj on device cross device POST /post_cb HTTP/1.1 Host: client.example.com Content-Type: application/x-www-form-urlencoded &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso
SIOP request–response example { "iss": "https://self-issued.me/v2", "sub": "did:example:EiC6Y9_aDaCsI", https url -> jwks_uri hosted under .well-known "aud": "https://client.example.org/cb", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } Decoded ID Token “sub” can be raw public key or DID
OpenID Connect 4 Verifiable Presentations
• Works with all OpenID Connect Flows (SIOP v2, code, CIBA, …) • Request syntax uses "claims" parameter & DIF Presentation Exchange • Supports different credential/presentation formats: • encoded as JSON or JSON-LD • signed as a JWS or Linked Data Proofs • ... • Supports different transports: • Embedded in ID Token or Userinfo response • new VP Token (provided alongside ID Token) Enables presentation of W3C Verifiable Credentials using OpenID Connect. 2. OIDC4VP
OIDC4VP Request SIOP+OIDC4VP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj &claims=... { "vp_token": { "presentation_definition": { "id": "identification", "input_descriptors": [ { "id": "id_card_credential", "schema": [ { "uri":"https://www.w3.org/2018/credentials/examples/v1/IDCardCredential" } ] } ... } `claims` parameter with DIF Presentation Exchange Syntax
{ "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiablePresentation" ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://www.w3.org/2018/credentials/examples/v1" ], "id": "https://example.com/credentials/1872", "type": [ "VerifiableCredential", "IDCardCredential" ], "issuer": { "id": "did:example:issuer" }, "issuanceDate": "2010-01-01T19:23:24Z", "credentialSubject": { "given_name": "Fredrik", Response OIDC4VP Response VP Token containing Verifiable Presentation Decoded ID Token HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... &vp_token=... { ... "_vp_token": { "presentation_submission": { "id": "example presentation", "definition_id": "identification", "descriptor_map": [ { "id": "id_card_credential", "format": "ldp_vp", "path": "$" "path_nested": { "format": "ldp_vc", "path": "$.verifiableCredential[0]" } ... } Path in the ID Token refers to a separate artifact - VP Token
DEMO Bringing it all together ...
SIOP v2 / OIDC4VPs Prototype •Implemented within IDUnion project •Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett •Use Case: Login to NextCloud using Verifiable Credentials •Based on • Existing NextCloud OpenID Connect Plugin • Lissi Wallet • Hyperledger Indy & Indy SDK
DEMO •On device: https://youtu.be/gDg2ma7TwWU •Cross device: https://youtu.be/hC3VQE-vMnQ
Architecture NextCloud Ledger Plugin (Frontend) Lissi Wallet redirects (HTTPS GET) (3) “response” (HTTPS POST) Plugin (Backend) polling on device cross device ledger access (1) QR Code schema definition und credential definition schema definition und credential definition, revocation info (2) Request payload (GET request_uri)
Findings • QR Codes pretty huge • Verifiers can be identified • Verifier's Web URL shown in wallet (leverages OIDC client data model) • Simple & Scalable Architecture •No separate connection establishment step required
Further ongoing implementations • Microsoft • Convergence.Tech • Gematik (within IDunion) • walt.id (eSSIF-Lab)* • Sphereon • Gimly *Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance)
OpenID Connect 4 Credentials Issuance
Status • Based on pre-existing implementation experience (MATTR Ltd & Convergence.tech) • Work recently started with requirements gathering and brainstorming sessions at IIW #33 • Current WG Draft https://openid.bitbucket.io/connect/openid-connect-4-verifiable-credential-issuance-1_0.html
Benefits • Obvious way to turn existing OpenID Connect OPs into Issuers • Allows for inline credential issuance • Issuer-controlled UX gives flexibility • Wallet and Issuer identification utilizing OpenID Connect metadata
Key Ideas • Issuance via OAuth protected API: Credential endpoint • Multiple credentials, Same credential in different formats/keys • Support all kinds of proof methods (also non JWS) for key material the new credential shall be bound to • Separate client authentication & message integrity protection from proof of possession of this key material • Allow presentation of credentials (in authz request and dynamically obtained) as input for the issuance • Allow deferred issuance • Support Credential metadata (Credential Manifest)
New Endpoints • Issuance Initiation Endpoint: An endpoint exposed by the wallet that allows an issuer to initiate the issuance flow • Nonce Endpoint: provides the RP with a nonce it will include into verifiable presentations sent to the authorization endpoint • Credential Endpoint: OAuth-protected API to issue verifiable credentials • Deferred Credential Endpoint: used for deferred issuance of verifiable credentials
Extended Endpoints • Client Metadata: new metadata parameter is added to allow a wallet (acting as OpenID Connect RP) to publish its issuance initiation endpoint. • Server Metadata: new metadata parameters (credential types, …) • Authorization Endpoint: • `claims` parameter allows to request authorization for issuance of one or more credentials. • new parameters to convey verifiable presentations and further data to alternatively callback to the RP (acting as wallet) to request further verifiable credentials. • PAR is recommended • Token Endpoint: optional parameters to provide RP with a nonce to used for proof of possession of key material
Planned implementations • Microsoft • IDunion • walt.id & yes.com & BCDiploma (eSSIF-Lab) • Sphereon • Talao.io • Convergence.Tech
Thank you!

