OIDC4VCI: Alternative Authorization Flow
The spec currently utilizes the traditional OIDC/OAuth code flow to authorize access to the credential issuance endpoint. That works well for use cases where the wallet starts the issuance process towards the issuer. There are, however, use cases where the user starts the process, ultimately resulting in the issuance of credentials at the issuer’s site. For those cases, we should add an alternative flow.
Sketch: the issuer generates a code and sends it to the wallet (or renders a QR code that is scanned with the user’s device). The wallet uses this code (working title: pre-authorized code) to obtain an access token for the credential endpoint. There are additional security measures required to prevent replay of the pre-authorized code. Initial ideas include user PINs, FIDO keys, and callbacks/approvals by the user on the device where the flow started.
I will create a PR.
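The sketch above, worked through as an added example that is not part of the issue, the spec, or the PR it references: an issuer mints a single-use pre-authorized code plus a user PIN delivered out of band, and its token endpoint only hands out an access token when the code is unexpired, unused, and accompanied by the right PIN. The grant type URN, the parameter names (`pre_authorized_code`, `user_pin`), the issuer URL, and the credential type are assumptions chosen for illustration, as is the attempt limit that burns a code after repeated wrong PINs.

```python
"""Issuer-initiated (pre-authorized code) flow, constructed for illustration.

Not code from the OIDC4VCI spec or any implementation. Grant type, parameter
names, issuer URL and credential type are assumptions.
"""
import hashlib
import hmac
import secrets

# Assumed identifier; the issue only gives "pre-authorized code" as a working title.
GRANT_TYPE = "urn:example:grant-type:pre-authorized_code"


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked code store does not reveal the PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class PreAuthorizedCodeIssuer:
    """Issuer side: mints single-use codes and exchanges them for access tokens."""

    def __init__(self, ttl_seconds: int = 300, max_pin_attempts: int = 3):
        self.ttl = ttl_seconds
        self.max_pin_attempts = max_pin_attempts
        self._codes = {}  # pre-authorized code -> record

    def create_offer(self, credential_type: str, now: float):
        """Called when the user starts issuance at the issuer's site.

        Returns (offer, pin). The offer goes to the wallet (e.g. as a QR code);
        the PIN is shown to the user on a separate channel, so a copy of the
        QR code alone is not enough to redeem the code.
        """
        code = secrets.token_urlsafe(32)
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._codes[code] = {
            "credential_type": credential_type,
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "expires_at": now + self.ttl,
            "used": False,
            "failed_attempts": 0,
        }
        offer = {
            "issuer": "https://issuer.example",  # assumed
            "credential_type": credential_type,
            "pre_authorized_code": code,
            "user_pin_required": True,
        }
        return offer, pin

    def token(self, grant_type: str, pre_authorized_code: str,
              user_pin: str, now: float) -> dict:
        """Token endpoint: exchange code + PIN for an access token."""
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        rec = self._codes.get(pre_authorized_code)
        if rec is None or rec["used"] or now > rec["expires_at"]:
            # Unknown, replayed or expired code: one error so a caller learns nothing extra.
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(_hash_pin(user_pin, rec["salt"]), rec["pin_hash"]):
            rec["failed_attempts"] += 1
            if rec["failed_attempts"] >= self.max_pin_attempts:
                rec["used"] = True  # burn the code; a 6-digit PIN cannot survive unlimited guesses
            return {"error": "invalid_grant"}
        rec["used"] = True  # single use: presenting the same code again is a replay
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 60,
            "credential_type": rec["credential_type"],
        }


if __name__ == "__main__":
    issuer = PreAuthorizedCodeIssuer()
    offer, pin = issuer.create_offer("UniversityDegreeCredential", now=1000.0)
    print(issuer.token(GRANT_TYPE, offer["pre_authorized_code"], pin, now=1010.0))
    print(issuer.token(GRANT_TYPE, offer["pre_authorized_code"], pin, now=1020.0))
```

The replay check is the important part: the code is marked used the moment a token is issued, so a second presentation (a re-scanned QR code, a captured token request) gets `invalid_grant`. The PIN only helps if it travels on a channel the wallet-side attacker does not see, and because it is short it needs an attempt limit; the FIDO-key and device-approval ideas from the sketch would replace the PIN with something that cannot be guessed at all.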
Comments (2)
reporter changed status to resolved
Resolved by merging PR #138.