TL
Uploaded byTorsten Lodderstedt
474 views

OpenID for SSI

OpenID for SSI aims to specify protocols based on OpenID Connect and OAuth 2.0 to enable self-sovereign identity (SSI) applications. This initiative is conducted by the OpenID Foundation in collaboration with the Decentralized Identity Foundation. One specification builds upon the DID-SIOP and SIOPv1 standards. Using OpenID Connect allows for variety in SSI technology choices like identifiers, credentials, and cryptography while leveraging existing OpenID Connect implementations, libraries, and developer familiarity. Demonstrations show credential presentation and issuance via OIDC4SSI specifications.

Embed presentation

Download to read offline
OpenID for SSI Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes.com
OpenID for SSI • Aims at specifying a set of protocols based on OpenID Connect and OAuth2.0 to enable SSI applications • Initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation (DIF) • One of the specifications is built up on DID-SIOP in DIDAuth WG in DIF and SIOPv1 chapter 7 in OIDC Core
- Self-Issued OP (SIOP) already provides good starting point - Leveraging the simplicity and security of OpenID Connect and OAuth2.0 for SSI applications - Existing libraries, only HTTPS communication, developer familiarity - Great for mobile applications, no firewall hassles - Security of OpenID Connect has been tested and formally analysed - Allow existing OpenID Connect RPs to access SSI credentials and existing OpenID Connect OPs to issue credentials Why use OpenID Connect/OAuth2.0 as basis?
③ OpenID Connect for Verifiable Credential Issuance (Issuance of Verifiable Credentials) OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ① Self-Issued OP v2 (key exchange and authentication) ② OpenID Connect for Verifiable Presentations (Presentation of Verifiable Credentials) Can be hosted locally on the user’s device, have cloud components, or be entirely hosted in the cloud
Using OIDC4SSI as an authentication protocol to present and issue credentials allows implementers to choose a combination of DID methods, credential formats and other components of the SSI tech stack. OIDC4SSI allows variety of choices in the SSI tech stack SSI Tech Stack component Implementer’s choices when using OIDC4SSI as a protocol Identifiers Any DID method - user’s identifier can also be a JWK Thumbprint (`sub` in the ID Token) - verifier’s identifier can also be a unique string (`client_id` in the request) Credential Format Any credential format (AnonCreds, LDP-VC, JWT-VC, ISO mDL, etc.) Revocation Any mechanism (Status List 2021, etc.) additional trust mechanisms Any mechanism (.well-known DID configuration, etc.) Cryptography Any cryptosuite (EdDSA, ES256K, etc.)
some use-cases…
SIOPv2
Standard OpenID Connect vs SIOP v2 Self-Issued OP model ⓪ User tries to get access to a resource Website (RP) User Agent OP Trust in cryptographically verifiable identifier ② OP on the user device issues subject-signed ID Token Alice User-controlled OpenID Connect OP is able to self-sign ID Tokens and authenticate using the user-controlled key material (raw public keys or Decentralized identifiers (DIDs)) ① RP requests ID Token OpenID Connect standard model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Trust in 3rd party Alice ② 3rd Party OP issues an ID Token ① RP requests ID Token
OpenID Connect for Verifiable Presentations
Credential Issuer ③ Verify Credential from Trusted Credential Issuer (obtain Issuer’s public key and optionally check revocation list) SIOP v2 + OpenID Connect 4 Verifiable Presentations Presenting Credentials Website or App (RP) User Agent OP Alice Trust in cryptographically authenticated identifier ⓪ User tries to get access to a resource Stored Verifiable Credentials Trust in Credential Issuer(s) ② SIOP issues ID Token & Verifiable Presentation(s) ① RP requests ID Token and Credential(s) Status list (revocation) Issuer’s Public Key
- Protocol is credential/presentation format agnostic - Examples for AnonCreds and mDL in OIDC4VP spec - passing `presentation_definition` PE object by value or by reference - Support for Trust Schemes - for example, request credentials issued by an issuer that is part of a Trust Framework - Dynamic SIOP discovery and invocation via HTTPS URLs - enables use of app/universal links and web wallets - Leverages all OpenID Connect Flows - SIOP can be entirely locally hosted, have cloud components, be entirely cloud-based - Cross Device Flow enabled - Leverages OpenID Connect Metadata for verifiers and wallet management - Clarify that the key feature of SIOP is ability to sign ID Token using a subject-controlled key material (iss==sub in ID Token) - Ongoing: wallet & key attestation Credentials Presentation (Key & New Features)
