Do new entity types required for OID4VP/SIOPv2 to use Entity Statements defined in OpenID Federation?

Issue #1781 resolved
Kristina Yasuda created an issue

Brought up during the Connect call. I am honestly not sure. MikeJ said it is up to the editors of OID4VP. Guidelines on how to think about the need would be appreciated.

Comments (13)

  1. Giuseppe De Marco

    OIDC Federation:

    1. allows new metadata types to be defined to support use cases outside OpenID Connect federations.
    2. The metadata type identifier will uniquely identify which metadata specification to utilize.
    3. The metadata document MUST be a JSON object. Beyond that, there is no restriction.

    That said, I can imagine this in an Entity Configuration:

    "metadata" : {
        "openid_self_issued_provider": {},
        "openid_credential_issuer": {}
    }
    

    even if openid_credential_issuer may simply be configured as oauth_authorization_server.
    This should also be valid for OpenID4VP; it could be defined as oauth_authorization_server.

  2. Kristina Yasuda reporter

    So I guess the recommendation is to define it in the OpenID4VC specs if needed?

    PS: openid_credential_issuer should not use oauth_authorization_server, because it is a resource server and has a separate metadata file from the AS per the VCI spec.

  3. Giuseppe De Marco

    Good, I wrote it, then I deleted it, and that was right: optionally mixed with oauth_resource (OAuth protected resource) if both services are on the same entity. It all adds up, thank you for the hint.

  4. Giuseppe De Marco

    Regarding the OIDC Federation Entity Type oauth_resource, [here](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-5.1.2) I read:

    If the Credential Issuer metadata contains an authorization_server property, it is RECOMMENDED to use a resource parameter [RFC8707] 
    whose value is the Credential Issuer's identifier value to allow the AS to differentiate credential issuers.
    

    @Kristina what about including an example or some guidance in the Metadata section [here](https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html#section-10) to clarify the role of the OAuth protected resource according to https://datatracker.ietf.org/doc/html/draft-jones-oauth-resource-metadata?

    Please correct me if something is wrong.
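    The following is an added example, not code from the thread, the OpenID Federation spec, or OpenID4VCI. It applies the three Federation rules quoted in comment 1 (a new metadata type is allowed, the type identifier selects the metadata spec, the metadata document must be a JSON object) to a constructed Entity Configuration, and then shows the RFC 8707 `resource` parameter quoted in comment 4 being derived from the `openid_credential_issuer` metadata. The Entity Configuration is shown as an unsigned claims set (signing with the entity's `jwks` is omitted), the `wallet_provider` entry only mirrors the type proposed later in this thread, and the `authorization_server` / `credential_issuer` property names follow the draft text quoted above; all values are made up.

```python
import json
from urllib.parse import urlencode

# Entity type identifiers registered by OpenID Federation itself.
FEDERATION_ENTITY_TYPES = {
    "federation_entity", "openid_relying_party", "openid_provider",
    "oauth_authorization_server", "oauth_client", "oauth_resource",
}
# Entity type identifiers defined outside Federation, as the spec allows:
# openid_credential_issuer (OpenID4VCI) plus the types proposed in this
# thread. Assumption for the example: these are the types this deployment
# knows how to interpret; anything else is reported as unknown.
EXTENSION_ENTITY_TYPES = {
    "openid_credential_issuer", "wallet_provider", "wallet_relying_party",
}

# Constructed Entity Configuration claims set (unsigned; the real thing is a
# JWT signed with a key from "jwks"). Note the Credential Issuer is NOT
# expressed as oauth_authorization_server: it is a resource server with its
# own metadata type, and it points at a separate AS.
ENTITY_CONFIGURATION = {
    "iss": "https://issuer.example.org",
    "sub": "https://issuer.example.org",
    "iat": 1674000000,
    "exp": 1674086400,
    "jwks": {"keys": []},
    "metadata": {
        "federation_entity": {"organization_name": "Example Issuer"},
        "openid_credential_issuer": {
            "credential_issuer": "https://issuer.example.org",
            "authorization_server": "https://as.example.org",
            "credential_endpoint": "https://issuer.example.org/credential",
        },
        "oauth_resource": {},
        "wallet_provider": {},
    },
}


def validate_metadata(metadata):
    """Check the "metadata" claim against the Federation rules.

    Returns (accepted, unknown): type identifiers this deployment knows, and
    identifiers it does not (allowed by the spec, but we cannot interpret
    them). Raises ValueError when a metadata document is not a JSON object.
    """
    if not isinstance(metadata, dict):
        raise ValueError("metadata must be a JSON object")
    accepted, unknown = [], []
    for entity_type, document in metadata.items():
        if not isinstance(document, dict):
            raise ValueError(
                f"metadata for {entity_type!r} must be a JSON object")
        if entity_type in FEDERATION_ENTITY_TYPES or entity_type in EXTENSION_ENTITY_TYPES:
            accepted.append(entity_type)
        else:
            unknown.append(entity_type)
    return accepted, unknown


def token_request_params(issuer_metadata, grant_params):
    """Build the form parameters a Wallet sends to the AS for this issuer.

    Following the OpenID4VCI text quoted above: when the Credential Issuer
    metadata names an authorization_server, add resource=<credential issuer
    identifier> (RFC 8707) so the AS can tell Credential Issuers apart.
    Returns (authorization_server, params); the token endpoint itself comes
    from the AS's own metadata and is not guessed here.
    """
    params = dict(grant_params)
    authorization_server = issuer_metadata.get("authorization_server")
    if authorization_server is None:
        # Issuer acts as its own AS: no separate audience to disambiguate.
        return issuer_metadata["credential_issuer"], params
    params["resource"] = issuer_metadata["credential_issuer"]
    return authorization_server, params


if __name__ == "__main__":
    accepted, unknown = validate_metadata(ENTITY_CONFIGURATION["metadata"])
    print("accepted:", accepted, "unknown:", unknown)
    grant = {
        "grant_type": "urn:ietf:params:oauth:grant-type:pre-authorized_code",
        "pre-authorized_code": "constructed-code-123",
    }
    as_id, params = token_request_params(
        ENTITY_CONFIGURATION["metadata"]["openid_credential_issuer"], grant)
    print("POST to token endpoint of", as_id)
    print(urlencode(params))
    print(json.dumps(ENTITY_CONFIGURATION["metadata"], indent=2))
```

    The validator deliberately does not reject unknown type identifiers: the spec permits new types, so a Trust Anchor or resolver that wants to restrict them would do so through metadata policy rather than by treating an unknown key as an error. A non-object value, on the other hand, violates the spec and is rejected outright.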

  5. Michael Jones

    It’s absolutely appropriate for specs other than the Federation spec to define any new entity types that they need.

    As discussed on the 13-Jan-23 Federation Editors' call, we believe the question asked in the issue has been answered. We plan to close this on that basis in a week unless a reason to keep it open is raised.

  6. Michael Jones

    A week has passed with no further comments. Closing during the 20-Jan-23 Federation Editors' call, as proposed last week.

  7. Kristina Yasuda reporter
    • changed status to open

    I think we were discussing whether we need text in the OpenID4VC specs, and I don't have an answer yet. It should not be closed yet.

  8. Giuseppe De Marco

    I've learned that Verifiers/RPs use "client_metadata" as defined in OpenID4VP. It's so wide... considering that it is just a VC verifier, but that would be another story.

    OpenID4VCI defines openid-credential-issuer and it makes sense.

    Then should we also have wallet_provider?

  9. Giuseppe De Marco

    The new entity types proposed, as a result of the implementers' experience, are listed below:

    • wallet_provider
    • wallet_relying_party

    while the wallet instance metadata should be carried in the wallet instance attestation.
