Using ordinary global scopes instead of namespace'd scopes specific to OIDC4VC
Currently the OpenID credential issuance spec offers a variation of the request that uses only scopes. However, these scopes are structured in a way that has a pseudo-namespace style convention, e.g. `openid_credential:<credential-type>`, which requires implementers to match and parse the scope value to extract the underlying credential type, which then allows the provider to understand what credential type the client is requesting.
A simplified direction for this syntax would be to just support the credential type as the scope value instead of having the `openid_credential:` prefix. The only possible downside I see here is potential scope collision?
Comments (10)
@Tobias. I believe the purpose of having structured scopes was to make them global rather than local. If scopes are local then there will indeed be collisions on the open Internet, in which many wallets are designed to operate. So we need to square the circle of being global and not structured.
-
+1 to dropping the prefix on the scope and the Credential Authorization Request using Type Specific Scope option.
-
At the June 23 SIOP call we discussed that adding `openid_credential:` does not make a scope globally unique without an IANA registry for `scopes`; it only helps to structure scopes.
We agreed to remove `openid_credential:` but add a note saying that `scope` should be understood between the entities interacting (for example using the `scopes_supported` parameter in the metadata) - I can do a PR :)
-
- changed status to open
-
Actually the note needs to say more than “should be understood”, because as I pointed out at the meeting, if the scope name is not global to the community using it, then two entities may understand the scope but place different interpretations on it. So all the interacting entities need to have a common understanding of the scope.
-
The consensus to remove the prefixes is recorded in the 23-Jun-22 call notes.
-
Recording a comment from Torsten in a ML here:
Just removing the prefix is not sufficient. Explanation: the way the spec works right now, the prefix shall be used by the issuer to determine it is a scope about issuance and determine the credential type from the rest of the scope value. That no longer works if the prefix is removed. Instead it would require a pre-registration or standardization of scope values, which resolve to a meaningful credential issuance authorization request. That’s basically fine with me (and I’m thinking about the same for presentation already) but requires a more significant change.
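An added example (not code from the thread or the OpenID4VC spec) contrasting the two interpretations of the `scope` parameter that the comment above describes: the prefixed form, where the issuer derives the credential type from the string, and the unprefixed form, where values only mean something through prior agreement, modelled here by a constructed registry; the function names and the registry shape are assumptions.

```python
# Added example, not code from the issue thread or the OpenID4VC spec.
# Function names and the registry shape are assumptions for illustration.
from __future__ import annotations

PREFIX = "openid_credential:"


def parse_structured_scopes(scope: str) -> list[str]:
    """Prefixed form: the issuer recognises issuance scopes by the prefix
    and takes the credential type from the remainder of the value."""
    types = []
    for value in scope.split():
        if value.startswith(PREFIX) and len(value) > len(PREFIX):
            types.append(value[len(PREFIX):])
        # Anything else ("openid", "profile", ...) is not an issuance scope.
    return types


def resolve_registered_scopes(
    scope: str, issuance_scopes: dict[str, str], other_scopes: frozenset[str]
) -> list[str]:
    """Unprefixed form: the string alone carries no meaning, so every value
    must be pre-registered. issuance_scopes maps a scope value to the
    credential type it stands for (a constructed stand-in for whatever the
    parties agree on, e.g. via scopes_supported); other_scopes lists known
    non-issuance scopes. An unknown value is rejected rather than guessed,
    since without the prefix nothing in the value says it is about issuance."""
    types = []
    for value in scope.split():
        if value in issuance_scopes:
            types.append(issuance_scopes[value])
        elif value not in other_scopes:
            raise ValueError(f"scope not agreed between the parties: {value}")
    return types


# Constructed sample registry for one issuer.
SAMPLE_ISSUANCE_SCOPES = {"UniversityDegree": "UniversityDegree_JWT"}
SAMPLE_OTHER_SCOPES = frozenset({"openid"})

if __name__ == "__main__":
    print(parse_structured_scopes("openid openid_credential:UniversityDegree_JWT"))
    print(resolve_registered_scopes("openid UniversityDegree",
                                    SAMPLE_ISSUANCE_SCOPES, SAMPLE_OTHER_SCOPES))
```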
-
- changed status to resolved
PR merged
Ditching the prefix would be MUCH better. I know that AAD, for instance, cannot handle scopes with colons in them. (Yes, this is an implementation deficiency. We learned that when we discovered that AAD also can’t support FHIR structured scopes.)
If we need a new parameter, define a new parameter. Don’t try to wedge parameters into structured scope values.