OpenID for Verifiable Credentials is the next generation of OpenID that enables issuing and presenting verifiable credentials in a decentralized manner. It uses an issuer-holder-verifier model where credentials are issued to a holder (digital wallet) and then presented to a verifier (website). This allows decoupling of issuance from presentation and reuse of credentials. OpenID for Verifiable Credentials specifications provide standards for credential issuance, presentation, and authentication that build upon OAuth 2.0 and OpenID Connect to enable a variety of decentralized identity use cases.

1. OpenID for Verifiable Credentials
The next generation of OpenID
Kristina Yasuda, Microsoft
Dr. Torsten Lodderstedt, yes
Tobias Looker, MATTR

2. Issuer-Holder-Verifier Model: A Paradigm Shift
Issuer Verifier
Holder
(Digital Wallet)
Issue
Credentials
Present
Credentials
● Verifiable credential is a tamper-evident credential with a cryptographically
verifiable authorship that contains claims about a subject.
● This enables
○ decoupling issuance from presentation
○ multi-use of the credentials
○ combination of multiple credentials in a presentation

3. Decentralized Identity around you
Use Case 1: mobile Driving Licence Use Case 2: Vaccination QR Code

4. Verifiable Credentials: Benefits
- End-Users gain more control, privacy, and portability over their identity
information.
- Cheaper, faster, and more secure identity verification, when transforming
physical credentials into digital ones using verifiable credentials.
- Universal approach to handle identification, authentication, and
authorization in digital and physical space
- Issuers gain more flexibility

5. OpenID for Verifiable Credential Issuance
OpenID for Verifiable Credentials Overview
Issuer
(Website)
Verifier
(Website)
Wallet
(user’s device,
cloud or hybrid)
Issue Credentials Present Credentials
Self-Issued OP v2
OpenID for Verifiable Presentations
OpenID for Verifiable Presentations over BLE
User Interactions
Security and Trust in OpenID for Verifiable Credentials

6. Using OpenID4VCs as an authentication protocol to present and issue credentials allows implementers to
choose a combination of DID methods, credential formats and other components of the SSI tech stack.
OID4VCs allows variety of choices in the VC Tech Stack
VC Tech Stack component Implementer’s choices when using OpenID4VC
Identifiers Any DID method (End-Users, Verifiers, Issuers)
JWK Thumbprint (End-Users - `cnf` in the VP Token, `sub` in the ID Token)
Credential Format Any credential format (SD-JWT VC, ISO mDL, LDP-VC, JWT-VC,
AnonCreds, JWP, etc.) credential format survey started at IIW
XXXIV
Revocation Any mechanism (Status List 2021, etc.)
additional trust mechanisms Any mechanism (Trust List, X.509s, .well-known DID configuration, etc.)
Cryptography Any cryptosuite (EdDSA, ES256K, etc.)

7. - EU adopted OpenID4VC in eIDAS Architecture and Reference Framework for
Online Use Cases
- NIST NCCoE will be implementing OID4VP in ISO mDL context
- Improved OID4VP specification
- Second Implementer’s Drafts (ID) for OID4VPs under
way, voting started yesterday (please vote now!)
- Started work on overall Security Analysis
- Started work on OID4VP over BLE (with MOSIP)
Progress since last IIW

8. Latest Changes and Work in Progress
• OpenID 4 VP
• Added Signed & Encrypted Presentation Responses (JARM)
• Combination of direct_post and redirect for same device and
improved cross device security
• Added Client Identifier Schemes
• Enhanced Security and Implementation Considerations
• Wallet Attestation and Implementation Considerations on
Credential Refresh
• Preparing (next) Implementers Drafts for OID4VCI and SIOP v2

9. - Most widely used identity standards today (small and big companies,
government, health, open banking, mobile operators, …)
- Known for simplicity, lots of library support
- Security has been formally analysed, Security Recommendations are
constantly evolved (e.g. through OAuth Security BCP)
- Interoperability through automated Test Suites
- Eases enhancement of existing OAuth/OpenID Connect
implementations to support decentralized identity
Build upon OAuth 2.0 and OpenID Connect

10. OpenID for Verifiable Presentations (OID4VPs)

11. Same Device Presentation

12. Cross Device Presentation

13. - Query language to granularly
specify what kind of credential
Verifier wants. (utilizes DIF
Presentation Exchange 2.0)
- Verifiable Presentations* are
returned in a newly defined VP
Token
- Simple overall architecture,
e.g. device local
communication when same
device flow is used
OpenID for Verifiable Presentations
Website or App
(RP)
Wallet
OP
Alice
⓪ User tries to get
access to a resource
Stored Verifiable Credentials
② Wallet issues Verifiable
Presentation(s) in VP Token
① RP requests
Credential(s)
*can be any credential/presentation format, not limited to not limited to W3C Verifiable Credentials.

