OpenID for SSI aims to specify protocols based on OpenID Connect and OAuth 2.0 to enable self-sovereign identity (SSI) applications. This initiative is conducted by the OpenID Foundation in collaboration with the Decentralized Identity Foundation. One specification builds upon the DID-SIOP and SIOPv1 standards. Using OpenID Connect allows for variety in SSI technology choices like identifiers, credentials, and cryptography while leveraging existing OpenID Connect implementations, libraries, and developer familiarity. Demonstrations show credential presentation and issuance via OIDC4SSI specifications.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
OpenID Connect 4 SSI aims at specifying a set of protocols based on OpenID Connect to enable SSI applications. The initiative is conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation (DIF). One of the specifications is built up on DID-SIOP in DIDAuth WG in DIF and SIOP v1 in OIDC Core.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
OpenID Connect 4 SSI aims at specifying a set of protocols based on OpenID Connect to enable SSI applications. The initiative is conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation (DIF). One of the specifications is built up on DID-SIOP in DIDAuth WG in DIF and SIOP v1 in OIDC Core.
This presentation gives an overview on the work that is going on at OpenID Foundation in Liaison with Decentralized Identity Foundation to enable SSI applications based on OpenID Connect.
The European Union’s regulation on Digital Identity, eIDAS, is currently being overhauled to adopt decentralized identity principles. The goal is to provide all citizens and residents across the EU with highly secure and privacy preserving digital wallets that can be used to manage various digital credentials, from eIDs to diplomas to payment instruments. Decentralized identity principles aim at giving freedom of choice and control to the end-user. Ensuring security and interoperability, however, will be challenging — especially in the enormous scale in terms of users and use cases the EU is aiming at. The choices made in eIDAS will have a huge impact on digital identity in the EU and beyond.
The so-called “Architecture and Reference Framework” (ARF) defines the technical underpinnings of eIDAS v2. Many experts from the member states and the Commission have been working on this framework over the last year, trying to select the best combination of technologies and standards out of the enormous number available in the market today. This talk will introduce the ARF and explain what architectural patterns and technical standards are adopted and how the challenges mentioned above are addressed in order to leverage on the vision of the eIDAS v2 regulation.
What is a Verifiable Credential, and Why Does it Matter?
https://identiverse.com/idv2022/session/841421/
"A verifiable credential (VC) is an assertion with a secret weapon – called a verifiable presentation (VP). VCs and VPs are unique in that they enable users to directly hold and present claims about themselves, issued by many different authorities. This is an important addition to the domain-relative credentials that are presented today as part of federated sign-in or SSO contexts. You may ask – why is that direct presentation important? Kristina Yasuda will talk through how VCs and VPs work, what makes VCs different from common federated credentials, and what VCs could change about how we interact with data in the future."
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Kristina Yasuda
Presentation I gave on Self-Issued OpenID Provider during the second OpenID Foundation Virtual Workshop covering:
1. What is Self-Issued OpenID Provider (SIOP) ?
2. SIOP Requirements (draft)
3. Initial discussion points deep-dive
Self-Issued OpenID Providers are personal OpenID Providers that issue self-signed ID Tokens, enabling portability of the identities among providers
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...SSIMeetup
Drummond Reed, Chief Trust Officer at Evernym, will explain in our second Webinar "Decentralized Identifiers (DIDs) - Building Block of Self-Sovereign Identity (SSI)" giving us the background on how DIDs work, where they come from and why they are important for Blockchain based Digital Identity.
A tutorial on how the process of writing an application using a browser’s WebAuthn API, plus how to install a server, how to generate authentication challenges & responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
Verifiable Credentials in Self-Sovereign Identity (SSI)Evernym
On our March 12, 2020 webinar, Evernym Chief Architect Daniel Hardman provided a great introduction to verifiable credentials and compared them to the physical credentials (passports, driver's licenses, loyalty cards) we use every day. He then identified six lessons we can learn from today's physical credentials and how we're applying each to the world of self-sovereign identity.
Slides from the session about the emerging work on extending OpenID Connect for requesting and presenting Verifiable Credentials and Verifiable Presentations
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...SSIMeetup
https://ssimeetup.org/peer-dids-secure-scalable-method-dids-off-ledger-daniel-hardman-webinar-42/
Daniel Hardman, Chief Architect, Evernym / Secretary, Technical Governance Board – Sovrin Foundation will show how Peer DIDs will allow off-chain transactions for the self-sovereign identity (SSI) world.
