Allow for alternative AuthZ flows
Aggregated Claims may serve as attestation of claims to a generic class of identities. These identities may be users that are capable of following an OIDC Authorization flow, but they may also include e.g. devices registered as clients with the IA.
Therefore, we should clearly separate the following two phases and their purposes:
- Setup Phase: Establishing the IA-known identity (e.g. a legal entity) on behalf of which claims are issued, as well as ensuring consent of that entity.
- Delivery Phase: Binding aggregated claims to a (possibly purpose-bound, freshly generated) IdA-chosen identity (e.g. a DID).
This approach has the advantage that the setup phase does not necessarily rely on the OIDC Authorization flow. Devices wishing to have their claims attested by an IA may use e.g. the client_credentials grant type to obtain an access token at the token endpoint and may then present this token at the claims endpoint.
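As an added example (not code from the draft or from the reporter's fork) of the two phases described above: a device registered as a client of the IA obtains a token via client_credentials in the setup phase, then has the IA's claims bound to a DID of its own choosing in the delivery phase. The client registry, the claims on file, the HMAC signing key and the on_behalf_of claim name are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data (assumptions for this example, not taken from the draft):
# one device registered as a confidential client of the IA, acting for a legal entity.
REGISTERED_CLIENTS = {"device-42": {"secret": "s3cr3t", "entity": "legal-entity:acme"}}
CLAIMS_ON_FILE = {"legal-entity:acme": {"org": "ACME Corp", "jurisdiction": "DE"}}
IA_KEY = b"ia-signing-key"  # placeholder; a real IA would sign with an asymmetric key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict) -> str:
    """Compact HS256 JWT; HS256 only keeps the example free of third-party libraries."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(IA_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str):
    """Return the payload if the signature checks out, otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IA_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    return json.loads(_unb64(body))

def token_endpoint(client_id: str, client_secret: str, scope: str):
    """Setup phase: client_credentials grant. The IA-known identity is the registered
    client and the legal entity it acts for; no human or OIDC authorization flow needed."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    return sign_jwt({"sub": client["entity"], "scope": scope, "exp": int(time.time()) + 300})

def claims_endpoint(bearer: str, did: str):
    """Delivery phase: the device presents its access token plus the (possibly fresh,
    purpose-bound) DID it chose; the aggregated claims are bound to that DID, and the
    entity that consented in the setup phase is recorded separately."""
    tok = verify_jwt(bearer)
    if tok is None or tok["exp"] < time.time() or "aggregated_claims" not in tok["scope"].split():
        return None  # bad signature, expired, or token not granted for claim aggregation
    claims = CLAIMS_ON_FILE[tok["sub"]]
    return sign_jwt({"iss": "https://ia.example", "sub": did, "on_behalf_of": tok["sub"],
                     "iat": int(time.time()), **claims})
```

Note that the issued claims carry the DID as sub while the consenting entity appears only in on_behalf_of, so a relying party can verify the device's fresh identity without the IA having to know which DID the device will use.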
Comments (4)
- reporter: I am not entirely sure I understand your comment. The idea was to extend the possibilities to issue e.g. Verifiable Credentials given by the draft to non-people. This communication should never involve a SIOP, wallet etc. acting as an OP, but rather as a subject and, in many cases, an RP. The communication endpoint would usually be a trusted non-SIOP OP which could issue credentials to e.g. the wallet for it to show a data-minimized presentation to a requesting party demanding proof of the wallet's identity.
  The write-up seems to deal mostly with credentials for "people". Please correct me if I am wrong.
- Yeah, I guess that non-human interactions seemed out of scope to me. Perhaps that's the discussion that needs to happen.
- reporter: I have made some necessary changes in this fork, if anyone is interested in checking out how much (or not much at all) would have to be changed in order to support non-human identities in this draft.
  I would file a Pull Request to thoroughly discuss this, but need to wait for company approval before I may sign the Intellectual Property and Contribution Agreements.
- Nah, think big. There are very few authz flows that will be able to speak to only one OP or SIOP or wallet, or whatever. Need to think Credential Aggregation. I have a modest write-up:
  Credential Aggregation - MgmtWiki (tcwiki.azurewebsites.net)