- First Implementer’s Drafts of OpenID Connect SIOPV2 and OIDC4VP approved. Targeting Second Implementer’s Draft by the end of 2022 - Latest Editor’s drafts can be published at: - https://openid.net/specs/openid-connect-self-issued-v2-1_0.html - https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html - Existing & ongoing Implementations: - The European Blockchain Services Infrastructure (EBSI) - Microsoft - Workday - Ping Identity - Convergence.Tech - IDunion - walt.id (eSSIF-Lab)* - Sphereon - Gimly *Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance) Credential Presentation (Status)
Demo Credential Presentation
IDunion Prototype •Implemented within IDunion project •Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett •Use Case: Login to NextCloud using Verifiable Credentials •Based on • Existing NextCloud OpenID Connect Plugin • Lissi Wallet • Hyperledger Indy & Indy SDK & AnonCreds
European Banking Identity Prototype •eSSIF-Lab founded project •Team: yes.com & walt.id • Presentation & Issuance via OIDC4SSI •Based on • walt.id Wallet (Web Wallet) • JSON LD based credentials • did:key (did:ebsi) eSSIF-Lab is funded by the European Commission, as part of the Horizon 2020 Research and Innovation Programme, under Grant Agreement Nº 871932 and it's framed under Next Generation Internet Initiative.
Architecture Verifier Ledger Frontend Wallet redirects (HTTPS GET) (3) “response” (HTTPS POST) Backend polling on device cross device ledger access (1) QR Code e.g. DID resolution, revocation info, schema and credential definition (2) Request payload (GET request_uri)
Request Example ESSIF Lab (W3C VC) { "response_type" :"id_token", "client_id":"https://example.com/callback" , "scope":"openid", "redirect_uri" :"https://example.com/callback" , "nonce":"67473895393019470130" , ... "claims":{ "vp_token":{ "presentation_definition" :{ "id":"1", "input_descriptors" :[ { "id":"1", "schema":{ "uri":"https://raw.githubusercontent.com/…/EuropeanBankIdentity.json" } } ] } } } }
Response Example ESSIF Lab (W3C VC) { "iss": "https://self-issued.me/v2", "aud": "https://example.com/callback", "sub": "did:key:z6MkqUDiu3MHxAm...mscLT8E9R5CKdbtr7gwR8", "exp": 1645469476, "iat": 1645465876, "nonce": "cdb97870-a3be-49b4-aa55-8c7c7122178a", "_vp_token": { "presentation_submission": { "descriptor_map": [ { "path": "$", "format": "ldp_vp", "path_nested": { "path": "$.verifiableCredential[0]", "format": "ldp_vc" } ], "definition_id": "1", "id": "1" } } } { "@context" :[ "https://www.w3.org/2018/credentials/v1" ], "holder" :"did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8" , "id":"urn:uuid:04816f2a-85f1-45d7-a66d-51764d39a569" , "proof":{ "domain" :"https://example.com/callback" , "jws" :"...", "nonce":"cdb97870-a3be-49b4-aa55-8c7c7122178a" , "proofPurpose" :"authentication" , "type":"Ed25519Signature2018" , "verificationMethod" :"did:key:z6MkqUDiu3 ..." }, "type":[ "VerifiablePresentation" ], "verifiableCredential" :[ { … "type":[ "VerifiableCredential" , "EuropeanBankIdentity" ], "credentialSubject" :{ "id":"did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8" , "familyName" :"Family001" , "givenName" :"Given001" , "birthDate" :"1950-01-01" , "placeOfBirth" :{ "country" :"DE", "locality" :"Berlin" } }, ID Token VP Token
Request Example IDunion (AnonCred) { "response_type" :"id_token" , "client_id" :"https://example.com/callback" , "scope":"openid" , "redirect_uri" :"https://example.com/callback ", "nonce":"67473895393019470130" , ... "claims" :{ "vp_token" :{ "presentation_definition" :{ "id":"NextcloudLogin" , "input_descriptors" :[ { "id":"ref2", "name":"NextcloudCredential" , "format" : { "ac_vc": { "proof_type" : ["CLSignature2019" ] } }, "constraints" :{ "limit_disclosure" :"required" , "fields":[{ "path": [ "$.schema_id" ], "filter": { "type": "string" , "pattern": "did:indy:idu:test:3QowxFtwciWceMFr7WbwnM:2:BasicScheme:0.1" } }, {"path":[ "$.values.email" ]}, { "path":["$.values.first_name" ]}, { "path":["$.values.last_name" ]}] } }
Response Example IDunion (AnonCred) { "aud": "https://example.com/callback ", "sub": "9wgU5CR6PdgGmvBfgz_CqAtBxJ33ckMEwvij-gC6Bcw" , "auth_time" : 1638483344 , "iss": "https://self-issued.me/v2" , "sub_jwk" : { "x": "cQ5fu5VmG…dA_5lTMGcoyQE78RrqQ6" , "kty": "EC", "y": "XHpi27YMA…rnF_-f_ASULPTmUmTS" , "crv": "P-384" }, "exp": 1638483944 , "iat": 1638483344 , "nonce": "67473895393019470130 ", "_vp_token" : { "presentation_submission" : { "descriptor_map" : [ { "id": "ref2", "path": "$", "format" : "ac_vp", "path_nested" : { "path": "$.requested_proof.revealed_attr_groups.ref2", "format" : "ac_vc" } } ], "definition_id" : "NextcloudLogin" , "id": "NexcloudCredentialPresentationSubmission" } } } { "proof": {...}, "requested_proof": { "revealed_attrs" : {}, "revealed_attr_groups": { "ref2": { "sub_proof_index" : 0, "values" : { "email": { "raw": "alice@example.com" , "encoded" : "115589951…83915671017846" }, "last_name" : { "raw": "Wonderland" , "encoded" : "167908493…94017654562035" }, "first_name" : { "raw": "Alice", "encoded" : "270346400…99344178781507" } } } }, … }, "identifiers" : [ { "schema_id" : "3QowxFtwciWceMFr7WbwnM:2:BasicScheme:0.1" , "cred_def_id" : "CsiDLAiFkQb9N4NDJKUagd:3:CL:4687:awesome_cred" , "rev_reg_id" : null, "timestamp" : null } ] } ID Token VP Token