Recommended

OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WGTorsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSITorsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 

Recommended

OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WGTorsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSITorsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfKristina Yasuda
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Vasiliy Suvorov
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...SSIMeetup
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityHeather Vescent
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)Torsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)Lal Chandran
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectTorsten Lodderstedt
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...SSIMeetup
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Evernym
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
The Hyperledger Indy Public Blockchain Node
The Hyperledger Indy Public Blockchain NodeThe Hyperledger Indy Public Blockchain Node
The Hyperledger Indy Public Blockchain NodeSSIMeetup
 
What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?Evernym
 
OpenID Connect Federation
OpenID Connect FederationOpenID Connect Federation
OpenID Connect FederationAndreas Åkre Solberg
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCIKaliya "Identity Woman" Young
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 

More Related Content

What's hot

Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfKristina Yasuda
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Vasiliy Suvorov
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...SSIMeetup
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityHeather Vescent
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)Torsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)Lal Chandran
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectTorsten Lodderstedt
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...SSIMeetup
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Evernym
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
The Hyperledger Indy Public Blockchain Node
The Hyperledger Indy Public Blockchain NodeThe Hyperledger Indy Public Blockchain Node
The Hyperledger Indy Public Blockchain NodeSSIMeetup
 
What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?Evernym
 

What's hot (20)

Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign Identity
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
The Hyperledger Indy Public Blockchain Node
The Hyperledger Indy Public Blockchain NodeThe Hyperledger Indy Public Blockchain Node
The Hyperledger Indy Public Blockchain Node
 
What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?What are Decentralized Identifiers (DIDs)?
What are Decentralized Identifiers (DIDs)?
 
OpenID Connect Federation
OpenID Connect FederationOpenID Connect Federation
OpenID Connect Federation
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCI
 

Similar to OpenID Connect 4 SSI

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
KYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAINKYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAINIRJET Journal
 
Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?Priyanka Aash
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification ServiceSergeyWalsh
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification ServiceSergeyWalsh
 
A Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using BlockchainA Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using BlockchainIRJET Journal
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2NGINX, Inc.
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentitySSIMeetup
 
Application on Know Your Customer Authentication
Application on Know Your Customer AuthenticationApplication on Know Your Customer Authentication
Application on Know Your Customer AuthenticationIRJET Journal
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authenticationijtsrd
 
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewMikeLeszcz
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Kristina Yasuda
 
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinFOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinCalvin Cheng
 

Similar to OpenID Connect 4 SSI (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
KYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAINKYC VERIFICATION USING BLOCKCHAIN
KYC VERIFICATION USING BLOCKCHAIN
 
Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?Can Blockchain Enable Identity Management?
Can Blockchain Enable Identity Management?
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
E-Business security
E-Business security E-Business security
E-Business security
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
A Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using BlockchainA Survey on e-KYC Verifier Using Blockchain
A Survey on e-KYC Verifier Using Blockchain
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
 
Access management
Access managementAccess management
Access management
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
 
Application on Know Your Customer Authentication
Application on Know Your Customer AuthenticationApplication on Know Your Customer Authentication
Application on Know Your Customer Authentication
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
 
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinFOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
 
Presentation
PresentationPresentation
Presentation
 

More from Torsten Lodderstedt

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes DecentralizedTorsten Lodderstedt
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Torsten Lodderstedt
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32Torsten Lodderstedt
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsTorsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceTorsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityTorsten Lodderstedt
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectTorsten Lodderstedt
 

More from Torsten Lodderstedt (15)

