Using ordinary global scopes instead of namespaced scopes specific to OIDC4VC

Issue #1517 resolved
Tobias Looker created an issue

Currently the OpenID credential issuance spec offers a variation of the request that uses only scopes. However, these scopes are structured in a way that has a pseudo-namespace style convention, e.g. `openid_credential:<credential-type>`, which requires implementers to match and parse the scope value to extract the underlying credential type, which then allows the provider to understand what credential type the client is requesting.

A simplified direction for this syntax would be to just support the credential type as the scope value instead of having the openid_credential: prefix. The only possible downside I see here is potential scope collision?

Comments (10)

  1. Michael Jones

    Ditching the prefix would be MUCH better. I know that AAD, for instance, cannot handle scopes with colons in them. (Yes, this is an implementation deficiency. We learned that when we discovered that AAD also can’t support FHIR structured scopes.)

    If we need a new parameter, define a new parameter. Don’t try to wedge parameters into structured scope values.

  2. David W Chadwick

    @Tobias. I believe the purpose of having structured scopes was to make them global rather than local. If scopes are local then there will indeed be collisions on the open Internet, in which many wallets are designed to operate. So we need to square the circle of being global and not structured.

  3. Mike Varley

    +1 to dropping the prefix on the scope and the Credential Authorization Request using Type Specific Scope option.

  4. Kristina Yasuda

    At the June 23 SIOP call we discussed that adding `openid_credential:` does not make a scope globally unique without an IANA registry for `scopes`; it only helps to structure scopes.

    We agreed to remove `openid_credential:` but add a note saying that the scope should be understood between the interacting entities (for example, using the `scopes_supported` parameter in the metadata) - I can do a PR :)

  5. David W Chadwick

    Actually the note needs to say more than “should be understood”, because as I pointed out at the meeting, if the scope name is not global to the community using it, then two entities may understand the scope but place different interpretations on it. So all the interacting entities need to have a common understanding of the scope.

  6. Kristina Yasuda

    Recording a comment from Torsten on the ML here:

    Just removing the prefix is not sufficient. Explanation: the way the spec works right now, the prefix shall be used by the issuer to determine it is a scope about issuance and determine the credential type from the rest of the scope value. That no longer works if the prefix is removed. Instead it would require a pre-registration or standardization of scope values, which resolve to a meaningful credential issuance authorization request. That’s basically fine with me (and I’m thinking about the same for presentation already) but requires a more significant change.
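The two resolution models discussed in this thread, the prefixed `openid_credential:<credential-type>` scope from the issue description and the pre-registered, type-specific scopes that Kristina's and Torsten's comments say would have to replace it, side by side as an added example. This is illustration code, not part of the issue, the OIDC4VCI spec or any wallet/issuer implementation; the issuer metadata, scope names and credential type names are constructed, and `credential_scope_map` is an assumed metadata field standing in for however an issuer would publish the meaning of its scopes.

```python
"""Scope-to-credential-type resolution for credential issuance requests.

Constructed example: issuer metadata and scope values below are made up.
"""

PREFIX = "openid_credential:"

# Constructed issuer metadata. `scopes_supported` is real OAuth metadata;
# `credential_scope_map` is an assumed field showing what each bare
# type-specific scope means to this particular issuer.
ISSUER_A = {
    "scopes_supported": ["openid", "UniversityDegree", "DriverLicense"],
    "credential_scope_map": {
        "UniversityDegree": "UniversityDegreeCredential",
        "DriverLicense": "DriverLicenseCredential",
    },
}

# A second constructed issuer that reuses a bare scope name with a different
# meaning: the collision the thread worries about once the prefix is gone.
ISSUER_B = {
    "scopes_supported": ["openid", "DriverLicense"],
    "credential_scope_map": {
        "DriverLicense": "EUMobileDrivingLicence",
    },
}


def parse_prefixed_scopes(scope: str) -> list[str]:
    """Current spec style: the prefix marks an issuance scope and the rest of
    the token is the credential type. Works with no pre-registration because
    the prefix itself tells the issuer how to read the value."""
    types = []
    for token in scope.split():
        if token.startswith(PREFIX) and len(token) > len(PREFIX):
            types.append(token[len(PREFIX):])
    return types


def resolve_registered_scopes(scope: str, metadata: dict) -> tuple[list[str], list[str]]:
    """Proposed style: bare scope values, resolved only through what the
    issuer advertises. Returns (credential_types, unknown_scopes) so the
    caller can reject a request carrying scopes the issuer never registered
    instead of silently ignoring them."""
    supported = set(metadata["scopes_supported"])
    scope_map = metadata["credential_scope_map"]
    types, unknown = [], []
    for token in scope.split():
        if token not in supported:
            unknown.append(token)
        elif token in scope_map:
            types.append(scope_map[token])
    return types, unknown


def conflicting_scope_meanings(meta_a: dict, meta_b: dict) -> list[str]:
    """Bare scopes both issuers support but map to different credential
    types: the 'same scope, different interpretation' case from the thread.
    A wallet that talks to both cannot treat such a scope as global."""
    a = meta_a["credential_scope_map"]
    b = meta_b["credential_scope_map"]
    return sorted(s for s in a.keys() & b.keys() if a[s] != b[s])


def scopes_with_colons(metadata: dict) -> list[str]:
    """Scopes an authorization server that rejects ':' in scope values
    could not register; relevant to the interoperability point raised
    about structured scopes."""
    return [s for s in metadata["scopes_supported"] if ":" in s]


if __name__ == "__main__":
    print(parse_prefixed_scopes("openid openid_credential:UniversityDegreeCredential"))
    print(resolve_registered_scopes("openid DriverLicense UniversityDegree", ISSUER_A))
    print(conflicting_scope_meanings(ISSUER_A, ISSUER_B))
```

The prefixed parser needs nothing beyond the token itself, which is exactly why the spec text works today; the bare-scope resolver only functions once `scopes_supported` (and some agreed meaning for each value) exists, which is Torsten's "pre-registration or standardization" point, and `conflicting_scope_meanings` makes David's objection concrete: two issuers can both advertise `DriverLicense` and mean different credentials.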