Most documentation about decentralized identifiers (DIDs) describes them as identifiers that are rooted in a public source of truth like a blockchain, a database, a distributed filesystem, or similar. This publicness lets arbitrary parties resolve the DIDs to an endpoint and keys. It is an important feature for many use cases. However, the vast majority of relationships between people, organizations, and things have simpler requirements. When Alice(Corp|Device) and Bob want to interact, there are exactly and only 2 parties in the world who should care: Alice and Bob. Instead of arbitrary parties needing to resolve their DIDs, only Alice and Bob do. Peer DIDs are perfect in these cases. In many ways, peer DIDs are to public, blockchain-based DIDs what Ethereum Plasma or state channels are to on-chain smart contracts— or what Bitcoin’s Lightning Network is to on-chain cryptopayments. They move interactions off-chain, but offer options to connect back to a chain-based ecosystem as needed. Peer DIDs create the conditions for people, organizations, and things to have full control of their end of the digital relationships they sustain.
This presentation gives an overview on the work that is going on at OpenID Foundation in Liaison with Decentralized Identity Foundation to enable SSI applications based on OpenID Connect.
The European Union’s regulation on Digital Identity, eIDAS, is currently being overhauled to adopt decentralized identity principles. The goal is to provide all citizens and residents across the EU with highly secure and privacy preserving digital wallets that can be used to manage various digital credentials, from eIDs to diplomas to payment instruments. Decentralized identity principles aim at giving freedom of choice and control to the end-user. Ensuring security and interoperability, however, will be challenging — especially in the enormous scale in terms of users and use cases the EU is aiming at. The choices made in eIDAS will have a huge impact on digital identity in the EU and beyond.
The so-called “Architecture and Reference Framework” (ARF) defines the technical underpinnings of eIDAS v2. Many experts from the member states and the Commission have been working on this framework over the last year, trying to select the best combination of technologies and standards out of the enormous number available in the market today. This talk will introduce the ARF and explain what architectural patterns and technical standards are adopted and how the challenges mentioned above are addressed in order to leverage on the vision of the eIDAS v2 regulation.
What is a Verifiable Credential, and Why Does it Matter?
https://identiverse.com/idv2022/session/841421/
"A verifiable credential (VC) is an assertion with a secret weapon – called a verifiable presentation (VP). VCs and VPs are unique in that they enable users to directly hold and present claims about themselves, issued by many different authorities. This is an important addition to the domain-relative credentials that are presented today as part of federated sign-in or SSO contexts. You may ask – why is that direct presentation important? Kristina Yasuda will talk through how VCs and VPs work, what makes VCs different from common federated credentials, and what VCs could change about how we interact with data in the future."
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Kristina Yasuda
Presentation I gave on Self-Issued OpenID Provider during the second OpenID Foundation Virtual Workshop covering:
1. What is Self-Issued OpenID Provider (SIOP) ?
2. SIOP Requirements (draft)
3. Initial discussion points deep-dive
Self-Issued OpenID Providers are personal OpenID Providers that issue self-signed ID Tokens, enabling portability of the identities among providers
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...SSIMeetup
Drummond Reed, Chief Trust Officer at Evernym, will explain in our second Webinar "Decentralized Identifiers (DIDs) - Building Block of Self-Sovereign Identity (SSI)" giving us the background on how DIDs work, where they come from and why they are important for Blockchain based Digital Identity.
A tutorial on how the process of writing an application using a browser’s WebAuthn API, plus how to install a server, how to generate authentication challenges & responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
Verifiable Credentials in Self-Sovereign Identity (SSI)Evernym
On our March 12, 2020 webinar, Evernym Chief Architect Daniel Hardman provided a great introduction to verifiable credentials and compared them to the physical credentials (passports, driver's licenses, loyalty cards) we use every day. He then identified six lessons we can learn from today's physical credentials and how we're applying each to the world of self-sovereign identity.
Slides from the session about the emerging work on extending OpenID Connect for requesting and presenting Verifiable Credentials and Verifiable Presentations
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...SSIMeetup
https://ssimeetup.org/peer-dids-secure-scalable-method-dids-off-ledger-daniel-hardman-webinar-42/
Daniel Hardman, Chief Architect, Evernym / Secretary, Technical Governance Board – Sovrin Foundation will show how Peer DIDs will allow off-chain transactions for the self-sovereign identity (SSI) world.
