OpenID for Verifiable Credential Issuance #17616
Replies: 9 comments 19 replies
-
Sorry for asking, Is it currently a proposal or idea for Keycloak to have native/built-in integration with SSI/DIDs? Or is there any other 3rd party for bridging the IAM (web2 based) to SSI/DIDs (web3 based). |
Beta Was this translation helpful? Give feedback.
-
Proceeding toward the implementation of the GAIN POC, we will be moving on with following two scenarios, that require minimal modification on Keycloak (KC): Scenario-1: Keycloak as Credential IssuerThis is a sample interaction in which KC functionality is extended with the the ability to produce VCs for all tokens produced by KC. Including the one produced through token exchange requests (as they present the first mean of selective disclosure so far). sequenceDiagram
Actor User
participant Wallet
box Keycloak
participant CME as Credential Metadata<br/>Endpoint
participant AME as Authorization Matadata<br/>Endpoint
participant PARE as PAR<br/>Endpoint
participant AZE as Authorization<br/>Endpoint
participant TE as Token<br/>Endpoint
end
User ->> Wallet: Interact with user
%% Only new endpoint required
Wallet ->> CME: Metadata /.well-known/openid-credential-issuer
Note right of Wallet: Only new end point in this scenario
CME -->> Wallet : Credential issuer metadata
Wallet ->> AME: /.well-known/openid-configuration
AME -->> Wallet: Auth server metadata
Wallet ->> Wallet : Construct PAR (evtl. with RAR)
Note right of Wallet: [single|batch],credential=true, all VC|token info
Wallet ->> PARE: Post PAR
PARE-->>Wallet: request_uri
Wallet->>AZE: Authorization Request
AZE ->> AZE: Authorize User
Note right of AZE: evtl. with consent
AZE-->>Wallet: Authorization Response (code)
Wallet->>TE: Token Request (code)
TE-->>Wallet: Token Response (VCs)
In the first implementation, we could start with Scenario-2: Keycloak with External Credential IssuerIn this scenario, all what we need is a consumable RAR, that will allow KC to produce a corresponding access token. Access token will be converted into VC by credential issuer. sequenceDiagram
Actor User
participant Wallet
box Credential Issuer
participant CME as Credential Metadata<br/>Endpoint
participant CE as Credential<br/>Endpoint
end
box Keycloak
participant AME as Authorization Matadata<br/>Endpoint
participant PARE as PAR<br/>Endpoint
participant AZE as Authorization<br/>Endpoint
participant TE as Token<br/>Endpoint
end
User ->> Wallet: Interact with user
%% Only new endpoint required
Wallet ->> CME: Metadata /.well-known/openid-credential-issuer
Note right of Wallet: Only new end point in this scenario
CME -->> Wallet : Credential issuer metadata
Wallet ->> AME: /.well-known/openid-configuration
AME -->> Wallet: Auth server metadata
Wallet ->> Wallet : Construct PAR (evtl. with RAR)
Note right of Wallet: [single|batch],credential=true, all VC|token info
Wallet ->> PARE: Post PAR
PARE-->>Wallet: request_uri
Wallet->>AZE: Authorization Request
AZE ->> AZE: Authorize User
Note right of AZE: evtl. with consent
AZE-->>Wallet: Authorization Response (code)
Wallet->>TE: Token Request (code)
TE-->>Wallet: Access Token, Refresh Token
Wallet->>CE: Credential Issuance Request
CE-->>Wallet: VCs
|
Beta Was this translation helpful? Give feedback.
-
As an enrichment of diagrams in here, below are two more diagrams from @coxchrisw with both auth code flow and pre-auth code flow. In these cases all current Keycloak endpoints are inside the participant Authorization Server. It is also essential to witness the role of an attestation endpoint. This is the component responsible for producing/certifying credentials (attestation tokens) used by Wallets (as OIDC Client) and by Verifiers (if necessary in their role as RP) to access the authorization server. Scenario-A: Authorisation Code FlowsequenceDiagram
Actor User
participant Wallet
participant CI as Credential<br/>Issuer
participant ATE as Attestation<br/>Endpoint
participant AS as Authorisation<br/>Server
User->>Wallet: Interact with wallet
Wallet->>CI: Obtain Credential Issuer metadata
CI-->>Wallet: Credential Issuer metadata
Wallet->>ATE: Create Client Attestation
ATE-->>Wallet: Client Attestation
Wallet->>AS: Construct PAR Request
note right of AS: use client attestation<br/>in par request<br/>contains VC to grant
AS -->> Wallet: PAR Response
Wallet ->> AS: Authorisation Request
note right of AS: use PAR response<br/>in Auth request
AS ->> AS: Authenticate User
AS -->> Wallet: Authorisation Response
Wallet ->> AS: Token Request (code)
note right of AS: use client attestation<br>in token request
AS -->> Wallet: Token Response (access_token)
Wallet->> CI: Credential Request (access_token, proof(s))
CI -->> Wallet: Credential Response (credential(s) OR acceptance_token)
Scenario-B: Pre-Authorisation Code FlowsequenceDiagram
Actor User
participant Wallet
participant CI as Credential<br/>Issuer
participant ATE as Attestation<br/>Endpoint
participant AS as Authorisation<br/>Server
User->>CI: User provides information required for the issuance of a certain Credential
CI-->>Wallet: Credential Offer (Pre-Authorized Code)
note left of CI: could be QR or<br/>Deep Link
Wallet->>CI: Obtain Credential Issuer metadata
CI-->>Wallet: Credential Issuer metadata
Wallet->>ATE: Create Client Attestation
ATE-->>Wallet: Client Attestation
Wallet ->> AS: Token Request (code)
note right of AS: use client attestation<br>in token request
AS -->> Wallet: Token Response (access_token)
Wallet->> CI: Credential Request (access_token, proof(s))
CI -->> Wallet: Credential Response (credential(s) OR acceptance_token)
|
Beta Was this translation helpful? Give feedback.
