make credential_identifiers mandatory for authorization_details flow #346
small passionate editorials
@@ -611,6 +611,12 @@ grant_type=authorization_code | |||
&client_assertion=eyJhbGciOiJSU... | |||
``` | |||
|
|||
### Request Issuance of a Certain Credential using authorization_details Parameter | |||
|
|||
Credential Issuers MAY support requesting authorization to issue a Credential using the authorization_details parameter. |
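Review bot: In the sentence added under the new heading, authorization_details is written as plain text, while the parameter names in the Credential Request text of this same PR (`format`, `credential_identifier`) are code-formatted; format it the same way. The sentence also says only that Credential Issuers MAY support this, so consider stating at this point how a Wallet can tell whether a given Issuer supports it, or referencing the section that does.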
Credential Issuers MAY allow the request for authorization to issue a specific Credential using the authorization_details
parameter.
Credential Issuers MAY support requesting authorization to issue a Credential using the authorization_details parameter. | |
Credential Issuers MAY support requesting authorization to issue a Credential using the `authorization_details` parameter. |
@@ -721,8 +729,8 @@ For cryptographic binding, the Client has the following options defined in (#cre | |||
|
|||
A Client makes a Credential Request to the Credential Endpoint by sending the following parameters in the entity-body of an HTTP POST request using the `application/json` media type. | |||
|
|||
* `format`: REQUIRED when the `credential_identifiers` parameter was not returned from the Token Response. It MUST NOT be used otherwise. It is a String that determines the format of the Credential to be issued, which may determine the type and any other information related to the Credential to be issued. Credential Format Profiles consist of the Credential format specific parameters that are defined in (#format-profiles). When this parameter is used, the `credential_identifier` Credential Request parameter MUST NOT be present. | |||
* `credential_identifier`: REQUIRED when `credential_identifiers` parameter was returned from the Token Response. It MUST NOT be used otherwise. It is a String that identifies a Credential that is being requested to be issued. When this parameter is used, the `format` parameter and any other Credential format specific parameters such as those defined in (#format-profiles) MUST NOT be present. | |||
* `format`: REQUIRED if the `credential_identifiers` parameter was not returned from the Token Response. It MUST NOT be used otherwise. String that determines the format of the Credential to be issued, which may determine the type and any other information related to the Credential to be issued. Credential Format Profiles consist of the Credential format specific parameters that are defined in (#format-profiles). When this parameter is used, the `credential_identifier` Credential Request parameter MUST NOT be present. |
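Review bot: The rewritten `format` bullet makes the choice between `format` and `credential_identifier` depend on whether `credential_identifiers` was returned in the Token Response, but the visible text does not say what the Credential Issuer does with a request that carries both parameters, neither, or the wrong one for that token. Add a sentence stating that such a request is rejected and with which error, so implementations fail the same way. Dropping "It is a" also leaves "String that determines the format ..." as a sentence fragment, and the bullet now reads "REQUIRED if" where the lines it replaces read "REQUIRED when", so pick one form and use it in both bullets.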
* `format`: REQUIRED if the `credential_identifiers` parameter was not returned from the Token Response. It MUST NOT be used otherwise. String that determines the format of the Credential to be issued, which may determine the type and any other information related to the Credential to be issued. Credential Format Profiles consist of the Credential format specific parameters that are defined in (#format-profiles). When this parameter is used, the `credential_identifier` Credential Request parameter MUST NOT be present. | |
* `format`: REQUIRED if `credential_identifiers` was not returned in the Token Response. It MUST NOT be used otherwise. This string specifies the format of the Credential to be issued, including type and related details. Credential Format Profiles, which detail format-specific parameters, are defined in (#format-profiles). When using this parameter, `credential_identifier` MUST NOT be present in the Credential Request. |
@@ -721,8 +729,8 @@ For cryptographic binding, the Client has the following options defined in (#cre | |||
|
|||
A Client makes a Credential Request to the Credential Endpoint by sending the following parameters in the entity-body of an HTTP POST request using the `application/json` media type. | |||
|
|||
* `format`: REQUIRED when the `credential_identifiers` parameter was not returned from the Token Response. It MUST NOT be used otherwise. It is a String that determines the format of the Credential to be issued, which may determine the type and any other information related to the Credential to be issued. Credential Format Profiles consist of the Credential format specific parameters that are defined in (#format-profiles). When this parameter is used, the `credential_identifier` Credential Request parameter MUST NOT be present. | |||
* `credential_identifier`: REQUIRED when `credential_identifiers` parameter was returned from the Token Response. It MUST NOT be used otherwise. It is a String that identifies a Credential that is being requested to be issued. When this parameter is used, the `format` parameter and any other Credential format specific parameters such as those defined in (#format-profiles) MUST NOT be present. | |||
* `format`: REQUIRED if the `credential_identifiers` parameter was not returned from the Token Response. It MUST NOT be used otherwise. String that determines the format of the Credential to be issued, which may determine the type and any other information related to the Credential to be issued. Credential Format Profiles consist of the Credential format specific parameters that are defined in (#format-profiles). When this parameter is used, the `credential_identifier` Credential Request parameter MUST NOT be present. |
Can we please stick to `REQUIRED when` or `REQUIRED if` throughout the specification text?
I would like to see this point made clearer (made suggestions):
3: enable authorization_details with credential_configuration_id in Token Request for Pre-Auth Code Flow (already enabled by RAR)
Co-authored-by: Kristina <[email protected]>
Co-authored-by: Giuseppe De Marco <[email protected]>
Co-authored-by: Kristina <[email protected]>
Co-authored-by: Kristina <[email protected]>
Co-authored-by: David Chadwick <[email protected]>
Co-authored-by: David Chadwick <[email protected]>
Subject to minor editorials
How does a user approve the value of the For example, when a client application makes an authorization request without the
My understanding is the authorization server should return an access token with no more than the permissions that were already granted. The mechanism shouldn't be used to obtain new permissions without user approval.
That's my view as well, authorization_details in Token Request is only really applicable to PreAuthCode Flow.
Co-authored-by: Giuseppe De Marco <[email protected]> Co-authored-by: David Chadwick <[email protected]>
We discussed this PR on today's WG call and seemed to have consensus that this was good to merge once the two suggestions I posted above are applied (and the git conflicts fixed!).
Co-authored-by: Joseph Heenan <[email protected]>
…re-of-issuance-flows
PR was discussed at latest DCP WG Call, I made the proposed changes and PR is ready from my side
3 approvals, open for over a week, all comments addressed, discussed on last week's wg call - merging!
Closes #294
There is a separate discussion to make `credential_identifiers` available to scope flow as well, I would try to keep the discussion separate from this PR
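
The rule this PR writes into the Credential Request text (`credential_identifier` when `credential_identifiers` came back in the Token Response, `format` otherwise, never both), as an added example of an Issuer-side check; it is not part of the PR or the specification. The function names, the error class, the sample values and the membership check against the granted identifiers are assumptions of the example.

```python
from __future__ import annotations


class CredentialRequestError(ValueError):
    """A Credential Request that breaks the format / credential_identifier rule."""


def validate_credential_request(request: dict, granted: list[str] | None) -> str:
    """Return the selector the request used: "credential_identifier" or "format".

    granted: the credential_identifiers values returned in the Token Response for
    this access token, or None when none were returned (per-token storage is an
    assumption of this example).
    """
    has_format = "format" in request
    has_identifier = "credential_identifier" in request
    if has_format and has_identifier:
        raise CredentialRequestError("format and credential_identifier are mutually exclusive")

    if granted:
        # credential_identifiers was returned: credential_identifier is REQUIRED.
        if has_format:
            raise CredentialRequestError("format MUST NOT be used for this token")
        if not has_identifier:
            raise CredentialRequestError("credential_identifier is REQUIRED for this token")
        # Assumption: only identifiers issued with this token may be requested,
        # so the request cannot reach beyond what was already granted.
        if request["credential_identifier"] not in granted:
            raise CredentialRequestError("credential_identifier was not granted")
        return "credential_identifier"

    # credential_identifiers was not returned: format is REQUIRED.
    if has_identifier:
        raise CredentialRequestError("credential_identifier MUST NOT be used for this token")
    if not isinstance(request.get("format"), str):
        raise CredentialRequestError("format is REQUIRED for this token")
    return "format"


def rejection_reason(request: dict, granted: list[str] | None) -> str | None:
    """Return None if the request is acceptable, else the reason it is rejected."""
    try:
        validate_credential_request(request, granted)
    except CredentialRequestError as exc:
        return str(exc)
    return None


# Constructed sample values, not taken from the specification.
GRANTED = ["ExampleCredential-1", "ExampleCredential-2"]
```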