SlideShare a Scribd company logo

OpenID Connect for W3C Verifiable Credential Objects

Download as PPTX, PDF
T
Torsten Lodderstedt

This document discusses proposals for supporting the request and presentation of verifiable credentials in OpenID Connect. It presents three options for delivering verifiable credentials/presentations: 1) embedding the entire credential/presentation in a JWT claim in the ID token, 2) using aggregated or distributed claims to include the credential/presentation, or 3) using a separate "VP token" artifact containing the credential/presentation along with an ID token. The document analyzes the pros and cons of each approach and seeks feedback on the best option to pursue as well as next steps like discussing with the Connect working group and incorporating encryption.

Internet
1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
OpenID Connect for W3C Verifiable Credential Objects IIW Spring 2021 Kristina Yasuda, Oliver Terbu, Torsten Lodderstedt, Adam Lemmon, Tobias Looker
Objectives - Support request and presentation of Verifiable Credentials in ID Tokens and Userinfo responses - Usable with all OpenID Connect Flows (SIOP, code, CIBA, …) - Leverage OpenID Connect as simple to use protocol for wallet integrations - Leverage W3C verifiable credentials to existing OpenID Connect deployments
Ideas - Request - via “claims” parameter - Simply claims or credential type or credential type + claims (selective disclosure) - 3 delivery options under discussion - 1) Define JWT claims to embed entire VP/VC in any format (awoie/vp-token-spec/pull/20) - https://github.com/Sakurann/vp-token-spec - 2) Aggregated & Distributed Claims (awoie/vp-token-spec/pull/23) - https://github.com/awoie/vp-token-spec/tree/adc - 3) VP Token as separate artifact + ID Token as Verifiable Presentation (current revision) - https://github.com/awoie/vp-token-spec
1) vp_jwt Claim parameters of ID Token
1) vp_ldp Claim parameters of ID Token
1) vc_jwt Claim parameters of ID Token Under discussion whether VCs can be directly embedded inside the ID Token.
1) vc_ldp Claim Under discussion whether VCs can be directly embedded inside the ID Token. parameters of ID Token
2) Aggregated Claims VP present in value
2) Distributed Claims Endpoint from which the VP can be retrieved
2) Distributed Claims - Obtain VP
3) Separate artifact - ‘VP Token’ ID Token contains a `vp_hash` ‘VP Token’ contains an entire VP `claims` parameter in the request
Pros and Cons: processing, RP adoption 1) Independent Claims for each proof type 2) Extended Aggregated/Distributed Claims (ADC) Syntax 3) Separate Artifact `VP Token` Pros - Standard extension point works with existing libraries. - VC/VP claims can be processed by the same generic JWT code that handles any other kind of optional claim - Explicit distinction of proof format and claim content - Extensibility via existing OIDC ADC syntax - Clear separation between OIDC assertion and VC/VP - Flexible re request (standard claims or VC/VP) and delivery (embedded or separate VC/VP) - Clear separation of new artifacts VPs/VCs from OIDC claims/contests (processing rules) - Could support vp_token only use cases (via new response type) Cons - The ID token signature over vp_jwt/vc_jwt could be misconceived to turn ID token into a VC/VP - ID Token must carry claims in addition to authentication data in case of implicit flow (no userinfo available) - RPs must inspect each container item to determine how to process the claim (dictionary can be added) - Some additions to the libraries to support new properties of ADC syntax - VP/VC claims carried in different way than other claims - Requires (significant) changes to existing libraries - standalone vp_tokens cannot be protected using established OIDC means
Next Steps ● Discuss and decide delivery method ● Ask Connect WG for adoption ● Incorporate encryption (e.g. confidentiality protection in case where OP is just a cloud agent)
Discussion ;-)
Requests
Request for Verifiable Presentation (Type)
Request for Verifiable Presentation (Type and Claims)
“Just” Request Claims

More Related Content

PPTX
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
PDF
OpenID for SSI
Torsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials (IIW 35)
Torsten Lodderstedt
 
PDF
OpenID Connect 4 SSI
Torsten Lodderstedt
 
PDF
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
PDF
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
SSIMeetup
 
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for SSI
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
Torsten Lodderstedt
 
OpenID Connect 4 SSI
Torsten Lodderstedt
 
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
SSIMeetup
 

What's hot (20)

PDF
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
PDF
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PPTX
IBM: Hey FIDO, Meet Passkey!.pptx
FIDO Alliance
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PDF
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PPTX
FIDO Workshop-Demo Breakdown.pptx
FIDO Alliance
 