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Recently uploaded

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 

Recently uploaded (9)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 

OpenID Connect 4 SSI

  • 1. OpenID Connect for SSI Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes.com
  • 2. OpenID Connect for SSI • Initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation • Aims at specifying a set of protocols based on OpenID Connect to enable SSI applications
  • 3. - Provide the community with a solution for SSI applications leveraging the simplicity and security of OpenID Connect - Security of OpenID Connect has been tested and formally analysed - Allow existing OpenID Connect RPs to access SSI credential and existing OpenID Connect OPs to also issue credentials Why extend OpenID Connect to support SSI?
  • 4. OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ① Self-Issued OP v2 (key exchange and authentication) or OpenID Connect Core Code flow ② OpenID Connect for Verifiable Presentations (Transportation of Verifiable Credentials) OpenID Connect Core ③ OpenID Connect for Credential Issuance (Issuance of Verifiable Credentials) Base Protocol
  • 5. Use Case: eKYC using Bank ID Credential - A Bank customer wants to sign a car leasing contract. The leasing provider is obliged to identify the customer (Anti-Money Laundering Law). The leasing provider accepts identification via a digital wallet. - The leasing provider sends the customer to the wallet, which currently does not contain a suitable credential. The wallet offers some options to the customer to obtain the required credential. - The customer selects the bank-based approach, selects her bank, and proceeds to the bank’s digital banking experience where she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the customer confirms presentation of the new credential to the leasing company. - The leasing company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of bank-based identification in combination with additional privacy preservation through the wallet since there is no call-home to the Bank directly by the leasing provider. - Leasing provider benefit: ability to accept ID credentials from the Issuers/Banks without establishing a federation with them
  • 6. Use Case: NHS doctors moving around 1200 clinics - A clinic wants to verify identity a doctor who has been assigned to work there from another clinic. The doctors are moved between clinics quite often and each time a clinic onboards a new doctor, it is obliged to verify the doctor’s identity and privileges. The clinic accepts identification via a digital wallet. - The clinic sends the doctor to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the doctor to obtain the required credential. - The doctor selects the previous clinic where he/she worked, and proceeds to that clinic’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the doctor confirms presentation of the new credential to the new clinic. - The new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to collect paper documents from all the previous clinics. - New clinic: ability to accept credentials in a digital format significantly shortens onboarding time and gives more time to the doctors to actually treat the customers instead of dealing with administrative processes.
  • 7. Use Case: University managing alumni - An employer wants to verify the education history of the employee during the hiring on-boarding process. The employee accepts identification via a digital wallet. - The employer sends the employee to the wallet. If the wallet does not currently contain a suitable credential, it offers some options to the employee to obtain the required credential. - The employee selects the university he/she has graduated from, and proceeds to that university’s credential issuance experience where he/she is offered to issue an ID credential to the wallet. - Upon receiving an ID credential to the wallet, when prompted, the employee confirms presentation of the new credential to the employee. - The employee new clinic company receives the credential and proceeds to the next step in the contract signing process… - Customer benefit: ease of use of digital credentials instead of having to physically go to the university and collect paper documents or having to exchange emails with the university admin. - New clinic: ability to move growing number of alumni data to the cold storage once, instead of storing it in an active storage ready to respond to an API call anytime.
  • 9. 1. SIOP v2 OpenID Connect standard model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Trust (to 3rd party) Alice ① 3rd Party OP issues an ID Token Self-Issued OP model ⓪ User tries to log in Website (RP) User Agent OP Trust (on first use) ① OP on the user device issues ID Token Alice ● Self-Issued OP is an OP within the End-user’s local control. ● Enables End-users to interact with verifiers directly, without relying on a third-party providers. ● Performs key exchange and authentication.
  • 10. What’s new in v2? - DIDs as “sub” values (in additional to raw public keys) to “self-issue” an ID Token - Dynamic SIOP discovery and invocation via HTTPS URLs - in addition to “openid://” custom scheme - enables use of app/universal links and web wallets - Dynamic RP registration (DID or Entity statements) - Cross Device Flow
  • 11. SIOP request–response example SIOP Response SIOP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso openid://? response_type=id_token &response_mode=post &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/post_cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj on device cross device POST /post_cb HTTP/1.1 Host: client.example.com Content-Type: application/x-www-form-urlencoded &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.D ... ZXso