Most documentation about decentralized identifiers (DIDs) describes them as identifiers that are rooted in a public source of truth like a blockchain, a database, a distributed filesystem, or similar. This publicness lets arbitrary parties resolve the DIDs to an endpoint and keys. It is an important feature for many use cases. However, the vast majority of relationships between people, organizations, and things have simpler requirements. When Alice(Corp|Device) and Bob want to interact, there are exactly and only 2 parties in the world who should care: Alice and Bob. Instead of arbitrary parties needing to resolve their DIDs, only Alice and Bob do. Peer DIDs are perfect in these cases. In many ways, peer DIDs are to public, blockchain-based DIDs what Ethereum Plasma or state channels are to on-chain smart contracts— or what Bitcoin’s Lightning Network is to on-chain cryptopayments. They move interactions off-chain, but offer options to connect back to a chain-based ecosystem as needed. Peer DIDs create the conditions for people, organizations, and things to have full control of their end of the digital relationships they sustain.
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group.
So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.
apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...apidays
apidays LIVE India 2022: Accelerating India’s digitisation with APIs
May 11 & 12, 2022
Building a Modular Open Source Identity Platform
Sanath Kumar Varambally, Knowledge Management Consultant & Vishwanath V, Architect at Modular Open Source Identity Platform (MOSIP)
------------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Deep dive into the API industry with our reports:
https://www.apidays.global/industry-reports/
Subscribe to our global newsletter:
https://apidays.typeform.com/to/i1MPEW
Identity Server ha sido durante mucho tiempo el framework para OpenIdConnect y OAuth 2 más utilizado en el ámbito de .NET. Usándolo conectábamos de modo seguro front y back, conseguíamos Single Sign-On y en general manejábamos aspectos relativos a la seguridad de nuestras aplicaciones.
Pero nada es eterno, y en Octubre de 2020, desde Duende Software, fundada por los mantainers de Identity Server anunciaban que el soporte se acabaría junto al de .NET Core 3.1 ¡Y eso se acerca! En noviembre de 2022 dejará de mantenerse, y por tanto dejaremos de recibir actualizaciones de seguridad.
¿Qué opciones tenemos?
Veremos algunas de ellas, entre las que están otros paquetes open source y soluciones que Microsoft nos ofrece en Azure, como Azure AD B2C.
Java EE Application Security With PicketLinkpigorcraveiro
In this presentation we will take a look at PicketLink, a security framework for Java EE and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.
As the industry’s first enterprise identity bus (EIB), WSO2 Identity Server is the central backbone that connects and manages multiple identities across applications, APIs, the cloud, mobile, and Internet of Things devices, regardless of the standards on which they are based. The multi-tenant WSO2 Identity Server can be deployed directly on servers or in the cloud, and has the ability to propagate identities across geographical and enterprise borders in a connected business environment.
Microservices architecture is becoming a prominent design principle and a service development methodology, we have now started to see many microservices in production. Yet, security is a less concerned aspect, most of the time development teams are much focus on edge security but due to distributed and disposable nature of microservices, it's equally important to pay attention to securing service-to-service communication both during the transmission and sharing end-user context among services in order to cover vast attack surface.
Building IAM for OpenStack, presented at CIS (Cloud Identity Summit) 2015.
Discuss Identity Sources, Authentication, Managing Access and Federating Identities
An online training course run by the FIWARE Foundation in conjunction with the i4Trust project. The core part of this virtual training camp (21-24 June 2021) covered all the necessary skills to develop smart solutions powered by FIWARE. It introduces the basis of Digital Twin programming using linked data concepts - JSON-LD and NGSI-LD and combines these with common smart data models for the sharing and augmentation of context data.
In addition, it covers the supplementary FIWARE technologies used to implement the common functions typically required when architecting a complete smart solution: Identity and Access Management (IAM) functions to secure access to digital twin data and functions enabling the interface with IoT and 3rd systems, or the connection with different tools for processing and monitoring current and historical big data.
This 12-hour online training course can be used to obtain a good understanding of FIWARE and NGSI Interfaces and form the basis of studying for the FIWARE expert certification.
