Presentation During Issuance #509
Conversation
Sakurann
requested review from
Sakurann,
awoie,
bc-pi,
c2bo,
cre8,
jogu,
paulbastian and
tlodderstedt
|
thank you! changes to the PAR section are editorial, and not related to presentation during issuance, right? |
|
Thank you for the proposal! From a business requirements point of view (financial services in this case), I can confirm that there is a requirement for the issuer to have the option to ensure that the credential to be issued ends up in the same wallet unit as where the other one was presented from, both without and with DC API. I also believe that in this presentation-during-issuance scenario, the issuer receives 2x key material from/for holder binding and 2x the WUA. Processing these could be a way to achieve the binding between presentation and issuance beyond a auth_session/presentation_during_issuance_session parameter. |
|
I don't think going via a new endpoint is necessary. It was done by following the first party draft approach, where the new endpoint gets the information via a post request. But since we already have the par endpoint, we can reuse it as it is. The only thing then to extend is the authorization error response I am not sure if this is a good practice since it the server could either return an error via 302 (current approach) or the 400 (new approach). Edit: I mixed up one approach, so pls forget my suggestion above. Going via a new endpoint sounds like a good way to got. Open question is what should the verifier return when the wallet is using the other endpoint (for some reasons) and not the new one. |
|
I think the Authorization Challenge Response should be more like the Pushed Authorization Request response, where a request URI is provided for the authorization endpoint. This way there is still issuer interactivity after the credential is presented to the issuer. This is needed for use cases where there are extra steps to perform, not just relying on the presentation of the credential, for example biometric face matching to ensure that the current user performing the action is the same person as described by the credential, or the user providing extra information for record matching. The use cases this would applicable to are for example:
|
Please also see requirement ACP_07 on https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/discussion-topics/k-combined-presentation-of-attestations.md for further context. |
This would make the cases where the issuer doesn't need interactivity weird I think. The issuer can already force interactivity assuming we do go ahead with the web flow fallback Daniel has proposed in the text, I think that would mean both cases are possible at the issuers discretion. |
PAR isn't mandatory in VCI. I think either the first party draft or Daniel's proposal could choose to reuse/mandate PAR, I don't think there's anything inherently different between the two. I think if we did reuse the PAR endpoint there are other things we'd need to think about, like giving the wallet a way to indicate if it is willing/able to do presentation during issuance perhaps. The first party draft also seems to be considering using the PAR endpoint: oauth-wg/oauth-first-party-apps#134 |
Co-authored-by: Joseph Heenan <joseph@authlete.com>
|
Discussed on today's WG call: People are happy with the general direction, Daniel to fill out the missing sections tomorrow. Should be extensible but we won't define how to solve other use cases in VCI 1.0. Referencing OID4VP security considerations make sense. Presenting during issuance using DC API can come in a later version of VCI once we have implementation experience. Gareth, Tobias to review on Thursday. |
Co-authored-by: Joseph Heenan <joseph@authlete.com>
Co-authored-by: Joseph Heenan <joseph@authlete.com>
Co-authored-by: Joseph Heenan <joseph@authlete.com>
| } | ||
| ``` | ||
|
|
||
| Once this phase of the Authorization process is completed, the Authorization Server MUST redirect back to the Wallet as per [@RFC6749]. If the Authorization process is complete when this redirect occurs, the Authorization Server returns a response with the `authorization_code` parameter as per Section 1.3.1 of [@RFC6749]. If the Authorization process is not complete when this redirect occurs, the Authorization Server returns a response with the `auth_session` parameter. In the event a Wallet receives a response from the Authorization Server which features the `auth_session` parameter, the Wallet MUST make a follow-up request as per (#follow-up-request) to continue the Authorization process. |
There was a problem hiding this comment.
What does "to the Wallet" mean here? To the redirect URI?
There was a problem hiding this comment.
"returns a response with" means that the parameter is appended to the redirect URI?
There was a problem hiding this comment.
Yes on both accounts here, what about.
Once this phase of the Authorization process is completed, the Authorization Server MUST redirect the user-agent back to the Wallet as per [@RFC6749]. If the Authorization process is complete when this redirect occurs, the Authorization Server returns the `authorization_code` based authorisation response as per Section 1.3.1 of [@RFC6749]. If the Authorization process is not complete when this redirect occurs, the Authorization Server returns an authorisation response with the `auth_session` parameter. In the event a Wallet receives a response from the Authorization Server which contains the `auth_session` parameter, the Wallet MUST make a follow-up request as per (#follow-up-request) to continue the Authorization process.
There was a problem hiding this comment.
The language around redirection I lifted from RFC 6749.
| } | ||
| ``` | ||
|
|
||
| Once this phase of the Authorization process is completed, the Authorization Server MUST redirect back to the Wallet as per [@RFC6749]. If the Authorization process is complete when this redirect occurs, the Authorization Server returns a response with the `code` parameter as per Section 1.3.1 of [@RFC6749]. If the Authorization process is not complete when this redirect occurs, the Authorization Server returns a response with the `auth_session` parameter. In the event a Wallet receives a response from the Authorization Server which features the `auth_session` parameter, the Wallet MUST make a follow-up request as per (#follow-up-request) to continue the Authorization process. |
There was a problem hiding this comment.
| Once this phase of the Authorization process is completed, the Authorization Server MUST redirect back to the Wallet as per [@RFC6749]. If the Authorization process is complete when this redirect occurs, the Authorization Server returns a response with the `code` parameter as per Section 1.3.1 of [@RFC6749]. If the Authorization process is not complete when this redirect occurs, the Authorization Server returns a response with the `auth_session` parameter. In the event a Wallet receives a response from the Authorization Server which features the `auth_session` parameter, the Wallet MUST make a follow-up request as per (#follow-up-request) to continue the Authorization process. | |
| Once this phase of the authorization process is completed, the Authorization Server MUST redirect the user-agent back to the Wallet as per [@RFC6749]. If the authorization process is complete when this redirect occurs, the Authorization Server returns the authorization code based response as per Section 1.3.1 of [@RFC6749]. If the authorization process is not complete when this redirect occurs, the Authorization Server returns an authorisation response with the `auth_session` parameter. In the event a Wallet receives a response from the Authorization Server which contains the `auth_session` parameter, the Wallet MUST make a follow-up request as per (#follow-up-request) to continue the authorization process. |
@danielfett copied my suggestion from your comment to here.
There was a problem hiding this comment.
- @danielfett waiting on the input from @aaronpk if there are any security conciderations we need to add about
auth_sessionbeing returned in the redirect. - another mix-up attack is introduced here?
@tplooker to open a PR with the suggestion made here so that we can continue security considerations discussion there.
…onse too Co-authored-by: Oliver Terbu <oliver.terbu@mattr.global>
Sakurann
requested review from
Sakurann,
TimoGlastra,
awoie,
bc-pi,
sloops77 and
tplooker
tplooker
left a comment
tplooker
left a comment
There was a problem hiding this comment.
Approving on the basis that we address the residual concerns with follow up PRs before v1.0
First, minimal version of Presentation During Issuance (Issue #473) . Work in Progress.
There are four open todos:
presentation_during_issuance_sessionparameter, for binding the presentation response to the issuance process. Do we need this, and if yes, how do we define it?