How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials
- 1. How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes
- 2. What is Decentralized Identity? Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions ● The User presenting the Identity data directly to the Verifier from the Wallet ○ <> In the federated model where Identity data is sent directly from the IdP to the Verifier ● Usually expressed with the flow below:
- 3. Verifiable Credentials: Benefits ● End-Users gain more privacy, and portability over their identity information. ● Cheaper, faster, and more secure identity verification, when transforming physical credentials into digital ones. ● Universal approach to handle identification, authentication, and authorization in digital and physical space
- 4. Why Protocol Layer Interoperability is Crucial. Issuer (Website) Credential Issuance Credential Presentation ● One entity needs to talk to the large the number of entities, to increase the value of “Decentralized Identity”. Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Wallet (user’s device, cloud or hybrid) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Verifier (Website) User Interactions
- 5. Problems we identified and how we solved them Problem Solution A lot of entirely new Protocols. (Hard to get security right, steep learning curve) ⇒ Building upon currently widely used protocols: OAuth 2.0 and OpenID Connect. (Secure, already understood) No clear winner among Credential Formats ⇒ Designing a Credential Format agnostic protocol Reluctance to use only DIDs. No clear winner among DID methods ⇒ Designing a protocol agnostic to the Key Resolution mechanism. (No need to use DIDs) Participating entities cannot typically establish trust upfront, using traditional mechanisms. ⇒ Flexibility in Trust Management. Third Party Trust.
- 6. OpenID for Verifiable Credential Issuance ...so here comes OpenID for Verifiable Credentials! Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions OpenID for Verifiable Presentations Self-Issued OP v2
- 7. Adoption (selected use-cases) - The European Digital Identity Wallet Architecture and Reference Framework (eIDAS ARF/EUDIW) requires OID4VCI, OID4VP and SIOPv2 for online use-cases - DIF JWT VC Presentation Profile uses OID4VP for request and presentation of W3C JWT VCs and SIOPv2 for user authentication. Implementers: Ping Identity, Microsoft, IBM, Spruce, Auth0, Gen Digital - NIST National Cybersecurity Center of Excellence plans to implement reference implementation for OID4VP to present mdocs/mDL (Landing page, Project description (draft) )
- 8. ● Walt.id ○ https://github.com/walt-id/waltid-ssikit (Kotlin) ● Sphereon ○ https://github.com/Sphereon-Opensource/SIOP-OpenID4VP (Typescript) ○ https://github.com/Sphereon-Opensource/OpenID4VCI-client (Typescript) ○ https://github.com/Sphereon-Opensource/ssi-sdk (Typescript) ● Microsoft ○ https://github.com/microsoft/VerifiableCredential-SDK-Android (Kotlin) ○ https://github.com/microsoft/VerifiableCredential-SDK-iOS (Swift) ● Spruce ○ https://github.com/spruceid/oidc4vci-rs (Rust) ○ https://github.com/spruceid/oidc4vci-issuer (Rust) ● EBSI Open Source projects
- 9. Let us tell you more about the protocol
- 10. OpenID for Verifiable Credential Issuance (Highlights) - It’s an OAuth-protected API (Credential Endpoint at the Resource Server) - Supports various Security levels (including high security with hardware bound keys) - Various business requirements supported - remote and in-person provisioning - deferred and batch provisioning - Different user-experiences can be achieved - multiple ways to initiate the flow - Issuer can check Wallet’s capabilities & Wallet can discover Issuer metadata
- 11. Wallet Alice ⓪ Wallet requests & User authorizes credential issuance ③ Credential is issued ① access token(, refresh token) ② Wallet requests credential issuance Protocol Flow Credential Issuer
- 14. OpenID for Verifiable Presentations (Highlights) - Designed for high degree of privacy - Supports various Security levels (e.g. mutual authentication among the parties) - Different user-experience can be achieved (same-device and cross-device) - Presentation of multiple Credentials supported - Various Wallet deployment models supported - All local to a native app - Cloud Wallet with a backend - Browser wallet
- 17. Features of OpenID for Verifiable Credentials 1) It is NOT only about W3C Verifiable Credentials. 2) Does not require the usage of DLT (or Blockchain). 3) We are an open standardization community. Implementer’s feedback is incorporated in an agile and transparent manner. 4) It is modular and flexible to cater for the needs of different legislations and use-cases. 5) Complemented by active work on profiles to help the developers interoperate is ongoing.
- 18. OpenID for Verifiable Credential Issuance New additions to the family coming! Self-Issued OP v2 OpenID for Verifiable Presentations OpenID for Verifiable Presentations over BLE Security and Trust in OpenID for Verifiable Credentials Core specs additional specs Certification Suite High-Assurance Profile Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Issue Credentials Present Credentials User Interactions
- 19. Call to Action: Implement, Implement, Implement - Implement the specifications to unlock your use cases and provide us feedback! - The information can be found at https://openid.net/openid4vc/
Editor's Notes
- #12: Option 1: The Issuer is an IdP and can authenticate the user at the Authorization Endpoint => Authorization Code flow Option 2: The Issuer authenticates the user using mechanisms other than OAuth idP (upload a pdf remotely, present documents in-person, etc.) => Pre-authorized Code flow
- #13: three ways how to begin the issuance wallet already has information about which issuer can issue which credential wallet does not know, so the issuer needs to send “credential offer” with that information (can be communicated via QR code, SMS, etc.) Issuance during presentation
- #14: Issuer can issue right away: Credential endpoint. Issues one credential per request Issuer cannot issuer right away: Deferring possible Requirement is to issue multiple Credentials at the same time: Batch Credential endpoin.
- #15: Device where the Credentials are stored and where the user is interacting with the Verifier can be same or different leaned always towards a more privacy preserving design. (direct_post over code which requires backend)