OpenID for Credential Issuance
Credential Issuer ③ Verify Credential from Trusted Credential Issuer (obtain Issuer’s public key and optionally check revocation) OpenID Connect 4 Verifiable Credentials Issuance Issuing Credentials Website or App (RP) User Agent OP Alice Trust in cryptographically authenticated identifier ⓪ User tries to log in RP Stored Verifiable Credentials Trust in Credential Issuer(s) ② SIOP issues ID Token & Verifiable Presentation(s) ① RP requests ID Token and Credential(s) ⓪ User requests Credential ① Credential Issuer issues credential
- Issuance via OAuth-protected Credential Endpoint - Currently two authorization flows: - Code flow (others possible) ■ invoked by Wallet requesting authorization for one or more credentials at the Authorization Endpoint (may trigger by presentation request during the issuance) ■ Issuer takes screen control and can authenticate/identify user with means at Issuer’s discretion - Pre-authorized code flow (new grant type) ■ Wallet is invoked after completion of process with the Issuer (QR Code or redirect) Design Principles
- Protocol is credential format agnostic - W3C Verifiable Credentials, ISO mobile Driving Licence/electronic ID, SMART Health Cards - Can be customized to use different methods for proofs of possession of key material - for example, `jwt` proof type that includes a signature by a key material tied to a DID - Allows Credential Issuance during Presentation Request (inline issuance) - Requested credential not found in the wallet - Allows just-in-time and batch credential issuance as well as credential refresh - Allows Presentation Request during Credential Issuance - Issuer is requesting to present a VC as a way to identify a user during Issuance - Can be built on top of existing OAuth/OpenID implementations - Leverages OpenID Connect Metadata for wallet & issuer management - Ongoing: wallet & key attestation to build Issuer’s trust in the wallet Credential Issuance (Key Features)
- Specification adopted by the working group. Targeting First Implementer’s draft by the end of 2022. - https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html - Planned and ongoing implementations: - The European Blockchain Services Infrastructure (EBSI) - Microsoft - Mattr - IDunion - walt.id & yes.com & BCDiploma (eSSIF-Lab) - Sphereon - Talao.io - Convergence.Tech Credential Issuance (Status)
Demo Credential Issuance
European Banking Identity Prototype •eSSIF-Lab founded project •Team: yes.com & walt.id • Presentation & Issuance via OIDC4SSI •Based on • walt.id Wallet (Web Wallet) • JSON LD based credentials • did:key (did:ebsi) eSSIF-Lab is funded by the European Commission, as part of the Horizon 2020 Research and Innovation Programme, under Grant Agreement Nº 871932 and it's framed under Next Generation Internet Initiative.
Authorization Request HTTP/1.1 302 Found Location: https://server.example.com/authorize? response_type=code &client_id=s6BhdRkqt3 &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM &code_challenge_method=S256 &scope=openid_credential:ttps://…/EuropeanBankIdentity.json &redirect_uri=https://client.example.org/cb
Credential Issuance (W3C VC) HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "format": "ldp_vc", "credential" : "eyJjcmVkZW50a...d0MifQ==" } POST /credential HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW type=https://…/EuropeanBankIdentity.json format=ldp_vc did=did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8 proof=%7B%22type%22:%22jwt%22…0aW9EkL1nOzM%22%7D Request Response
Issued Credential { ... "issuer": "did:key:z6MkgF2pvVNEFXCksupWKrdPhL6ubecis3AWbWVsr9bNAbwC", "type": [ "VerifiableCredential", "EuropeanBankIdentity" ], "credentialSchema": { "id": "https://raw.githubusercontent.com/…/EuropeanBankIdentity.json", }, "credentialSubject": { "placeOfBirth": { "country": "DE", "locality": "Berlin" }, "familyName": "Family001", "givenName": "Given001", "id": "did:key:z6MkmY9NFeyqNTS6nYN1tSeuxg6Sbxi7ntt2wR4Upy9HHSDS", "birthDate": "1950-01-01" } ... }
- Interoperability profile relying on SIOP v2 and OIDC4VP - Microsoft - Workday - Ping Identity - (Mattr) - (IBM) Demo 2
Using OIDC4SSI as an authentication protocol to present and issue credentials allows implementers to choose a combination of DID methods, credential formats and other components of the SSI tech stack. OIDC4SSI allows variety of choices in the SSI tech stack SSI Tech Stack component Implementer’s choices when using OIDC4SSI as a protocol Identifiers Any DID method - user’s identifier can also be a JWK Thumbprint (`sub` in the ID Token) - verifier’s identifier can also be a unique string (`client_id` in the request) Credential Format Any credential format (AnonCreds, LDP-VC, JWT-VC, ISO mDL, etc.) Revocation Any mechanism (Status List 2021, etc.) additional trust mechanisms Any mechanism (.well-known DID configuration, etc.) Cryptography Any cryptosuite (EdDSA, ES256K, etc.)
Announcements - OIDF Slack channel #wg-connect
Q&A