14. Same Device (VP Token in redirect URI)

15. Cross-Device Flow (VP Token sent via HTTP POST)

16. Same Device (VP Token sent via HTTP POST + redirect)

17. Presentation Request
{
"id": "example_ldp_vc",
"input_descriptors": [
{
"id": "id_card_credential",
"format": {
"ldp_vc": {
"proof_type": [
"Ed25519Signature2018"
]
}
},
"constraints": {
"fields": [
{
"path": [
"$.type"
],
"filter": {
"type": "array",
"contains": {
"const": "IDCredential"
}
}
}
]
}
}
]
}
GET /authorize?
response_type=vp_token
&client_id=https%3A%2F%2Fclient.example.org%2Fcb
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&presentation_definition=...
&nonce=n-0S6_WzA2Mj HTTP/1.1
Host: wallet.example.com
presentation_definition

18. Presentation Response
{
"definition_id": "example_ldp_vc",
"id": "example_ldp_vc_presentation_submission",
"descriptor_map": [
{
"id": "id_credential",
"path": "$",
"format": "ldp_vp",
"path_nested": {
"format": "ldp_vc",
"path": "$.verifiableCredential[0]"
}
}
]
}
{
"@context": [
"https://www.w3.org/2018/credentials/v1"
],
"type": [
"VerifiablePresentation"
],
"verifiableCredential": [
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.w3.org/2018/credentials/examples/v1"
],
"id": "https://example.com/credentials/1872",
"type": [
"VerifiableCredential",
"IDCredential"
],
"issuer": {
"id": "did:example:issuer"
},
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
"given_name": "Max",
"family_name": "Mustermann",
"birthdate": "1998-01-11",
"address": {
"street_address": "Sandanger 25",
"locality": "Musterstadt",
"postal_code": "123456",
presentation_submission
vp_token
HTTP/1.1 302 Found
Location: https://client.example.org/cb#
presentation_submission=...
&vp_token=...

19. Self-Issued OP (SIOP v2)

20. Self-Issued OP v2
Website (RP)
User
Agent
OP
Trust in cryptographically
verifiable identifier
② OP on the user
device issues
subject-signed ID Token
Alice
⓪ User tries to access a
resource
① RP requests ID Token
- SIOP v2 allows users to authenticate
towards RPs using self-controlled
identifiers
- ID Tokens are signed with user-controlled
key material (pseudonymous
authentication with pairwise subject
identifiers)
- Can be used in combination with
OD4VPs, when the use case requires
end-user authentication

21. VC presentation and Authentication using OID4VPs & SIOP v2
- Simple & secure protocol based on OAuth 2.0
- Uniform protocol across different credential formats
- Same device & cross device scenarios, offline
- Privacy preserving mutual authentication of RP and wallet
- Pseudonymous authentication of End-User to RPs through SIOP v2
- Works well with OAuth for authorization of API-based payments (e.g. PSD2) and
remote signature creation (e.g. CSC)
- Note: referenced by draft ISO/IEC 18013-7 and 23220-4 and eIDAS ARF

22. OpenID for Verifiable Presentation over BLE

23. - Latest addition to OID4VC protocol family (WG document)
- Allows presentation in offline scenarios
- Verifier (e.g. POS terminal or kiosk) acts as “BLE Peripheral”
- Wallet connects to Verifier via QR Code or BLE Advertisement (NFC
tap under consideration)
- Connection encrypted using session key (DH key exchange)
- Presentation Request and Response use standard OID4VP syntax
- First implementation by MOSIP (https://github.com/mosip/tuvali)
OpenID for Verifiable Presentation over BLE