Extending this core part, the virtual training camp adds introductory and deep-dive sessions on how FIWARE and iSHARE technologies, brought together under the umbrella of the i4Trust initiative, can be combined to provide the means for the creation of data spaces in which multiple organizations can exchange digital twin data in a trusted and efficient manner, collaborating in the creation of innovative services based on data sharing. In addition, SMEs and Digital Innovation Hubs (DIHs) that go through this complete training and are located in countries eligible under Horizon 2020 will be equipped with the necessary know-how to apply to the recently launched i4Trust Open Call.
Profesia, Lynx Group, presenta la quinta puntata della serie di master class sulla tecnologia WSO2 di cui è Distributore esclusivo per l'Italia.
Il webinar, con la partecipazione straordinaria di WSO2, descrive come implementare nei client l'autorizzazione OAUTH2.
Scrivi a contact@profesia.it se stai pensando a una trasformazione digitale per evolvere verso un business agile
OpenID Connect 4 Identity Assurance is an extension to OpenID Connect Core enabling RPs to request and OP to provide End-User claims along with metadata about the verification proecss and status of the claims.
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice will go beyond the text of the NextGenPSD2 Spec and will be based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted at OpenID Foundations FAPI working group.
Rich Authorization Requests allows clients to pass fine grained authorization data in the OAuth authorization request. It's been developed based on experiences in open banking and other security sensitive areas.
Pushed authorization requests allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent authorization request.
OpenID Connect for Identity Assurance allows IDPs explicit attestation of verification status of
Claims (what, how, when, according to what rules, using what evidence). It's intended to be used for use cases requiring strong identity assurance, such as Anti-money Laundering, eGovernment & eSigning.
PLEASE NOTE: there is an updated version of this deck at https://www.slideshare.net/TorstenLodderstedt/nextgenpsd2-oauth-sca-mode-security-recommendations-186812074
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice will go beyond the text of the NextGenPSD2 Spec and will be based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted at OpenID Foundations FAPI working group.
Identiverse: PSD2, Open Banking, and Technical InteroperabilityTorsten Lodderstedt
The Payment Service Directive 2 (PSD2) is a huge leap forward for Open Banking as it obliges every financial institution operating in the European Union to provide APIs for Access to Account Information and Payment Initiation. The need for more then six thousand financial institutions to provide APIs caused a tremendous push forward for financial API design and accompanying authorization and authentication technologies. Based on the experiences gathered while supporting some of the PSD2 API initiatives in the context of OpenID Foundation’s FAPI working group, this talk will give an introduction to PSD2 and related technical standards, dig into some remarkable aspects of authorization for financial APIs and points out the potential impact on the future of OAuth.
The OAuth working group recently decided to discourage use of the implicit grant. But that’s just the most prominent recommendation the working group is about to publish in the upcoming OAuth 2.0 Security Best Current Best Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics), which will elevate OAuth security to the next level. The code flow shall be used with PKCE only and tokens should be sender constraint to just mention a few. Development of this enhanced recommendations was driven by several factors, including experiences gathered in the field, security research results, the increased dynamics and sensitivity of the use cases OAuth is used protect and technological changes. This session will present the new security recommendations in detail along with the underlying rationales.
A slide deck I prepared for a session at Internet Identity Workshop describing use cases, requirements and a solution for requesting and representing verified user data.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
2. OpenID for SSI
• Aims at specifying a set of protocols based on OpenID
Connect and OAuth2.0 to enable SSI applications
• Initiative conducted at OpenID Foundation in liaison with the
Decentralized Identity Foundation (DIF)
• One of the specifications is built up on DID-SIOP in DIDAuth
WG in DIF and SIOPv1 chapter 7 in OIDC Core
3. - Self-Issued OP (SIOP) already provides good starting point
- Leveraging the simplicity and security of OpenID Connect and
OAuth2.0 for SSI applications
- Existing libraries, only HTTPS communication, developer familiarity
- Great for mobile applications, no firewall hassles
- Security of OpenID Connect has been tested and formally analysed
- Allow existing OpenID Connect RPs to access SSI credentials and
existing OpenID Connect OPs to issue credentials
Why use OpenID Connect/OAuth2.0 as basis?