More Related Content

PDF
OpenID Connect 4 SSI (DIFCon F2F)
byTorsten Lodderstedt
 
PDF
OpenID 4 Verifiable Credentials + HAIP (Update)
byTorsten Lodderstedt
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
PDF
OIDC4VP for AB/C WG
byTorsten Lodderstedt
 
PDF
OpenID Connect 4 SSI
byTorsten Lodderstedt
 
PDF
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
byOpenID Foundation Japan
 
PPTX
OpenID Connect for W3C Verifiable Credential Objects
byTorsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
byTorsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
byTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
OIDC4VP for AB/C WG
byTorsten Lodderstedt
 
OpenID Connect 4 SSI
byTorsten Lodderstedt
 
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
byOpenID Foundation Japan
 
OpenID Connect for W3C Verifiable Credential Objects
byTorsten Lodderstedt
 

What's hot

PDF
OpenID for Verifiable Credentials @ IIW 36
byTorsten Lodderstedt
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PPTX
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
byKristina Yasuda
 
PPTX
Building secure applications with keycloak
byAbhishek Koserwal
 
PDF
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
byJun Kurihara
 
PDF
Hyperledger Indy tutorial
byssuser3993f3
 
PDF
次世代 KYC に関する検討状況 - OpenID BizDay #15
byOpenID Foundation Japan
 
PDF
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
byMasaru Kurahayashi
 
PPTX
FIDO Workshop-Demo Breakdown.pptx
byFIDO Alliance
 
PDF
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
byKristina Yasuda
 
PPTX
Secure your app with keycloak
byGuy Marom
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
ODP
OAuth2 - Introduction
byKnoldus Inc.
 
PDF
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
byTatsuo Kudo
 
PPTX
Spring Boot RestApi.pptx
byGoogle Developers Group Libreville Nom de famille
 
PPTX
Fido Technical Overview
byFIDO Alliance
 
PDF
分散型IDと検証可能なアイデンティティ技術概要
byNaohiro Fujie
 
PDF
自己主権型IDと分散型ID
byNaohiro Fujie
 
PDF
OAuth & OpenID Connect Deep Dive
byNordic APIs
 
PDF
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
bySSIMeetup
 
OpenID for Verifiable Credentials @ IIW 36
byTorsten Lodderstedt
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
byKristina Yasuda
 
Building secure applications with keycloak
byAbhishek Koserwal
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
byJun Kurihara
 
Hyperledger Indy tutorial
byssuser3993f3
 
次世代 KYC に関する検討状況 - OpenID BizDay #15
byOpenID Foundation Japan
 
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
byMasaru Kurahayashi
 
FIDO Workshop-Demo Breakdown.pptx
byFIDO Alliance
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
byKristina Yasuda
 
Secure your app with keycloak
byGuy Marom
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
OAuth2 - Introduction
byKnoldus Inc.
 
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
byTatsuo Kudo
 
Spring Boot RestApi.pptx
byGoogle Developers Group Libreville Nom de famille
 
Fido Technical Overview
byFIDO Alliance
 
分散型IDと検証可能なアイデンティティ技術概要
byNaohiro Fujie
 
自己主権型IDと分散型ID
byNaohiro Fujie
 
OAuth & OpenID Connect Deep Dive
byNordic APIs
 
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
bySSIMeetup
 

Similar to OpenID for SSI

PPTX
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
PDF
OpenID Connect 4 SSI (at EIC 2021)
byTorsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials (IIW 35)
byTorsten Lodderstedt
 
PDF
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
byLal Chandran
 
PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
PPTX
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
byMysoreMuleSoftMeetup
 
PDF
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
PPTX
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
PDF
OpenID Connect "101" Introduction -- October 23, 2018
byOpenIDFoundation
 
