Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rework W3C DC API examples #254

Merged
merged 15 commits into from
Oct 23, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 0 additions & 4 deletions diagrams/request_uri_mode_post_through_browser_api.md
Sakurann marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,7 @@ participant "App Platform" as ap
participant "Wallet" as w

u --> r : use
activate r

r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post, \npresentation_definition")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so isn't this better be something like

r -> wp: send OpenID4VP request over the W3C Digital Credentials API


deactivate r
activate wp

wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post,\n presentation_definition")
Expand Down
4 changes: 0 additions & 4 deletions diagrams/request_uri_mode_post_through_browser_api.plantuml
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,7 @@ participant "App Platform" as ap
participant "Wallet" as w

u --> r : use
activate r

r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post, \npresentation_definition")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above. shouldn't this better be something like

r -> wp: send OpenID4VP request over the W3C Digital Credentials API


deactivate r
activate wp

wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post,\n presentation_definition")
Expand Down
1 change: 0 additions & 1 deletion diagrams/signed_request_uri_through_browser_api.plantuml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ activate r
note over r,wp
Note that the signed request object contains the Verifier's origin.
end note
r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, request")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above. shouldn't this better be something like

r -> wp: send OpenID4VP request over the W3C Digital Credentials API


deactivate r
activate wp
Expand Down
67 changes: 12 additions & 55 deletions openid-4-verifiable-presentations-1_0.md
Original file line number Diff line number Diff line change
Expand Up @@ -1593,36 +1593,25 @@ And lastly, as part of the request, the Wallet is provided with information abou

## Protocol

The value of the `protocol` parameter of the W3C Digital Credentials API MUST be set to `openid4vp` for this profile.
For the profile defined in this section, the value of the exchange protocol used with the W3C Digital Credentials API [@!w3c.digital_credentials_api], is `openid4vp`.

## Request {#browser_api_request}

The `request` member of the W3C Digital Credentials API [@!w3c.digital_credentials_api] contains an OpenID4VP Authorization Request, where every OpenID4VP Authorization Request parameter is represented as a top-level JavaScript object member.
The Verifier MAY send all the OpenID4VP request parameters to the W3C Digital Credentials API as defined in [@!w3c.digital_credentials_api].

The following is a non-normative example of how the W3C Digital Credentials API can be used with an unsigned OpenID4VP request when advanced security features of OpenID4VP are not used:
The following is a non-normative example of an unsigned OpenID4VP request (when advanced security features of OpenID4VP are not used) that can be sent over the W3C Digital Credentials API :

```js
try {
const credential = await navigator.identity.get({
digital: {
providers: [{
protocol: "openid4vp",
request: {
response_type: "vp_token",
response_mode: "w3c_dc_api",
nonce: "n-0S6_WzA2Mj",
client_metadata: {...},
presentation_definition: {...}
}
}]
}
});
} catch (err) {
// Handle errors and/or fallback to other invocation mechanisms
{
response_type: "vp_token",
response_mode: "w3c_dc_api",
nonce: "n-0S6_WzA2Mj",
client_metadata: {...},
presentation_definition: {...}
Copy link
Member

@bc-pi bc-pi Oct 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

}
```

Out of the Authorization Request parameters defined in [@!RFC6749] and (#vp_token_request), the following are supported with this profile:
Out of the Authorization Request parameters defined in [@!RFC6749] and (#vp_token_request), the following are supported with this profile:

* `client_id`
* `response_type`
Expand Down Expand Up @@ -1658,19 +1647,10 @@ The Verifier MAY send a signed request, for example, when identification and aut

The signed Request Object MAY contain all the parameters listed in (#browser_api_request), except `request`.

Below is a non-normative example of such a request:
Below is a non-normative example of such a request sent over the W3C Digital Credentials API:

```js
const credential = await navigator.identity.get({
digital: {
providers: [{
protocol: "openid4vp",
request: {
request: "eyJhbGciOiJF..."
}
}]
}
});
{ request: "eyJhbGciOiJF..." }
```

This is an example of the payload of a signed OpenID4VP request used with the W3C Digital Credentials API:
Expand All @@ -1683,29 +1663,6 @@ The signed request allows the Wallet to authenticate the Verifier using a trust

Every OpenID4VP Authorization Request results in a response being provided through the W3C Digital Credentials API. The response is an instance of the `DigitalCredential` interface, as defined in [@!w3c.digital_credentials_api], and the OpenID4VP Authorization Response parameters as defined for the Response Type are represented as an object within the `data` attribute.

The following is a non-normative example of processing an unsigned OpenID4VP response that could be received from the W3C Digital Credentials API:

```js
const credential = await navigator.identity.get(request);
if (credential.protocol == "openid4vp") {
// Extract relevant data members
const { vp_token, presentation_submission } = credential.data;
// presentation_submission is a javascript object
// vp_token is a string or javascript object depending on the credential type
}
```

The following is a non-normative example of processing an encrypted OpenID4VP response that could be received from the W3C Digital Credentials API:

```js
const credential = await navigator.identity.get(request);
if (credential.protocol == "openid4vp") {
// Extract encrypted response
const { response } = credential.data;
// response is a string containing a JWE, now decrypt it
}
```

# Credential Format Profiles {#alternative_credential_formats}

OpenID for Verifiable Presentations is Credential Format agnostic, i.e., it is designed to allow applications to request and receive Verifiable Presentations and Verifiable Credentials in any Credential Format. This section defines Credential Format Profiles for some of the known Credential Formats. Other specifications or deployments can define their own Credential Format Profiles.
Expand Down