4. ③ OpenID Connect for Verifiable Credential Issuance
(Issuance of Verifiable Credentials)
OpenID Connect for SSI Components
Issuer
(Website)
Verifier
(Website)
Holder
(Digital Wallet)
Issue
Credentials
Present
Credentials
① Self-Issued OP v2
(key exchange and authentication)
② OpenID Connect for Verifiable Presentations
(Presentation of Verifiable Credentials)
Can be hosted locally on the
user’s device, have cloud
components, or be entirely
hosted in the cloud
5. Using OIDC4SSI as an authentication protocol to present and issue credentials allows implementers to
choose a combination of DID methods, credential formats and other components of the SSI tech stack.
OIDC4SSI allows variety of choices in the SSI tech stack
SSI Tech Stack component Implementer’s choices when using OIDC4SSI as a protocol
Identifiers Any DID method
- user’s identifier can also be a JWK Thumbprint (`sub` in the ID Token)
- verifier’s identifier can also be a unique string (`client_id` in the request)
Credential Format Any credential format (AnonCreds, LDP-VC, JWT-VC, ISO mDL, etc.)
Revocation Any mechanism (Status List 2021, etc.)
additional trust
mechanisms
Any mechanism (.well-known DID configuration, etc.)
Cryptography Any cryptosuite (EdDSA, ES256K, etc.)
8. Standard OpenID Connect vs SIOP v2
Self-Issued OP model
⓪ User tries to get
access to a resource
Website (RP)
User
Agent
OP
Trust in cryptographically
verifiable identifier
② OP on the user
device issues
subject-signed ID Token
Alice
User-controlled OpenID Connect OP is able to self-sign ID
Tokens and authenticate using the user-controlled key
material (raw public keys or Decentralized identifiers (DIDs))
① RP requests ID Token
OpenID Connect standard model
⓪ User tries to log in
Website (RP)
User
Agent
OP
(3P OpenID Provider)
Trust in 3rd party
Alice ② 3rd Party OP
issues an ID Token
① RP requests ID
Token
10. Credential
Issuer
③ Verify Credential from
Trusted Credential Issuer
(obtain Issuer’s public key and optionally
check revocation list)
SIOP v2 + OpenID Connect 4 Verifiable Presentations
Presenting Credentials
Website or App
(RP)
User
Agent
OP
Alice
Trust in cryptographically
authenticated identifier
⓪ User tries to get
access to a resource
Stored Verifiable Credentials
Trust in Credential Issuer(s)
② SIOP issues ID Token &
Verifiable Presentation(s)
① RP requests ID Token
and Credential(s)
Status list
(revocation)
Issuer’s
Public Key
11. - Protocol is credential/presentation format agnostic
- Examples for AnonCreds and mDL in OIDC4VP spec
- passing `presentation_definition` PE object by value or by reference
- Support for Trust Schemes
- for example, request credentials issued by an issuer that is part of a Trust Framework
- Dynamic SIOP discovery and invocation via HTTPS URLs
- enables use of app/universal links and web wallets
- Leverages all OpenID Connect Flows
- SIOP can be entirely locally hosted, have cloud components, be entirely cloud-based
- Cross Device Flow enabled
- Leverages OpenID Connect Metadata for verifiers and wallet management
- Clarify that the key feature of SIOP is ability to sign ID Token using a subject-controlled key material
(iss==sub in ID Token)
- Ongoing: wallet & key attestation
Credentials Presentation (Key & New Features)
12. - First Implementer’s Drafts of OpenID Connect SIOPV2 and OIDC4VP approved.
Targeting Second Implementer’s Draft by the end of 2022
- Latest Editor’s drafts can be published at:
- https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
- https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html
- Existing & ongoing Implementations:
- The European Blockchain Services Infrastructure (EBSI)
- Microsoft
- Workday
- Ping Identity
- Convergence.Tech
- IDunion
- walt.id (eSSIF-Lab)*
- Sphereon
- Gimly
*Some ESSIF projects already utilizes SIOP (based on DID-SIOP & OpenID Connect 4 Identity Assurance)
Credential Presentation (Status)
14. IDunion Prototype
•Implemented within IDunion project
•Team: Sebastian Bickerle, Paul Wenzel,
Fabian Hauck, & Dr. Daniel Fett
•Use Case: Login to NextCloud using
Verifiable Credentials
•Based on
• Existing NextCloud OpenID Connect Plugin
• Lissi Wallet
• Hyperledger Indy & Indy SDK & AnonCreds
15. European Banking Identity Prototype
•eSSIF-Lab founded project
•Team: yes.com & walt.id
• Presentation & Issuance via OIDC4SSI
•Based on
• walt.id Wallet (Web Wallet)
• JSON LD based credentials
• did:key (did:ebsi)
eSSIF-Lab is funded by the European Commission, as
part of the Horizon 2020 Research and Innovation
Programme, under Grant Agreement Nº 871932 and it's
framed under Next Generation Internet Initiative.