PPTX
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
byOpenIDFoundation
 
PDF
Review on OpenID Authentication Framework
byijsrd.com
 
PPT
OpenID Progress EEMA Conference
byevidos
 
PDF
Internet Identity Workshop #29 highlights with Drummond Reed
bySSIMeetup
 
PPTX
RSA Europe: Future of Cloud Identity
byMike Schwartz
 
PDF
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
byOpenID Foundation Japan
 
PPT
Street conf overview
byericsachs
 
KEY
OpenID - An in depth look at what it is, and how you can use it
byBill Shupp
 
PDF
#iiw 13th report at #idcon 10th
byNov Matake
 
PDF
OpenID Connect 4 Identity Assurance at IIW #32
byTorsten Lodderstedt
 
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
byTorsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
byTorsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
byLal Chandran
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
byMysoreMuleSoftMeetup
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
OpenID Connect "101" Introduction -- October 23, 2018
byOpenIDFoundation
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
byOpenIDFoundation
 
Review on OpenID Authentication Framework
byijsrd.com
 
OpenID Progress EEMA Conference
byevidos
 
Internet Identity Workshop #29 highlights with Drummond Reed
bySSIMeetup
 
RSA Europe: Future of Cloud Identity
byMike Schwartz
 
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
byOpenID Foundation Japan
 
Street conf overview
byericsachs
 
OpenID - An in depth look at what it is, and how you can use it
byBill Shupp
 
#iiw 13th report at #idcon 10th
byNov Matake
 
OpenID Connect 4 Identity Assurance at IIW #32
byTorsten Lodderstedt
 

More from Torsten Lodderstedt

PDF
The European Union goes Decentralized
byTorsten Lodderstedt
 
PDF
OAuth 2.0 Security Reinforced
byTorsten Lodderstedt
 
PDF
Comprehensive overview FAPI 1 and 2
byTorsten Lodderstedt
 
PPTX
Comprehensive overview FAPI 1 and FAPI 2
byTorsten Lodderstedt
 
PPTX
Identity Assurance with OpenID Connect
byTorsten Lodderstedt
 
PDF
Pushed Authorization Requests
byTorsten Lodderstedt
 
PDF
Rich Authorization Requests
byTorsten Lodderstedt
 
PPTX
GAIN Presentation.pptx
byTorsten Lodderstedt
 
PPTX
NextGenPSD2 OAuth SCA Mode Security Recommendations
byTorsten Lodderstedt
 
PPTX
Identiverse: PSD2, Open Banking, and Technical Interoperability
byTorsten Lodderstedt
 
PDF
OpenID Connect for Identity Assurance
byTorsten Lodderstedt
 
PDF
Identity Proofing with OpenID Connect
byTorsten Lodderstedt
 
PPTX
NextGenPSD2 OAuth SCA Mode Security Recommendations
byTorsten Lodderstedt
 
PDF
OAuth Security 4 Dummies iiw#27
byTorsten Lodderstedt
 
The European Union goes Decentralized
byTorsten Lodderstedt
 
OAuth 2.0 Security Reinforced
byTorsten Lodderstedt
 
Comprehensive overview FAPI 1 and 2
byTorsten Lodderstedt
 
Comprehensive overview FAPI 1 and FAPI 2
byTorsten Lodderstedt
 
Identity Assurance with OpenID Connect
byTorsten Lodderstedt
 
Pushed Authorization Requests
byTorsten Lodderstedt
 
Rich Authorization Requests
byTorsten Lodderstedt
 
GAIN Presentation.pptx
byTorsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
byTorsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
byTorsten Lodderstedt
 
OpenID Connect for Identity Assurance
byTorsten Lodderstedt
 
Identity Proofing with OpenID Connect
byTorsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
byTorsten Lodderstedt
 
OAuth Security 4 Dummies iiw#27
byTorsten Lodderstedt
 

Recently uploaded

PPTX
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PPTX
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PPTX
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PDF
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PDF
classification of elements and periodicity.pdf
byaryanshreya2010
 
PPTX
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PPTX
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
classification of elements and periodicity.pdf
byaryanshreya2010
 
