- edited description
[has-PR] Clarify how silent credential refresh is done in OpenID4VCI
Issue #1552
resolved
-
Wallet uses Access Token to send Credential Request to the Credential Endpoint
- if Refresh Token is used, need to exchange it with a fresh Access Token at Token Endpoint first
- long-lived Access Token can be used directly
-
can be issuer initiated or wallet initiated
- issuer initiated where issuer communicates to the wallet the need to refresh credential
- wallet initiated is when the wallet initiates refresh request to the credential endpoint - there may or may not be a refreshed credential available at the issuer
-
No need for the User Interaction as long as user has given consent to refresh in the original Authorization Request - Access Token embodies that consent
- yes, wallet would need to store Access Tokens/Refresh Tokens per credential
- difference btw refresh and re-issuance would be whether user interaction/consent is needed or not
(needs PR)
Comments (9)
-
reporter
-
I would supplement the above with
- no need for user interaction as long as the credential has not changed, and
- difference between refresh and re-issuance is whether the credential has changed or not.
-
have we determined that a method exists for an issuer to initiate an interchange with a wallet?
-
I’d also clarify that if DPoP enabled access tokens are being used, then they may be issued for longer period of time and negate the need for a refresh token.
-
reporter
-
reporter
-
assigned issue to
Kristina Yasuda
-
assigned issue to
-
reporter
- changed title to [has-PR] Clarify how silent credential refresh is done in OpenID4VCI
-
reporter
- changed status to open
-
reporter
- changed status to resolved
PR #261 merged
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- Credential Issuance
- Milestone
- Implementer's Draft
- Version
- –
- Votes
- 0
- Watchers
- 1