24. Cross-Device Flow (BLE)

25. OpenID for Verifiable Credential Issuance (OID4VCI)

26. - Issuance via OAuth-protected Credential Endpoint
- Two authorization flows:
- Code flow (others OAuth 2.0 grant types possible): authorization for one
or more credentials at the Authorization Endpoint once the wallet is
invoked
- Pre-authorized code flow (new grant type): authorization for one or more
credentials prior to the Wallet being invoked.
- Supports different methods for the Wallet to prove possession of key material
used to bind credential
Design Principles

27. Authorization Code Flow

28. Pre Authorized Code Flow

29. Credential
Issuer
Website or App
(RP)
Wallet
OP
Alice
⓪ User tries to log in RP
Stored
Verifiable Credentials
② Wallet issues Verifiable
Presentation(s)
① RP requests
Credential(s)
⓪ Wallet requests & User
authorizes credential issuance
③ Credential is issued
① access token(, refresh token)
② Wallet requests credential issuance
Credential issuance via simple OAuth-authorized API
OpenID for Verifiable Credential Issuance

30. Pre-Authorized Code Flow (in detail)

31. Example: Token Request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code
&pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA
&user_pin=493536

32. Example: Credential Issuance
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"format": "vc+sd-jwt",
"credential" : "eyJhbGciOiAiRVMyNTYifQ.eyJfc2QiOiBbIl
...
gImVtYWlsIiwgInRlc3RAZXhhbXBsZS5jb20iXQ"
}
POST /credential HTTP/1.1
Host: server.example.com
Content-Type: application/json
Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
{
"format":"vc+sd-jwt",
"type":"Identity",
"proof":{
"proof_type":"jwt",
"jwt":"eyJhbGciOiJFUzI1NiIsInR5cCI6Im9wZW5pZDR2Y2ktcHJvb2Yrand0Iiw
...
jhe0xQmfIBCQz20xVjaM91ODdIt5JX_ztrcq4nkglH907Ofbugg"
}
}
Request Response

33. Example: Issued Credential
{
"iss": "https://credential-issuer.example.com",
"iat": 1516239022,
"exp": 1516247022,
"type": "Identity",
"_sd": [
"UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM",
"tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ",
"vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk"
],
"_sd_alg": "sha-256",
"cnf": {
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
"y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
}
}
}

34. VC issuance using OID4VCI
● Simple & Secure OAuth protected API
○ Can be built & operated on top of existing OAuth libraries/deployments
○ Simple way for existing AS/IDPs to become PID/(Q)EAA issuers
○ Leverages OAuth security mechanisms
● Customizable for different credential formats, proof of possession and attestation
methods
● Hardware-backed key material for cryptographic binding of attribute attestations
(leveraging HSMs, SEs, TEEs)
● Same device and cross device scenarios
● Mutual authentication of wallet and issuer
● Note: referenced by draft ISO 23220-3 and EU eIDAS ARF

35. - EU’s eIDAS v2 Architecture &
Reference Framework
- The European Blockchain Services
Infrastructure (EBSI)
- Finnish ID
- Microsoft
- Mattr
- IDunion
- walt.id & yes.com & BCDiploma
(eSSIF-Lab)
- Talao.io
Planned and ongoing implementations
- Workday
- Ping Identity
- Trinsic/Dentity (incl. Auth0
plugin)
- Convergence.Tech
- Sphereon
- Gimly
- CAS Software AG
- Verimi/Deutsche Telekom
- Gen (Avast, Evernym)
- Mee Foundation

36. Open Source projects
• Walt-id
• https://github.com/walt-id/waltid-ssikit
• Sphereon
• https://github.com/Sphereon-Opensource/SIOP-OpenID4VP
• https://github.com/Sphereon-Opensource/OpenID4VCI-client
• https://github.com/Sphereon-Opensource/ssi-sdk
• Microsoft
• https://github.com/microsoft/VerifiableCredential-SDK-Android
• https://github.com/microsoft/VerifiableCredential-SDK-iOS
• Spruce
• https://github.com/spruceid/oidc4vci-rs
• https://github.com/spruceid/oidc4vci-issuer

37. Call to Action
Implement the specifications to unlock your use cases and provide us feedback
(mailing list)
• https://openid.net/specs/openid-4-verifiable-presentations-1_0.html
• https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
• https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html
• https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-over-ble-1_0.html
• https://openid.bitbucket.io/connect/openid-4-vc-security-and-trust-1_0.html
Latest information can be found at https://openid.net/openid4vc/

38. Q&A

39. Issuer Initiates Process (cross device)