Which Self-issued OP gets invoked

Issue #1199 resolved
Kristina Yasuda created an issue

If there are several SIOP wallets on my mobile device (or in a web browser), which one gets invoked when SIOP request is received?

currently, SIOP wallets would register custom schema openid://. However, there are certain dependencies on the OS: 1/ Android allows only one wallet of user’s choice to be invoked, and 2/ iOS invokes a wallet that was the first to register a custom schema.

One idea was to have a “capability broker“, where a list of SIOP wallets and the identifier methods they support (jwk thumb or did methods) are registered and either user chooses which wallet to invoke or wallet appropriate to RP req automatically gets invoked. (similar to Samsung phones allowing users to use both Samsung pay and Android pay)

Is there a way to make this work without OS support (ideal), or should the conversation with OS vendors be initiated (hard)?

related to issue #1198 on RP starting a req to SIOP.

Comments (10)

  1. Anthony nadalin

    I don’t like the broker idea at all, this should just be in the metadata as we don’t want to get into OS dependencies at all. Also wallet invocation is optional at best.

  2. Michael Jones

    This was discussed during the 14-Jan-21 working group call. I hoped that people would have either zero or one wallets to avoid complexity. Others said that that may not be realistic, as different wallets may have different capabilities. In that case, might the RP know how to ask for a wallet meeting its needs?

  3. Kristina Yasuda reporter

    From several discussions, the best idea at this stage looks like:

    1. Acknowledge the fact that different wallets may use different custom URI schemes or HTTPS domains (e.g., "samplewallet://" or "https://samplewallet.com/app/" -- this would lead to having the NASCAR interface, which should be made as painless as it can be, by standardizing all the parameters even if prefixes vary
    2. Recommend that mobile wallet apps can register openid:// in addition to any other schemes or App Claimed Link prefixes, but warn that the UX may be broken when more than one wallet has been installed on a device

  4. Kristina Yasuda reporter

    on 02-09-2021 call, Tim encouraged the group to keep looking for the solutions - mainly reaching out to OS vendors - to solve this issue, and not settle with the current mechanisms. It was also mentioned that Apple may not be supporting custom schemas in the future

  5. Alen Horvat


    1. User has 1 or more wallets
    2. RP may support only specific DID methods/etc
    3. RP may require that the user uses a certified wallet
    4. User may choose which wallet he/she wants to use

    In the ideal case, where RP supports all wallets and all DID methods, user can choose whatever wallet he/she wants. The only info that is passed to the user is: use wallet to authenticate.

    In all the other cases, additional communication between the RP/Wallet/Capability broker is required.

    At the moment I see 2 options (none of which is ideal):

    1. capability broker
    2. RP lists the supported wallets (User selects → authenticate with SSI → select the wallet you have installed)

    Another multi-wallet issue (out of this context): What is RP supports only wallet A and I have the credentials requested by the RP in my wallet B).

  6. Log in to comment