OpenIDVPs: register vp_token response type

Issue #1557 resolved
Torsten Lodderstedt created an issue

No description provided.

Comments (9)

  1. Thomas Bellebaum

    Since OpenID4VP is an “addon” to OAuth and OIDC, we probably also want the following:

    • code vp_token
    • id_token vp_token
    • token vp_token
    • code id_token vp_token
    • code token vp_token
    • id_token token vp_token
    • code id_token token vp_token

    Why was this scheme chosen again? The registry currently lists any combination of code, id_token and token anyway…

  2. Torsten Lodderstedt reporter

    The verifier requests credential presentation via the presentation_definition request parameter.

    The new response type "vp_token" is only needed to fulfill OAuth protocol requirements for the case where the vp token is the only artifact the AS responds with. One just needs to specify something.

    In all other cases, there is a pre-existing response type, like "id_token" or "code", and the vp token is returned with the id token or the access token. So there is no need to register other response types and require verifiers to use them; it would just duplicate information.

    Note: returning access tokens in the front channel is discouraged by the OAuth Security BCP. Another reason not to do it.

  3. Thomas Bellebaum

    Take id_token vp_token as an example (a use case would be OpenID4VP over SIOP).
    This expects two tokens to be returned. Also, there are probably request parameters scope and credential_definition.

    By the logic above, we do not need to include vp_token in the response type, since we have a parameter called credential_definition.
    But by the same logic, we could instead also omit id_token, since we check for openid in the scope parameter.

    Applying the same logic to both seems more consistent.

  4. Kristina Yasuda

    +1 to Mike’s comment. We should not enable a whole list of combinations other than vp_token and vp_token id_token, and only those two should be registered.
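
What the verifier side of this design looks like in code, as an added example that is not from the OpenID4VP specification or from any of the commenters: it accepts only the two response types this thread converges on ("vp_token" and "vp_token id_token", compared as unordered sets, as OAuth response_type values are), carries the presentation_definition request parameter from comment 2, and on the return leg checks that exactly the artifacts implied by the response_type came back and that no access token or code was handed over in the front channel (the point comment 2 makes about the OAuth Security BCP). The endpoint, client and wallet values, the state handling and the presentation_definition contents are assumptions made for the example.

```python
# Added example (not the OpenID4VP spec's or the issue authors' code).
# Assumes: the two response types the thread settles on ("vp_token",
# "vp_token id_token"), the parameter names used in the thread
# (presentation_definition, vp_token, id_token) and standard OAuth
# state handling. Endpoint and client identifiers below are made up.
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


def canonical_response_type(response_type: str) -> str:
    """OAuth response_type is an unordered, space-separated set, so
    'id_token vp_token' and 'vp_token id_token' are the same value."""
    return " ".join(sorted(set(response_type.split())))


# Response types the thread proposes registering (comment 4).
REGISTERED_RESPONSE_TYPES = {
    canonical_response_type("vp_token"),
    canonical_response_type("vp_token id_token"),
}

# Artifacts the front channel must carry for each registered type.
# Comment 2: "vp_token" alone exists only so the VP can be the sole
# artifact; otherwise the VP rides along with the id_token.
ARTIFACTS = {
    "vp_token": {"vp_token"},
    "id_token vp_token": {"id_token", "vp_token"},
}

# Artifacts that must never show up: an access token in the front
# channel is what comment 2 cites the OAuth Security BCP against, and
# "code" is not part of any registered combination with vp_token.
FORBIDDEN = {"access_token", "code"}


def build_authorization_request(authz_endpoint, client_id, redirect_uri,
                                response_type, presentation_definition):
    """Return (url, state). Rejects response types the registry lacks."""
    canonical = canonical_response_type(response_type)
    if canonical not in REGISTERED_RESPONSE_TYPES:
        raise ValueError(f"unregistered response_type: {response_type!r}")
    state = secrets.token_urlsafe(16)  # binds the response to this request
    params = {
        "response_type": canonical,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        # The VP is requested through this parameter, not the response_type.
        "presentation_definition": json.dumps(presentation_definition,
                                              separators=(",", ":")),
    }
    if "id_token" in canonical:
        params["scope"] = "openid"  # an id_token requires the openid scope
    return f"{authz_endpoint}?{urlencode(params)}", state


def validate_authorization_response(params, response_type, expected_state):
    """Return the artifacts for response_type, or raise on a bad response."""
    canonical = canonical_response_type(response_type)
    if canonical not in ARTIFACTS:
        raise ValueError(f"unregistered response_type: {response_type!r}")
    if "error" in params:
        raise ValueError(f"authorization error: {params['error']}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    keys = set(params)
    forbidden = FORBIDDEN & keys
    if forbidden:
        raise ValueError(f"front-channel artifact not allowed: {sorted(forbidden)}")
    required = ARTIFACTS[canonical]
    missing = required - keys
    if missing:
        raise ValueError(f"missing artifacts for {canonical!r}: {sorted(missing)}")
    # An artifact we did not ask for (an id_token on a plain vp_token
    # request) means the wallet misread the request; reject rather than
    # silently consume it.
    unexpected = (ARTIFACTS["id_token vp_token"] - required) & keys
    if unexpected:
        raise ValueError(f"unexpected artifacts: {sorted(unexpected)}")
    return {name: params[name] for name in required}


def parse_redirect(url):
    """Front-channel artifacts arrive in the fragment (or the query)."""
    parts = urlsplit(url)
    raw = parts.fragment or parts.query
    return {k: v[0] for k, v in parse_qs(raw, strict_parsing=True).items()}


if __name__ == "__main__":
    # Constructed sample: a verifier asks for a VP and nothing else.
    pd = {"id": "pd1", "input_descriptors": [{"id": "id_credential"}]}
    url, state = build_authorization_request(
        "https://wallet.example/authorize", "verifier.example",
        "https://verifier.example/cb", "vp_token", pd)
    print(url)
    # Constructed wallet redirect: the fragment carries the VP and state.
    reply = f"https://verifier.example/cb#vp_token=eyJ.vp.sig&state={state}"
    print(validate_authorization_response(parse_redirect(reply), "vp_token", state))
```

Because the registry check runs on the canonical form, a request for "id_token vp_token" and one for "vp_token id_token" are treated identically, while "code vp_token" or "token vp_token" (the combinations Thomas listed) are refused before a request is ever sent, and a wallet that returns an access token is refused on the way back.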

  5. Kristina Yasuda

    There is an IANA registry for vp_token. Let's open a separate issue once we are closer to final and are ready to actually register with IANA.