ODP
Overview of Decentralized Identity
Jim Flynn
 
PDF
FIDO2 Specifications Overview
FIDO Alliance
 
PDF
FIDO2 & Microsoft
FIDO Alliance
 
PDF
What is self-sovereign identity (SSI)?
Evernym
 
PDF
Web Authentication API
FIDO Alliance
 
PPTX
HSM Key change flow using thales
Galih Lasahido
 
PDF
Verifiable credentials explained by CCI
Kaliya "Identity Woman" Young
 
PDF
Blockchain, Self-Sovereign Identity and Credentials
StrategyWorks
 
PDF
Google & FIDO Authentication
FIDO Alliance
 
PDF
Digital Identity Wallets: What They Mean For Banks
Evernym
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
An Introduction to OAuth2
Aaron Parecki
 
IBM: Hey FIDO, Meet Passkey!.pptx
FIDO Alliance
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
Demystifying OAuth 2.0
Karl McGuinness
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Alliance
 
Overview of Decentralized Identity
Jim Flynn
 
FIDO2 Specifications Overview
FIDO Alliance
 
FIDO2 & Microsoft
FIDO Alliance
 
What is self-sovereign identity (SSI)?
Evernym
 
Web Authentication API
FIDO Alliance
 
HSM Key change flow using thales
Galih Lasahido
 
Verifiable credentials explained by CCI
Kaliya "Identity Woman" Young
 
Blockchain, Self-Sovereign Identity and Credentials
StrategyWorks
 
Google & FIDO Authentication
FIDO Alliance
 
Digital Identity Wallets: What They Mean For Banks
Evernym
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Ad

Similar to OpenID Connect for W3C Verifiable Credential Objects (20)

PPTX
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PPTX
Jeremy Cowan's AWS user group presentation "AWS Greengrass & IoT demo"
AWS Chicago
 
PDF
VocBench 2.0: A Web Application for Collaborative Development of Multilingual...
AIMS (Agricultural Information Management Standards)
 
PDF
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
Chris Munns
 
PPTX
Day6
madamewoolf
 
PDF
PolygonID Zero-Knowledge Identity Web2 & Web3
SSIMeetup
 
PDF
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
PDF
CertsOut Cisco-350-701 SCOR Exam Dumps PDF
Dumps Cafe
 
PDF
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer Demand
Cisco IT
 
PPTX
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
PDF
Deciphering 'Claims-based Identity'
Oliver Pfaff
 
PPTX
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Joris Poelmans
 
PDF
Demystify blockchain development with hyperledger fabric
Benjamin Fuentes
 
PPT
SOA Security - So What?
Oliver Pfaff
 
PDF
Digital Locker Dedicated Repository Api Specification v1 4
DigiLocker
 
PDF
Digital Locker Dedicated Repository API Specification v1 4
Amit Ranjan
 
PPTX
Debugging Microservices - QCON 2017
Idit Levine
 
PDF
ISO mdoc 101 session presented to Internet Identity Workshop IIW (IIWXXXIX)
Andrew Hughes
 
PDF
Orion context broker webminar 2013 06-19
Fermin Galan
 
PDF
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
Jeremy Cowan's AWS user group presentation "AWS Greengrass & IoT demo"
AWS Chicago
 
VocBench 2.0: A Web Application for Collaborative Development of Multilingual...
AIMS (Agricultural Information Management Standards)
 
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
Chris Munns
 
Day6
madamewoolf
 
PolygonID Zero-Knowledge Identity Web2 & Web3
SSIMeetup
 
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
CertsOut Cisco-350-701 SCOR Exam Dumps PDF
Dumps Cafe
 
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer Demand
Cisco IT
 
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
Deciphering 'Claims-based Identity'
Oliver Pfaff
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Joris Poelmans
 
Demystify blockchain development with hyperledger fabric
Benjamin Fuentes
 
SOA Security - So What?
Oliver Pfaff
 
Digital Locker Dedicated Repository Api Specification v1 4
DigiLocker
 
Digital Locker Dedicated Repository API Specification v1 4
Amit Ranjan
 
Debugging Microservices - QCON 2017
Idit Levine
 
ISO mdoc 101 session presented to Internet Identity Workshop IIW (IIWXXXIX)
Andrew Hughes
 
Orion context broker webminar 2013 06-19
Fermin Galan
 
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
Ad

More from Torsten Lodderstedt (15)

PDF
The European Union goes Decentralized
Torsten Lodderstedt
 
PPTX
GAIN Presentation.pptx
Torsten Lodderstedt
 
PPTX
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
PDF
Comprehensive overview FAPI 1 and 2
Torsten Lodderstedt
 
PDF
OpenID Connect 4 Identity Assurance at IIW #32
Torsten Lodderstedt
 
PPTX
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
PPTX
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
PDF
Rich Authorization Requests
Torsten Lodderstedt
 
