Multiple credentials of the same type

Issue #1601 resolved
David W Chadwick created an issue

Some issuers may issue multiple credentials of the same type. Examples include: two almost identical passports, one used by the holder to visit Israel and the other to visit Iran; or a current credit card that expires next month and a second one that starts the following month.

The current issuing API does not cater for this as the wallet can only specify the credential type and the issuer can only return a single credential. One solution would be to allow the issuer to return an array of credentials of the same type and format.

Comments (16)

  1. Kristina Yasuda

    I do not understand the use-case. Why would the issuer want to issue two same passports or two same credit cards to the same user - that sounds like a credential lifecycle management nightmare.

    Plus I do not think we need a separate issue for this, and this is in scope for issue #1544 and how we define “complicated credential endpoint”.

  2. David W Chadwick reporter

    I am sorry if you do not understand the use cases, but I am sure many of us have had the same credit card issued by the same bank when one is due to expire. However, here is another use case. A very clever person has two degrees from the same university. All the details are the same except the topic of the degree.

    Why this is a separate issue is that it relates to the existing issuing endpoint which specifies the credential type but only allows one credential to be returned. So regardless of the outcome of #1544, even if it is rejected, this issue will need to be addressed since the user has no way to differentiate between the two credentials of the same type and the issuer can only return one of them.

  3. Tobias Looker

    Examples include: two almost identical passports, once used by the holder to visit Israel and the other to visit Iran;

    Can you elaborate on how these are different? Are the claims the same?

  4. David W Chadwick reporter

    Yes the claims are the same. The UK government does this so that the holder can get a visa in one passport for one country and a visa in the other passport for another country that is an enemy of the first country. It would not be possible for the person to travel to both countries using the same passport with both visas in it.

  5. Tobias Looker

    A wallet can already request two copies of a credential with the same access_token, so I'm unsure why this isn't already possible?

  6. David W Chadwick reporter

    Because the request only contains the credential_type parameter and has no way of differentiating between two credentials of the same type. So if the wallet makes two requests, does the issuer return the same credential each time, or cycle through the ones it has (remembering which one it sent last time)? Or does it return both in a set?

  7. Tobias Looker

    IMO the expected behaviour of the credential endpoint is that each request returns a credential based on the request; multiple requests with the same access_token requesting the same claims for the same credential type should yield two copies of a credential that contain the same information but unique issuer signatures. The behaviour is similar to the token endpoint in OAuth2, where if you make a token request with the same grant you get a unique access token issued.

  8. David W Chadwick reporter

    Yes it might, if the multiple requests contain as you say “the same access_token requesting the same claims for the same credential type” this will satisfy this issue. But currently the request does not contain the claims. If we add the required claims to the credential request then different claims for the same type would allow the university to determine which degree topic was required, using the same claims with different expiry dates would allow the parties to differentiate between credit cards with different expiry dates, and using identical everything would allow the government to issue two identical passports with different signatures and then the user could swap between them when requesting visas for different countries.

  9. Tobias Looker

    Sorry, so just to clarify: the gap you are citing is that the credential request doesn't allow the client/wallet to downscope their credential request to a subset of claims offered for the specific credential type it is requesting?

  10. Kristina Yasuda

    I am sure many of us have had the same credit card issued by the same bank when one is due to expire. However, here is another use case. A very clever person has two degrees from the same university.

    In both of the use-cases, I am quite sure the wallet will be using a different access token to get both credentials. I doubt an access token used to get a credit card or Diploma A from a few years ago will still be valid to get a replacement credit card or another diploma.

    If an issuer is not sure which claims to put into a credential of the same type, the issuer re-authenticates the user and issues what is compliant to the issuer's policy. So I don't think any changes to the spec are needed.

  11. David W Chadwick reporter

    @Tobias: Yes, the current credential request is deficient in that it does not allow the wallet to be precise enough in informing the issuer which credential it actually wants. (There is another related issue about optional attributes that still needs to be addressed, so addressing that might resolve this issue as well - or vice versa.)

  12. Kristina Yasuda

    the wallet can only specify the credential type and the issuer can only return a single credential. One solution would be to allow the issuer to return an array of credentials of the same type and format.

    This is solved by the batch credential endpoint. Will close when that PR is merged.

    The conversation also relates to the credential type-format discussion in another PR/issue, where the current direction is separate credential types per format.

    I am not supportive of allowing the issuer to issue any credential format into the wallet without the wallet explicitly asking for that format. The wallet being able to correctly generate a presentation is at the core of the security model of this new architecture, and the wallet being able to handle each credential format correctly is fundamental to that.

  13. David W Chadwick reporter

    Sorry Kristina but the batch credential endpoint does not solve this issue because credential type and format alone are not sufficient to differentiate between two credentials with different claims e.g. two university degrees with different degree courses studied. The only solution that I can see is that the wallet specifies the claims that it wants in the request for a credential.
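
The selection problem David describes in comments 8 and 13 (a type-only request cannot tell two degrees apart, while a request that names a distinguishing claim can, and two identical passports become two issuances with distinct signatures), worked as an added Python example. This is not code from the thread, from OpenID4VCI, or from any implementation: the request shape (`{"type": ..., "claims": {...}}`), the sample credential store, the `ISSUER_KEY` placeholder and the HMAC stand-in for the issuer's real signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredCredential:
    """One credential the issuer is prepared to issue to this holder."""
    type: str
    claims: dict


class AmbiguousRequest(Exception):
    """More than one stored credential matches the request."""


class NoMatch(Exception):
    """No stored credential matches the request."""


# Constructed sample data (not from the thread): one subject holds two degrees
# from the same university, identical apart from the degree topic, and one
# passport that the government is willing to issue more than once.
UNIVERSITY_STORE = [
    StoredCredential("UniversityDegree",
                     {"given_name": "Ann", "family_name": "Lee", "degree": "Physics", "year": 2015}),
    StoredCredential("UniversityDegree",
                     {"given_name": "Ann", "family_name": "Lee", "degree": "Philosophy", "year": 2019}),
]
PASSPORT_STORE = [
    StoredCredential("Passport",
                     {"given_name": "Ann", "family_name": "Lee", "number": "123456789", "expiry": "2031-05-01"}),
]
ISSUER_KEY = b"issuer-secret-key-for-demo-only"  # placeholder, not a real signing key


def select_candidates(store, requested_type, requested_claims=None):
    """Return every stored credential of the requested type whose claims agree
    with each (name, value) pair the wallet asked for. An empty or absent
    claims map matches on type alone, which is what a type-only request does."""
    requested_claims = requested_claims or {}
    return [
        cred for cred in store
        if cred.type == requested_type
        and all(cred.claims.get(name) == value for name, value in requested_claims.items())
    ]


def sign(cred, key):
    """Mint one issued instance. A fresh nonce goes into the signed payload, so
    two issuances of the same stored credential carry different signatures.
    The HMAC is a stand-in for the issuer's actual signature algorithm."""
    payload = {"type": cred.type, "claims": cred.claims, "nonce": os.urandom(16).hex()}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "signature": hmac.new(key, body, hashlib.sha256).hexdigest()}


def issue(store, request, key=ISSUER_KEY):
    """Resolve a credential request to exactly one stored credential and sign it.
    Request shape (assumed): {"type": "...", "claims": {name: value, ...}}."""
    candidates = select_candidates(store, request["type"], request.get("claims"))
    if not candidates:
        raise NoMatch(f"no {request['type']} credential matches {request.get('claims')}")
    if len(candidates) > 1:
        raise AmbiguousRequest(
            f"{len(candidates)} {request['type']} credentials match; "
            "the request must name claims that distinguish them")
    return sign(candidates[0], key)


def demo():
    """Walk through the thread's cases and return the outcomes as a dict."""
    results = {}
    # Type only: the university cannot tell which degree is wanted.
    try:
        issue(UNIVERSITY_STORE, {"type": "UniversityDegree"})
        results["type_only"] = "issued"
    except AmbiguousRequest:
        results["type_only"] = "ambiguous"
    # Type plus a distinguishing claim selects exactly one credential.
    results["physics"] = issue(UNIVERSITY_STORE,
                               {"type": "UniversityDegree", "claims": {"degree": "Physics"}})
    # Two identical passports: two requests, same claims, two distinct signatures.
    first = issue(PASSPORT_STORE, {"type": "Passport"})
    second = issue(PASSPORT_STORE, {"type": "Passport"})
    results["passports_same_claims"] = first["payload"]["claims"] == second["payload"]["claims"]
    results["passports_distinct_signatures"] = first["signature"] != second["signature"]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `AmbiguousRequest` branch is the gap the thread is about: with only a type in the request the issuer has to either pick arbitrarily, remember what it sent last time, or refuse, and none of those lets the wallet say which degree it wants. Matching on claim values is one way to close it; the batch endpoint alone does not, because it still keys on type and format.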