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 

OpenID for SSI

  • 1.
    OpenID for SSI KristinaYasuda, Microsoft Dr. Torsten Lodderstedt, yes.com
  • 2.
    OpenID for SSI •Aims at specifying a set of protocols based on OpenID Connect and OAuth2.0 to enable SSI applications • Initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation (DIF) • One of the specifications is built up on DID-SIOP in DIDAuth WG in DIF and SIOPv1 chapter 7 in OIDC Core
  • 3.
    - Self-Issued OP(SIOP) already provides good starting point - Leveraging the simplicity and security of OpenID Connect and OAuth2.0 for SSI applications - Existing libraries, only HTTPS communication, developer familiarity - Great for mobile applications, no firewall hassles - Security of OpenID Connect has been tested and formally analysed - Allow existing OpenID Connect RPs to access SSI credentials and existing OpenID Connect OPs to issue credentials Why use OpenID Connect/OAuth2.0 as basis?
  • 4.
    ③ OpenID Connectfor Verifiable Credential Issuance (Issuance of Verifiable Credentials) OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ① Self-Issued OP v2 (key exchange and authentication) ② OpenID Connect for Verifiable Presentations (Presentation of Verifiable Credentials) Can be hosted locally on the user’s device, have cloud components, or be entirely hosted in the cloud
  • 5.
    Using OIDC4SSI asan authentication protocol to present and issue credentials allows implementers to choose a combination of DID methods, credential formats and other components of the SSI tech stack. OIDC4SSI allows variety of choices in the SSI tech stack SSI Tech Stack component Implementer’s choices when using OIDC4SSI as a protocol Identifiers Any DID method - user’s identifier can also be a JWK Thumbprint (`sub` in the ID Token) - verifier’s identifier can also be a unique string (`client_id` in the request) Credential Format Any credential format (AnonCreds, LDP-VC, JWT-VC, ISO mDL, etc.) Revocation Any mechanism (Status List 2021, etc.) additional trust mechanisms Any mechanism (.well-known DID configuration, etc.) Cryptography Any cryptosuite (EdDSA, ES256K, etc.)
  • 6.
  • 7.
  • 8.
    Standard OpenID Connectvs SIOP v2 Self-Issued OP model ⓪ User tries to get access to a resource Website (RP) User Agent OP Trust in cryptographically verifiable identifier ② OP on the user device issues subject-signed ID Token Alice User-controlled OpenID Connect OP is able to self-sign ID Tokens and authenticate using the user-controlled key material (raw public keys or Decentralized identifiers (DIDs)) ① RP requests ID Token OpenID Connect standard model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Trust in 3rd party Alice ② 3rd Party OP issues an ID Token ① RP requests ID Token
  • 9.
    OpenID Connect forVerifiable Presentations
  • 10.
    Credential Issuer ③ Verify Credentialfrom Trusted Credential Issuer (obtain Issuer’s public key and optionally check revocation list) SIOP v2 + OpenID Connect 4 Verifiable Presentations Presenting Credentials Website or App (RP) User Agent OP Alice Trust in cryptographically authenticated identifier ⓪ User tries to get access to a resource Stored Verifiable Credentials Trust in Credential Issuer(s) ② SIOP issues ID Token & Verifiable Presentation(s) ① RP requests ID Token and Credential(s) Status list (revocation) Issuer’s Public Key
  • 11.
    - Protocol iscredential/presentation format agnostic - Examples for AnonCreds and mDL in OIDC4VP spec - passing `presentation_definition` PE object by value or by reference - Support for Trust Schemes - for example, request credentials issued by an issuer that is part of a Trust Framework - Dynamic SIOP discovery and invocation via HTTPS URLs - enables use of app/universal links and web wallets - Leverages all OpenID Connect Flows - SIOP can be entirely locally hosted, have cloud components, be entirely cloud-based - Cross Device Flow enabled - Leverages OpenID Connect Metadata for verifiers and wallet management - Clarify that the key feature of SIOP is ability to sign ID Token using a subject-controlled key material (iss==sub in ID Token) - Ongoing: wallet & key attestation Credentials Presentation (Key & New Features)
  • 12.
    - First Implementer’sDrafts of OpenID Connect SIOPV2 and OIDC4VP approved. Targeting Second Implementer’s Draft by the end of 2022 - Latest Editor’s drafts can be published at: - https://openid.net/specs/openid-connect-self-issued-v2-1_0.html - https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html - Existing & ongoing Implementations: - The European Blockchain Services Infrastructure (EBSI) - Microsoft - Workday - Ping Identity - Convergence.Tech - IDunion - walt.id (eSSIF-Lab)* - Sphereon - Gimly *Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance) Credential Presentation (Status)
  • 13.
  • 14.