  • 12. SIOP request–response example { "iss": "https://self-issued.me/v2", "sub": "did:example:EiC6Y9_aDaCsI", https url -> jwks_uri hosted under .well-known "aud": "https://client.example.org/cb", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } Decoded ID Token “sub” can be raw public key or DID
  • 13. OpenID Connect 4 Verifiable Presentations
  • 14. • Works with all OpenID Connect Flows (SIOP v2, code, CIBA, …) • Request syntax uses "claims" parameter & DIF Presentation Exchange • Supports different credential/presentation formats: • encoded as JSON or JSON-LD • signed as a JWS or Linked Data Proofs • ... • Supports different transports: • Embedded in ID Token or Userinfo response • new VP Token (provided alongside ID Token) Enables presentation of W3C Verifiable Credentials using OpenID Connect. 2. OIDC4VP
  • 15. OIDC4VP Request SIOP+OIDC4VP Request HTTP/1.1 302 Found Location: openid://? response_type=id_token &client_id=https://client.example.org/cb &redirect_uri=https://client.example.org/cb &scope=openid%20profile &nonce=n-0S6_WzA2Mj &claims=... { "vp_token": { "presentation_definition": { "id": "identification", "input_descriptors": [ { "id": "id_card_credential", "schema": [ { "uri":"https://www.w3.org/2018/credentials/examples/v1/IDCardCredential" } ] } ... } `claims` parameter with DIF Presentation Exchange Syntax
  • 16. { "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiablePresentation" ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://www.w3.org/2018/credentials/examples/v1" ], "id": "https://example.com/credentials/1872", "type": [ "VerifiableCredential", "IDCardCredential" ], "issuer": { "id": "did:example:issuer" }, "issuanceDate": "2010-01-01T19:23:24Z", "credentialSubject": { "given_name": "Fredrik", Response OIDC4VP Response VP Token containing Verifiable Presentation Decoded ID Token HTTP/1.1 302 Found Location: https://client.example.org/cb# &id_token=eyJ0 ... NiJ9.eyJ1c ... &vp_token=... { ... "_vp_token": { "presentation_submission": { "id": "example presentation", "definition_id": "identification", "descriptor_map": [ { "id": "id_card_credential", "format": "ldp_vp", "path": "$" "path_nested": { "format": "ldp_vc", "path": "$.verifiableCredential[0]" } ... } Path in the ID Token refers to a separate artifact - VP Token
  • 17. DEMO Bringing it all together ...
  • 18. SIOP v2 / OIDC4VPs Prototype •Implemented within IDUnion project •Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett •Use Case: Login to NextCloud using Verifiable Credentials •Based on • Existing NextCloud OpenID Connect Plugin • Lissi Wallet • Hyperledger Indy & Indy SDK
  • 19. DEMO •On device: https://youtu.be/gDg2ma7TwWU •Cross device: https://youtu.be/hC3VQE-vMnQ
  • 20. Architecture NextCloud Ledger Plugin (Frontend) Lissi Wallet redirects (HTTPS GET) (3) “response” (HTTPS POST) Plugin (Backend) polling on device cross device ledger access (1) QR Code schema definition und credential definition schema definition und credential definition, revocation info (2) Request payload (GET request_uri)
  • 21. Findings • QR Codes pretty huge • Verifiers can be identified • Verifier's Web URL shown in wallet (leverages OIDC client data model) • Simple & Scalable Architecture •No separate connection establishment step required
  • 22. Further ongoing implementations • Microsoft • Convergence.Tech • Gematik (within IDunion) • walt.id (eSSIF-Lab)* • Sphereon • Gimly *Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance)
  • 24. Status • Based on pre-existing implementation experience (MATTR Ltd & Convergence.tech) • Work recently started with requirements gathering and brainstorming sessions at IIW #33 • Current WG Draft https://openid.bitbucket.io/connect/openid-connect-4-verifiable-credential-issuance-1_0.html
  • 25. Benefits • Obvious way to turn existing OpenID Connect OPs into Issuers • Allows for inline credential issuance • Issuer-controlled UX gives flexibility • Wallet and Issuer identification utilizing OpenID Connect metadata
  • 26. Key Ideas • Issuance via OAuth protected API: Credential endpoint • Multiple credentials, Same credential in different formats/keys • Support all kinds of proof methods (also non JWS) for key material the new credential shall be bound to • Separate client authentication & message integrity protection from proof of possession of this key material • Allow presentation of credentials (in authz request and dynamically obtained) as input for the issuance • Allow deferred issuance • Support Credential metadata (Credential Manifest)
  • 27.
  • 28. New Endpoints • Issuance Initiation Endpoint: An endpoint exposed by the wallet that allows an issuer to initiate the issuance flow • Nonce Endpoint: provides the RP with a nonce it will include into verifiable presentations sent to the authorization endpoint • Credential Endpoint: OAuth-protected API to issue verifiable credentials • Deferred Credential Endpoint: used for deferred issuance of verifiable credentials
  • 29. Extended Endpoints • Client Metadata: new metadata parameter is added to allow a wallet (acting as OpenID Connect RP) to publish its issuance initiation endpoint. • Server Metadata: new metadata parameters (credential types, …) • Authorization Endpoint: • `claims` parameter allows to request authorization for issuance of one or more credentials. • new parameters to convey verifiable presentations and further data to alternatively callback to the RP (acting as wallet) to request further verifiable credentials. • PAR is recommended • Token Endpoint: optional parameters to provide RP with a nonce to used for proof of possession of key material
  • 30. Planned implementations • Microsoft • IDunion • walt.id & yes.com & BCDiploma (eSSIF-Lab) • Sphereon • Talao.io • Convergence.Tech