add an option to use credential_configuration_id in credential request #392
Conversation
Sakurann
requested review from
danielfett,
jogu,
tlodderstedt,
selfissued,
c2bo,
tplooker,
paulbastian,
awoie and
bc-pi
Co-authored-by: Joseph Heenan <[email protected]>
There was a problem hiding this comment.
My understanding from the discussion around #294 was that credential_configuration_idoption replaces the format option. I would rather replace an option than adding a third one. Apart from them, everything seems fine to me.
|
This is missing an entry for the document history |
I don't think we can do it without removing format option in authorization request |
|
discussed in the WG call, ask the ML if implementers using format + type would be against removing that option in favor of using credential_configuration_id only. and that does not necessarily mean that implementations that do not use issuer metadata are not allowed because we could say that implementations that do not use issuer metadata should define the mapping between scope (optionally), format, type and credential_configuration_id out of band. @pmhsfelix pointed out that after ID-1 we have already made a change that prohibited using format + type with RAR. |
Email sent to mailing list requesting feedback within the next week: https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20240923/000455.html |
|
I think that
|
I couldn't agree more |
|
Wasn't the |
I would suggest creating a particular issue for removing the |
Good morning, @awoie For every feature/option removed there was an implementation.
The |
|
@babisRoutis @paulbastian i am repeating myself, but what you are suggesting needs to be done in conjunction with the changes to the format+type option in the authorization request and text explaining how the protocol works without issuer metadata, for example by saying that |
Looks like a good suggestion to me. Anything else that would be missing apart from clarifications that issuer metadata or similar conventions could be communicated out of band? |
|
We still need to allow some format specific parameters on authorization requests using RAR, such as:
PS. And for credential requests, when a |
|
Talked to @tlodderstedt, who said that it is better to close this PR and keep things as-is, because...
|
I don't agree on closing the PR. VCI is all about allowing wallet to place a credential request. It doesn't seem consistent that throughout the issuance process (offer, If there isn't a consensus to remove format + type from credential request, at least , we should have the alternative option to use |
What do you expect the wallet to know, when it starts the process? I would expect the wallet to know format and type of the credential the holder is looking for. That's what is being standardized not a credential configuration id. Just as an example, ISO 18013-05 defines the mDL doc type. It does not define how the credential configuration id of an OID4VCI issuer supporting this doc types is. As this is a most likely locally defined metadata identifier. And it is protocol specific. So how to cope with this situation?
What would you prefer and why? |
I think option 1 is the way to go. For an issuance process, that is initiated at issuer's site, wallet's participation begins with a credential offer (No format/type) On the other hand, for a wallet-initiated issuance, wallet should know (or could search, to a local or trusted registry of issuers, for):
Of course, holder is interested to get a specific credential type, from a trusted issuer. Few would care or even understand about formats. With these three values, wallet can "assemble" on its own a stateless credential offer as follows:
So, actually, I believe that wallet has to have always a credential offer (issuer provided or locally created) to interact with the issuer. Format/type can be used as criteria to just query issuer's metadata. With this problem solved, I find no reason to use format/type in any of the subsequent steps (authorization, authorization_details & credential request), should this PR be accepted. |
|
Is credential configuration identifier specific to each issuer or specific to a use-case and is determined by multiple issuers? |
|
In the most general case, every issuer has its own credential configuration ids. Implementation experience will tell whether there are situations with shared credential configuration definitions. |
|
Dear @Sakurann
I think it is clearly the former. Every issuer is free to define its own values for scope & credential configuration id for a given credential.
We can agree, I guess, that the wallet has to lookup credential issuer's metadata, in any case:
So, if wallet cannot avoid grabbing the metadata, then it can easily determine the configuration for the format/type the holder is looking for, by querying the metadata.
Format/Type have a business value for (or recognized by) the holder and the verifier. With regards to VCI, we already have format/type to our metadata. Moving towards 1.0, perhaps, it would be more reasonable to use credential configuration id instead of format/type, and if there is a need/demand add the format/type afterwards. |
|
It looks like we have 3 options on the table and I'm unclear if we have consensus around any of them. I'll add them as separate comments, can people please thumbs up options they like, ignore options they can live with, and thumbs down options they hate? |
|
Option 1. We close this PR and keep the spec as is, for scopes you would need to use format+type in the credential request |
|
Option 2. We merge this PR as is, and for scopes there is a choice of two possible credential requests - format+type or credential_configuration_id (potentially removing one of these options in the future as we see how they get used) |
|
Option 3. We remove the format+type option in this PR before merging it |
|
Can we change the title of the PR if we discuss removing certain functionality? |
|
discussed in a WG:
|
|
If I understand correctly, this would also remove the format-specific attributes such as For example, in the sd-jwt-vc profile, the This creates considerable complexity just to use Hence, we may have two kind of flows:
Aside from potentially breaking some implementations (ours included), in what scenarios does only maintaining @jogu, this continues the chat at last WG. |
|
I applied the changes discussed in hybrid call to this PR. Please check @Sakurann @jogu @babisRoutis @tlodderstedt @c2bo @jruizaranguren @nemqe |
Co-authored-by: Nemanja Patrnogic <[email protected]>
| @@ -665,7 +665,7 @@ The Authorization Server might decide to authorize issuance of multiple instance | |||
|
|
|||
| In addition to the response parameters defined in [@!RFC6749], the Authorization Server MAY return the following parameters: | |||
|
|
|||
| * `authorization_details`: REQUIRED when the `authorization_details` parameter is used to request issuance of a certain Credential Configuration as defined in (#authorization-details). It MUST NOT be used otherwise. It is an array of objects, as defined in Section 7 of [@!RFC9396]. In addition to the parameters defined in (#authorization-details), this specification defines the following parameter to be used with the authorization details type `openid_credential` in the Token Response: | |||
There was a problem hiding this comment.
Please verify that this is your interpretation of the Hybrid DCP Call
I find it ready for implementation 😄 |
Closes one remaining item from PR #294 as agreed on May 29th 2024 call.
Closes #132
Closes #175
enables to use credential_configuration_id in the credential request.
I am increasingly in favor of dropping an option to use format + type in authorization request and credential request, and instead clarify that implementations that do not use issuer metadata should define the mapping between scope (optionally), format, type and credential_configuration_id out of band? #234 is the related issue though it proposes a different solution. (probably needs discussion with torsten on the call)
also resolves #342