    IDunion Prototype •Implemented withinIDunion project •Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett •Use Case: Login to NextCloud using Verifiable Credentials •Based on • Existing NextCloud OpenID Connect Plugin • Lissi Wallet • Hyperledger Indy & Indy SDK & AnonCreds
  • 15.
    European Banking IdentityPrototype •eSSIF-Lab founded project •Team: yes.com & walt.id • Presentation & Issuance via OIDC4SSI •Based on • walt.id Wallet (Web Wallet) • JSON LD based credentials • did:key (did:ebsi) eSSIF-Lab is funded by the European Commission, as part of the Horizon 2020 Research and Innovation Programme, under Grant Agreement Nº 871932 and it's framed under Next Generation Internet Initiative.
  • 16.
    Architecture Verifier Ledger Frontend Wallet redirects (HTTPSGET) (3) “response” (HTTPS POST) Backend polling on device cross device ledger access (1) QR Code e.g. DID resolution, revocation info, schema and credential definition (2) Request payload (GET request_uri)
  • 17.
    Request Example ESSIFLab (W3C VC) { "response_type" :"id_token", "client_id":"https://example.com/callback" , "scope":"openid", "redirect_uri" :"https://example.com/callback" , "nonce":"67473895393019470130" , ... "claims":{ "vp_token":{ "presentation_definition" :{ "id":"1", "input_descriptors" :[ { "id":"1", "schema":{ "uri":"https://raw.githubusercontent.com/…/EuropeanBankIdentity.json" } } ] } } } }
  • 18.
    Response Example ESSIFLab (W3C VC) { "iss": "https://self-issued.me/v2", "aud": "https://example.com/callback", "sub": "did:key:z6MkqUDiu3MHxAm...mscLT8E9R5CKdbtr7gwR8", "exp": 1645469476, "iat": 1645465876, "nonce": "cdb97870-a3be-49b4-aa55-8c7c7122178a", "_vp_token": { "presentation_submission": { "descriptor_map": [ { "path": "$", "format": "ldp_vp", "path_nested": { "path": "$.verifiableCredential[0]", "format": "ldp_vc" } ], "definition_id": "1", "id": "1" } } } { "@context" :[ "https://www.w3.org/2018/credentials/v1" ], "holder" :"did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8" , "id":"urn:uuid:04816f2a-85f1-45d7-a66d-51764d39a569" , "proof":{ "domain" :"https://example.com/callback" , "jws" :"...", "nonce":"cdb97870-a3be-49b4-aa55-8c7c7122178a" , "proofPurpose" :"authentication" , "type":"Ed25519Signature2018" , "verificationMethod" :"did:key:z6MkqUDiu3 ..." }, "type":[ "VerifiablePresentation" ], "verifiableCredential" :[ { … "type":[ "VerifiableCredential" , "EuropeanBankIdentity" ], "credentialSubject" :{ "id":"did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8" , "familyName" :"Family001" , "givenName" :"Given001" , "birthDate" :"1950-01-01" , "placeOfBirth" :{ "country" :"DE", "locality" :"Berlin" } }, ID Token VP Token
  • 19.
    Request Example IDunion(AnonCred) { "response_type" :"id_token" , "client_id" :"https://example.com/callback" , "scope":"openid" , "redirect_uri" :"https://example.com/callback ", "nonce":"67473895393019470130" , ... "claims" :{ "vp_token" :{ "presentation_definition" :{ "id":"NextcloudLogin" , "input_descriptors" :[ { "id":"ref2", "name":"NextcloudCredential" , "format" : { "ac_vc": { "proof_type" : ["CLSignature2019" ] } }, "constraints" :{ "limit_disclosure" :"required" , "fields":[{ "path": [ "$.schema_id" ], "filter": { "type": "string" , "pattern": "did:indy:idu:test:3QowxFtwciWceMFr7WbwnM:2:BasicScheme:0.1" } }, {"path":[ "$.values.email" ]}, { "path":["$.values.first_name" ]}, { "path":["$.values.last_name" ]}] } }
  • 20.
    Response Example IDunion(AnonCred) { "aud": "https://example.com/callback ", "sub": "9wgU5CR6PdgGmvBfgz_CqAtBxJ33ckMEwvij-gC6Bcw" , "auth_time" : 1638483344 , "iss": "https://self-issued.me/v2" , "sub_jwk" : { "x": "cQ5fu5VmG…dA_5lTMGcoyQE78RrqQ6" , "kty": "EC", "y": "XHpi27YMA…rnF_-f_ASULPTmUmTS" , "crv": "P-384" }, "exp": 1638483944 , "iat": 1638483344 , "nonce": "67473895393019470130 ", "_vp_token" : { "presentation_submission" : { "descriptor_map" : [ { "id": "ref2", "path": "$", "format" : "ac_vp", "path_nested" : { "path": "$.requested_proof.revealed_attr_groups.ref2", "format" : "ac_vc" } } ], "definition_id" : "NextcloudLogin" , "id": "NexcloudCredentialPresentationSubmission" } } } { "proof": {...}, "requested_proof": { "revealed_attrs" : {}, "revealed_attr_groups": { "ref2": { "sub_proof_index" : 0, "values" : { "email": { "raw": "alice@example.com" , "encoded" : "115589951…83915671017846" }, "last_name" : { "raw": "Wonderland" , "encoded" : "167908493…94017654562035" }, "first_name" : { "raw": "Alice", "encoded" : "270346400…99344178781507" } } } }, … }, "identifiers" : [ { "schema_id" : "3QowxFtwciWceMFr7WbwnM:2:BasicScheme:0.1" , "cred_def_id" : "CsiDLAiFkQb9N4NDJKUagd:3:CL:4687:awesome_cred" , "rev_reg_id" : null, "timestamp" : null } ] } ID Token VP Token
  • 21.
  • 22.
