The document proposes extending OpenID Connect to support requesting and presenting W3C Verifiable Credentials in all OpenID Connect flows. It outlines the need for a standard way to do this given limitations of existing approaches. The proposal is to use existing OpenID Connect mechanisms like the "claims" parameter to request verifiable presentations, which could then be returned embedded in ID tokens or userinfo responses, or as a separate verifiable presentation token. Examples are provided and it discusses the relationship to other relevant work. The goal is to make OpenID Connect the preferred choice for obtaining and providing verifiable presentations.

1. OpenID Connect for W3C
Verifiable Credential Objects
AB/Connect Working Group
Kristina Yasuda, Oliver Terbu, Torsten Lodderstedt, Adam
Lemmon, Tobias Looker

2. Scope
- Support request and presentation of W3C Verifiable Credentials in all OpenID
Connect Flows (SIOP, code, CIBA, …)

3. Out of Scope
● Data models for verifiable credentials or presentations
● Validation of verifiable presentations/credentials

4. Need
- DIDComm is complex and lacks interoperability
- OIDC is seen by a lot of people as a candidate for a simple and interoperable
integration layer
- Projects now either use DIF DID-SIOP, which is incomplete, or OIDC Core SIOP ch. 7, which
is too generic. A more specific standard is required
- Due to the lack of a clear standard, different projects implement different variants of the DID
SIOP
- Demand for standard to request and provide W3C Verifiable Presentations via
OIDC

5. Goal
- Make OIDC the first choice for anyone wanting to obtain and/or provide W3C
Verifiable Presentations

6. Value
- Provide interoperability between existing and new OpenID Connect
deployments that use W3C verifiable presentations
- Leverage OpenID Connect as simple to use protocol for wallet integrations
- Leverage Verifiable Credentials for existing OpenID Connect deployments

7. Terminology
- Presentation
Data derived from one or more verifiable credentials, issued by one or more issuers,
that is shared with a specific verifier. (see
https://www.w3.org/TR/vc-data-model/#terminology)
- Verified Presentation (VP)
A verifiable presentation is a tamper-evident presentation encoded in such a way that
authorship of the data can be trusted after a process of cryptographic verification.
Certain types of verifiable presentations might contain data that is synthesized from, but
do not contain, the original verifiable credentials (for example, zero-knowledge proofs).
(see https://www.w3.org/TR/vc-data-model/#terminology)

8. Overview of the technical content
- Request
- uses “claims” parameter (OIDC Section 5.5) to request W3C verifiable presentation by
credential type and (additionally) particular claims
- Reponse
- W3C verifiable presentations are returned using the same syntax either
- 1) embedded inside the ID Token or userinfo response, or
- 2) as a separate artifact VP Token that is returned together with the ID Token
- Note: aggregated/distributed claims syntax was considered by discarded after WG/Community
feedback

9. Examples

10. VP in ID Token
‘verifiable_presentations’ claim
contains entire VPs
`claims` parameter in the request

11. Separate artifact
- ‘VP Token’
ID Token contains a `vp_hash`
‘VP Token’ contains an entire VP
`claims` parameter in the request

12. Requests

13. Request for Verifiable Presentation (Type)

14. Request for Verifiable Presentation (Type and Claims)

15. “Just” Request Claims

16. Relationship with other work
- Relationship with OpenID Connect Core
- OIDC4VCO uses mechanisms already defined in OIDC Core, and does not introduce any breaking changes.
- Relationship with SIOP V2 draft
- SIOP V2 draft will refer to the OIDC4VCO draft wrt how W3C verifiable presentations (VPs) can be transported
using SIOP model, since OIDC4VCO draft defines a generic way how W3C VPs can be used with various OIDC
flows including SIOP V2.
- Relationship with Claims Aggregation draft (and Credential Provider draft once contributed)
- Claims Aggregation draft describes new Claims endpoint used by intermediary OP to obtain aggregated claims.
RP/OP interface is aggregated claims as defined on OIDCC + “uid” assertion binding mechanism. OIDC4VCO
draft describes extension at RP/OP interface for requesting and returns VPs as additional data in OIDC
responses, defining a new token. Different formats and delivery mechanisms + OIDC4VCO defines request
syntax.
- Relationship with DIF Presentation Exchange (PE) draft
- DIF PE draft could be used as part of the request syntax in OIDC4VCO draft, which should be discussed once
OIDC4VCO draft is adopted. DIF PE is a query language that is protocol agnostic, and it does not replace
OIDC4VCO draft.

17. Proposal
● Editors of claims aggregation and OIDC4VCO will keep working closely to
align the documents, while adopting the OIDC4VCO draft separately.
● Write architecture whitepaper describing intermediary OP pattern with OIDC
in general as well specifics of implementing it using OIDC aggregated claims
or W3C Verifiable Credentials (or other types of cryptographically bound
credentials).

18. CP
(B)
Identity
Register
7. Signed claims
b
CP
(A)
Identity
Register
Client
5. Signed claims
a
IdP
(wallet etc.)
Identity
Register
c
a
b
Signed Claims
(Token)
C D
4. Give me a.
Token = Ta
6. Give me b.
Token = Tb
1. Give me claims {a,b}
8. Here are {a,b} with the
user identification claims c.
2.Is it ok to
Give {a,b}
to D?
3. I grant.
User
Main Interface of Claims Aggregation draft
(for RP-OP interface response, adds
additional verification steps and uses
Aggregated Claims syntax)
Interface of OIDC4VCO draft