Section 5.3 - Issue credential in the token response

Comments (9)

1. 

   Edmund Jay reporter

   • changed title to Section 4 - Use credential to issue token

   • 2021-08-18T01:07:10+00:00
2. 

   Kristina Yasuda

   • changed title to Section 4 - Issue credential in the token response

   • 2021-08-24T05:00:00+00:00
3. 

   Nat Sakimura

   • changed title to Section 5.3 - Issue credential in the token response
   • marked as proposal

   Section 4 is Abbreviation. I think this comment was towards Section 5.3

   • 2021-08-26T13:29:50+00:00
4. 

   Nat Sakimura

   So, that’s the parallel of ID Token?

   That would require the user to provide “consent” at the IA each time. Unless that “credential” is allowed to be replayed many times by the wallet, which would cause other issues, would it not be too onerous from the user experience point of view?

   Good point for this approach is:

   • We do not need to support a new endpoint for constrained claims access.

   Disadvantages:

   • Onerous user experience unless the format of the claims (“credential”) implements further selection mechanism (e.g., mDL)
   • The wallet needs to implement such selection mechanisms.
   • A replay of the issued “credential” would have different security and privacy characteristics, depending on “credential” format.

   ‌

   ‌

   • 2021-08-26T13:40:35+00:00
5. 

   Tobias Looker

   Originally in Credential provider we supported obtaining the credential only via the token response, however this was limiting because re-issuance including credential refresh would require End-User authentication and consent eachtime. Therefore it was dropped in favour of a back-channel endpoint. Supporting both token response flow and back channel endpoint in my opinion would make the protocol more complex and potentially harm interoperability.

   • 2021-08-27T04:12:27+00:00
6. 

   Nat Sakimura

   I agree with Tobias, but it may also be good to hear back from product developers as well. > @ Vittorio.

   • 2021-08-31T00:03:26+00:00
7. 

   Nat Sakimura

   • changed status to open

   • 2021-08-31T00:04:18+00:00
8. 

   Jeremie Miller Account Deactivated

   We have a roadmap to support single-use credentials (one presentation per credential) which can be fetched in small quantities and cached a short time for offline use-cases.

   This pattern only works well with a back-channel endpoint, which also offers the advantage of using a scope’d access token to a dedicated credential issuance service.

   Even though we don’t have any current plans to utilize credentials issued as part of the token response it is probably a simpler option for other use-cases.

   I’m not sure it’s possible to pick one or the other?

   • 2021-08-31T00:21:54+00:00
9. 

   Nat Sakimura

   So, back-channel endpoint approach covers token endpoint use-case as well. The token endpoint approach does not cover the back-channel endpoint use-cases. Thus, if we were to pick just one, it will be the backchannel endpoint approach.

   We could potentially support both but the downside is:

   • More effort to implement and support two ways of doing it for developers on both server and client products.
   • Less certaininty about what is being supported from the point of view of the deployment, i.e., interoperability issues. This may potentially be somewhat alleviated by mandating the backchannel endpoint approach as mandatory to implement (MTI). In this case, we will need server metadata to represent the option as well.

   ‌

   • 2021-08-31T00:32:54+00:00
10. Log in to comment