Merge pull request #263 from openid/danielfett/client-id-scheme-prefixed

Change `client_id_scheme` to a prefix
openid · Oct 3, 2024 · ee26876 · ee26876
2 parents 304b4a8 + 38bf0dd
commit ee26876
Show file tree

Hide file tree

Showing 9 changed files with 92 additions and 59 deletions.
diff --git a/diagrams/request_uri_mode_post.md b/diagrams/request_uri_mode_post.md
@@ -12,9 +12,9 @@ participant "Verifier" as r
 u --> r : use
 activate r
 
-r --> u: authorization request\n(client_id, request_uri, request_uri_method=post, [client_id_scheme])
+r --> u: authorization request\n(client_id, request_uri, request_uri_method=post)
 deactivate r
-u --> w: authorization request\n(client_id, request_uri, request_uri_method=post, [client_id_scheme])
+u --> w: authorization request\n(client_id, request_uri, request_uri_method=post)
 activate w
 w --> w: [optional. Check client_id with trust framework]
 note over r,w
@@ -24,7 +24,7 @@ note over r,w
 end note
 w --> r: POST **request_uri** ([wallet_metadata][, wallet_nonce])
 r -> r: create and sign (and optionally encrypt) request object 
-r --> w: **signed (optionally encrypted) request object** (client_id, client_id_scheme, wallet_nonce, nonce, \nresponse_uri, presentation_definition, state)
+r --> w: **signed (optionally encrypted) request object** (client_id, wallet_nonce, nonce, \nresponse_uri, presentation_definition, state)
 w -> w: authenticate and\n authorize Verifier
 
 note over u, w: User authentication and Credential selection/confirmation

diff --git a/diagrams/request_uri_mode_post_through_browser_api.md b/diagrams/request_uri_mode_post_through_browser_api.md
@@ -16,20 +16,20 @@ participant "Wallet" as w
 u --> r : use
 activate r
 
-r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post, \npresentation_definition")
+r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post, \npresentation_definition")
 
 deactivate r
 activate wp
 
-wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post,\n presentation_definition")
 deactivate wp
 activate ap
 
 ap -> ap: match wallet
 ap -> u: use this wallet?
 u -> ap: confirmation
 
-ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post,\n presentation_definition")
 deactivate ap
 
 activate w
@@ -40,7 +40,7 @@ note over r,w
 end note
 w --> r: POST **request_uri** ([wallet_metadata][, wallet_nonce])
 r -> r: create and sign (and optionally encrypt) request object 
-r --> w: **signed (optionally encrypted) request object** (client_id, client_id_scheme, wallet_nonce, nonce, \npresentation_definition, state)
+r --> w: **signed (optionally encrypted) request object** (client_id, wallet_nonce, nonce, \npresentation_definition, state)
 w -> w: authenticate and\n authorize Verifier
 
 note over u, w: User authentication and Credential selection/confirmation

diff --git a/diagrams/request_uri_mode_post_through_browser_api.plantuml b/diagrams/request_uri_mode_post_through_browser_api.plantuml
@@ -16,20 +16,20 @@ participant "Wallet" as w
 u --> r : use
 activate r
 
-r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post, \npresentation_definition")
+r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post, \npresentation_definition")
 
 deactivate r
 activate wp
 
-wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post,\n presentation_definition")
 deactivate wp
 activate ap
 
 ap -> ap: match wallet
 ap -> u: use this wallet?
 u -> ap: confirmation
 
-ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post,\n presentation_definition")
 deactivate ap
 
 activate w
@@ -40,7 +40,7 @@ note over r,w
 end note
 w --> r: POST **request_uri** ([wallet_metadata][, wallet_nonce])
 r -> r: create and sign (and optionally encrypt) request object 
-r --> w: **signed (optionally encrypted) request object** (client_id, client_id_scheme, wallet_nonce, nonce, \npresentation_definition, state)
+r --> w: **signed (optionally encrypted) request object** (client_id, wallet_nonce, nonce, \npresentation_definition, state)
 w -> w: authenticate and\n authorize Verifier
 
 note over u, w: User authentication and Credential selection/confirmation

diff --git a/diagrams/signed_request_uri_through_browser_api.plantuml b/diagrams/signed_request_uri_through_browser_api.plantuml
@@ -19,20 +19,20 @@ activate r
 note over r,wp
     Note that the signed request object contains the Verifier's origin.
 end note
-r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] request")
+r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, request")
 
 deactivate r
 activate wp
 
-wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] request")
+wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, request")
 deactivate wp
 activate ap
 
 ap -> ap: match wallet
 ap -> u: use this wallet?
 u -> ap: confirmation
 
-ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] request")
+ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, request")
 deactivate ap
 
 activate w

diff --git a/examples/digital_credentials_api/signed_request_payload.json b/examples/digital_credentials_api/signed_request_payload.json
@@ -1,6 +1,5 @@
 {
   "client_id": "https://client.example.org",
-  "client_id_scheme": "entity_id",
   "expected_origins": [
     "https://origin1.example.com",
     "https://origin2.example.com"

diff --git a/examples/request/request_object_client_id_did.json b/examples/request/request_object_client_id_did.json
@@ -1,6 +1,5 @@
 {
   "client_id": "did:example:123",
-  "client_id_scheme": "did",
   "response_type": "vp_token",
   "redirect_uri": "https://client.example.org/callback",
   "nonce": "n-0S6_WzA2Mj",

diff --git a/examples/response/jarm_jwt_vc_json_body.json b/examples/response/jarm_jwt_vc_json_body.json
@@ -1,6 +1,6 @@
 {
   "iss": "did:example:ebfeb1f712ebc6f1c276e12ec21",
-  "aud": "https://client.example.org/cb",
+  "aud": "redirect_uri:https://client.example.org/cb",
   "exp": 1573029723,
   "vp_token": "eyJhb...YMetA",
   "presentation_submission": {

diff --git a/examples/response/jwt_vp.json b/examples/response/jwt_vp.json
@@ -1,7 +1,7 @@
 {
   "iss": "did:example:ebfeb1f712ebc6f1c276e12ec21",
   "jti": "urn:uuid:3978344f-8596-4c3a-a978-8fcaba3903c5",
-  "aud": "https://client.example.org/cb",
+  "aud": "x509_san_uri:https://client.example.org/cb",
   "nbf": 1541493724,
   "iat": 1541493724,
   "exp": 1573029723,