16. Architecture
Verifier
Ledger
Frontend Wallet
redirects (HTTPS GET)
(3) “response”
(HTTPS POST)
Backend
polling
on device
cross device
ledger access
(1) QR Code
e.g. DID resolution, revocation info, schema and credential definition
(2) Request payload
(GET request_uri)
22. Credential
Issuer
③ Verify Credential from
Trusted Credential Issuer
(obtain Issuer’s public key and optionally
check revocation)
OpenID Connect 4 Verifiable Credentials Issuance
Issuing Credentials
Website or App
(RP)
User
Agent
OP
Alice
Trust in cryptographically
authenticated identifier
⓪ User tries to log in RP
Stored Verifiable Credentials
Trust in Credential Issuer(s)
② SIOP issues ID Token &
Verifiable Presentation(s)
① RP requests ID Token
and Credential(s)
⓪ User requests
Credential
① Credential Issuer
issues credential
23. - Issuance via OAuth-protected Credential Endpoint
- Currently two authorization flows:
- Code flow (others possible)
■ invoked by Wallet requesting authorization for one or more credentials at
the Authorization Endpoint (may trigger by presentation request during
the issuance)
■ Issuer takes screen control and can authenticate/identify user with
means at Issuer’s discretion
- Pre-authorized code flow (new grant type)
■ Wallet is invoked after completion of process with the Issuer (QR Code
or redirect)
Design Principles
24. - Protocol is credential format agnostic
- W3C Verifiable Credentials, ISO mobile Driving Licence/electronic ID, SMART Health Cards
- Can be customized to use different methods for proofs of possession of key material
- for example, `jwt` proof type that includes a signature by a key material tied to a DID
- Allows Credential Issuance during Presentation Request (inline issuance)
- Requested credential not found in the wallet
- Allows just-in-time and batch credential issuance as well as credential refresh
- Allows Presentation Request during Credential Issuance
- Issuer is requesting to present a VC as a way to identify a user during Issuance
- Can be built on top of existing OAuth/OpenID implementations
- Leverages OpenID Connect Metadata for wallet & issuer management
- Ongoing: wallet & key attestation to build Issuer’s trust in the wallet
Credential Issuance (Key Features)
25. - Specification adopted by the working group. Targeting First Implementer’s draft
by the end of 2022.
- https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html
- Planned and ongoing implementations:
- The European Blockchain Services Infrastructure (EBSI)
- Microsoft
- Mattr
- IDunion
- walt.id & yes.com & BCDiploma (eSSIF-Lab)
- Sphereon
- Talao.io
- Convergence.Tech
Credential Issuance (Status)
27. European Banking Identity Prototype
•eSSIF-Lab founded project
•Team: yes.com & walt.id
• Presentation & Issuance via OIDC4SSI
•Based on
• walt.id Wallet (Web Wallet)
• JSON LD based credentials
• did:key (did:ebsi)
eSSIF-Lab is funded by the European Commission, as
part of the Horizon 2020 Research and Innovation
Programme, under Grant Agreement Nº 871932 and it's
framed under Next Generation Internet Initiative.
31. - Interoperability profile relying on SIOP v2 and OIDC4VP
- Microsoft
- Workday
- Ping Identity
- (Mattr)
- (IBM)
Demo 2
32. Using OIDC4SSI as an authentication protocol to present and issue credentials allows implementers to
choose a combination of DID methods, credential formats and other components of the SSI tech stack.
OIDC4SSI allows variety of choices in the SSI tech stack
SSI Tech Stack component Implementer’s choices when using OIDC4SSI as a protocol
Identifiers Any DID method
- user’s identifier can also be a JWK Thumbprint (`sub` in the ID Token)
- verifier’s identifier can also be a unique string (`client_id` in the request)
Credential Format Any credential format (AnonCreds, LDP-VC, JWT-VC, ISO mDL, etc.)
Revocation Any mechanism (Status List 2021, etc.)
additional trust
mechanisms
Any mechanism (.well-known DID configuration, etc.)
Cryptography Any cryptosuite (EdDSA, ES256K, etc.)