    Credential Issuer ③ Verify Credentialfrom Trusted Credential Issuer (obtain Issuer’s public key and optionally check revocation) OpenID Connect 4 Verifiable Credentials Issuance Issuing Credentials Website or App (RP) User Agent OP Alice Trust in cryptographically authenticated identifier ⓪ User tries to log in RP Stored Verifiable Credentials Trust in Credential Issuer(s) ② SIOP issues ID Token & Verifiable Presentation(s) ① RP requests ID Token and Credential(s) ⓪ User requests Credential ① Credential Issuer issues credential
  • 23.
    - Issuance viaOAuth-protected Credential Endpoint - Currently two authorization flows: - Code flow (others possible) ■ invoked by Wallet requesting authorization for one or more credentials at the Authorization Endpoint (may trigger by presentation request during the issuance) ■ Issuer takes screen control and can authenticate/identify user with means at Issuer’s discretion - Pre-authorized code flow (new grant type) ■ Wallet is invoked after completion of process with the Issuer (QR Code or redirect) Design Principles
  • 24.
    - Protocol iscredential format agnostic - W3C Verifiable Credentials, ISO mobile Driving Licence/electronic ID, SMART Health Cards - Can be customized to use different methods for proofs of possession of key material - for example, `jwt` proof type that includes a signature by a key material tied to a DID - Allows Credential Issuance during Presentation Request (inline issuance) - Requested credential not found in the wallet - Allows just-in-time and batch credential issuance as well as credential refresh - Allows Presentation Request during Credential Issuance - Issuer is requesting to present a VC as a way to identify a user during Issuance - Can be built on top of existing OAuth/OpenID implementations - Leverages OpenID Connect Metadata for wallet & issuer management - Ongoing: wallet & key attestation to build Issuer’s trust in the wallet Credential Issuance (Key Features)
  • 25.
    - Specification adoptedby the working group. Targeting First Implementer’s draft by the end of 2022. - https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html - Planned and ongoing implementations: - The European Blockchain Services Infrastructure (EBSI) - Microsoft - Mattr - IDunion - walt.id & yes.com & BCDiploma (eSSIF-Lab) - Sphereon - Talao.io - Convergence.Tech Credential Issuance (Status)
  • 26.
  • 27.
    European Banking IdentityPrototype •eSSIF-Lab founded project •Team: yes.com & walt.id • Presentation & Issuance via OIDC4SSI •Based on • walt.id Wallet (Web Wallet) • JSON LD based credentials • did:key (did:ebsi) eSSIF-Lab is funded by the European Commission, as part of the Horizon 2020 Research and Innovation Programme, under Grant Agreement Nº 871932 and it's framed under Next Generation Internet Initiative.
  • 28.
    Authorization Request HTTP/1.1 302Found Location: https://server.example.com/authorize? response_type=code &client_id=s6BhdRkqt3 &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM &code_challenge_method=S256 &scope=openid_credential:ttps://…/EuropeanBankIdentity.json &redirect_uri=https://client.example.org/cb
  • 29.
    Credential Issuance (W3CVC) HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "format": "ldp_vc", "credential" : "eyJjcmVkZW50a...d0MifQ==" } POST /credential HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW type=https://…/EuropeanBankIdentity.json format=ldp_vc did=did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8 proof=%7B%22type%22:%22jwt%22…0aW9EkL1nOzM%22%7D Request Response
  • 30.
    Issued Credential { ... "issuer": "did:key:z6MkgF2pvVNEFXCksupWKrdPhL6ubecis3AWbWVsr9bNAbwC", "type":[ "VerifiableCredential", "EuropeanBankIdentity" ], "credentialSchema": { "id": "https://raw.githubusercontent.com/…/EuropeanBankIdentity.json", }, "credentialSubject": { "placeOfBirth": { "country": "DE", "locality": "Berlin" }, "familyName": "Family001", "givenName": "Given001", "id": "did:key:z6MkmY9NFeyqNTS6nYN1tSeuxg6Sbxi7ntt2wR4Upy9HHSDS", "birthDate": "1950-01-01" } ... }
  • 31.
    - Interoperability profilerelying on SIOP v2 and OIDC4VP - Microsoft - Workday - Ping Identity - (Mattr) - (IBM) Demo 2
  • 32.
    Using OIDC4SSI asan authentication protocol to present and issue credentials allows implementers to choose a combination of DID methods, credential formats and other components of the SSI tech stack. OIDC4SSI allows variety of choices in the SSI tech stack SSI Tech Stack component Implementer’s choices when using OIDC4SSI as a protocol Identifiers Any DID method - user’s identifier can also be a JWK Thumbprint (`sub` in the ID Token) - verifier’s identifier can also be a unique string (`client_id` in the request) Credential Format Any credential format (AnonCreds, LDP-VC, JWT-VC, ISO mDL, etc.) Revocation Any mechanism (Status List 2021, etc.) additional trust mechanisms Any mechanism (.well-known DID configuration, etc.) Cryptography Any cryptosuite (EdDSA, ES256K, etc.)
  • 33.
    Announcements - OIDF Slackchannel #wg-connect
  • 34.