PDF
Pushed Authorization Requests
Torsten Lodderstedt
 
PDF
OpenID Connect for Identity Assurance
Torsten Lodderstedt
 
PPTX
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
PPTX
Identiverse: PSD2, Open Banking, and Technical Interoperability
Torsten Lodderstedt
 
PDF
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 
PDF
OAuth Security 4 Dummies iiw#27
Torsten Lodderstedt
 
PDF
Identity Proofing with OpenID Connect
Torsten Lodderstedt
 
The European Union goes Decentralized
Torsten Lodderstedt
 
GAIN Presentation.pptx
Torsten Lodderstedt
 
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
Comprehensive overview FAPI 1 and 2
Torsten Lodderstedt
 
OpenID Connect 4 Identity Assurance at IIW #32
Torsten Lodderstedt
 
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
Rich Authorization Requests
Torsten Lodderstedt
 
Pushed Authorization Requests
Torsten Lodderstedt
 
OpenID Connect for Identity Assurance
Torsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Torsten Lodderstedt
 
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 
OAuth Security 4 Dummies iiw#27
Torsten Lodderstedt
 
Identity Proofing with OpenID Connect
Torsten Lodderstedt
 

Recently uploaded (20)

PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PPTX
E -tech empowerment technologies PowerPoint
kylebalatero12
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
E -tech empowerment technologies PowerPoint
kylebalatero12
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
artificial intelligence overview of it and more
yafotin445
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 

OpenID Connect for W3C Verifiable Credential Objects

  • 1. OpenID Connect for W3C Verifiable Credential Objects IIW Spring 2021 Kristina Yasuda, Oliver Terbu, Torsten Lodderstedt, Adam Lemmon, Tobias Looker
  • 2. Objectives - Support request and presentation of Verifiable Credentials in ID Tokens and Userinfo responses - Usable with all OpenID Connect Flows (SIOP, code, CIBA, …) - Leverage OpenID Connect as simple to use protocol for wallet integrations - Leverage W3C verifiable credentials to existing OpenID Connect deployments
  • 3. Ideas - Request - via “claims” parameter - Simply claims or credential type or credential type + claims (selective disclosure) - 3 delivery options under discussion - 1) Define JWT claims to embed entire VP/VC in any format (awoie/vp-token-spec/pull/20) - https://github.com/Sakurann/vp-token-spec - 2) Aggregated & Distributed Claims (awoie/vp-token-spec/pull/23) - https://github.com/awoie/vp-token-spec/tree/adc - 3) VP Token as separate artifact + ID Token as Verifiable Presentation (current revision) - https://github.com/awoie/vp-token-spec
  • 6. 1) vc_jwt Claim parameters of ID Token Under discussion whether VCs can be directly embedded inside the ID Token.
  • 7. 1) vc_ldp Claim Under discussion whether VCs can be directly embedded inside the ID Token. parameters of ID Token
  • 9. 2) Distributed Claims Endpoint from which the VP can be retrieved
  • 11. 3) Separate artifact - ‘VP Token’ ID Token contains a `vp_hash` ‘VP Token’ contains an entire VP `claims` parameter in the request
  • 12. Pros and Cons: processing, RP adoption 1) Independent Claims for each proof type 2) Extended Aggregated/Distributed Claims (ADC) Syntax 3) Separate Artifact `VP Token` Pros - Standard extension point works with existing libraries. - VC/VP claims can be processed by the same generic JWT code that handles any other kind of optional claim - Explicit distinction of proof format and claim content - Extensibility via existing OIDC ADC syntax - Clear separation between OIDC assertion and VC/VP - Flexible re request (standard claims or VC/VP) and delivery (embedded or separate VC/VP) - Clear separation of new artifacts VPs/VCs from OIDC claims/contests (processing rules) - Could support vp_token only use cases (via new response type) Cons - The ID token signature over vp_jwt/vc_jwt could be misconceived to turn ID token into a VC/VP - ID Token must carry claims in addition to authentication data in case of implicit flow (no userinfo available) - RPs must inspect each container item to determine how to process the claim (dictionary can be added) - Some additions to the libraries to support new properties of ADC syntax - VP/VC claims carried in different way than other claims - Requires (significant) changes to existing libraries - standalone vp_tokens cannot be protected using established OIDC means
  • 13. Next Steps ● Discuss and decide delivery method ● Ask Connect WG for adoption ● Incorporate encryption (e.g. confidentiality protection in case where OP is just a cloud agent)
  • 16. Request for Verifiable Presentation (Type)
  • 17. Request for Verifiable Presentation (Type and Claims)

Editor's Notes

  • #6: claim names in JSON-LD,
  • #8: claim names in JSON-LD,