-
Detailed Schema: Keycloak as a Verifiable Credential IssuerDealing with client attestation in this schema. In the GAIN POC, Stage-1 does not required trusting the wallet attestation. Touching affected Keycloak components. sequenceDiagram
Actor User
participant Wallet
box Keycloak
participant CME as Credential Metadata<br/>Endpoint
participant AME as Authorization Matadata<br/>Endpoint
participant PARE as PAR<br/>Endpoint
participant DCR as DCR<br/>Endpoint
participant AZE as Authorization<br/>Endpoint
participant TE as Token<br/>Endpoint
end
User ->> Wallet: interacts
Wallet ->> CME: (1) Obtains Credential Issuer metadata <br>/.well-known/openid-credential-issuer
Note right of Wallet: 10.2 New endpoint<br/>do we need /issuer? see 10.2.1
CME -->> Wallet : Credential issuer metadata
Note right of Wallet: <br/>credential_issuer:<br/>authorization_server:<br/>credential_endpoint:<br/>batch_credential_endpoint:<br/>
Wallet ->> AME: (1) Obtains Authorization Server metadata <br>/.well-known/openid-configuration
AME -->> Wallet: Auth server metadata
Wallet ->> Wallet: create wallet attestation
Note right of Wallet: Self signed attestation<br/>GAIN PoC stage 1
Wallet ->> DCR: Register Wallet(Wallet Attestation)<br/>Endpoint: auth_server_metadata:registration_endpoint<br/>GAIN: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-attestation-based-client-auth-00
Note left of DCR: Configured KC to<br/>consume self signed<br/>attestations
DCR -->> Wallet: Wallet Client Credentials
Wallet ->> Wallet : Construct RAR
Note over Wallet : RAR type openid_credential<br/>[single|batch]<br/>credential=true<br/>all VC|token info
Wallet ->> PARE: Post PAR<br/>attestation-based-client-auth
Note left of PARE: Configured KC to<br/>consume self signed<br/>attestations
PARE-->>Wallet: request_uri
Wallet->>AZE: Authorization Request
AZE ->> AZE: Authorize User
Note right of AZE: evtl. with consent
AZE-->>Wallet: Authorization Response (code)
Wallet->>TE: Token Request (code)
Note left of TE: Configured KC to<br/>consume self signed<br/>attestations
TE-->>Wallet: Token Response (VCs)
Note right of Wallet: Token might be a<br/>verifiable credential
|
Beta Was this translation helpful? Give feedback.
-
Hello, We are now working on Support Authorization Code Flow for VC Issuance , We would like to break this issue into two sub-issues:
In the first PR, we would like to issue VC in pre-determined Credential Type, not considering a value of scope parameter. In the second PR, we plan to bind a scope value with
What do you think about these procedures for issuing a VC? I would be happy if you have comment on them. |
Beta Was this translation helpful? Give feedback.
-
@babisRoutis As for |
Beta Was this translation helpful? Give feedback.
-
First of all, thank you all contributors. There are a couple of things I want to make sure about the implementation. Here is the first one: From code merged with PR #27931, Am I right about that? |
Beta Was this translation helpful? Give feedback.
-
Hi, Let me make sure one more thing about the implementation of the relation between VC and mapper. Especially about how to figure out which mapper should be executed for a requested VC On the implementation for now, it looks you can not control mappers executed depend on a requested VC. For each mapper you can set Supported Credential Types. Maybe I better create new issue for this? |
Beta Was this translation helpful? Give feedback.
-
Hi all, Now I am working on "scope" parameter support on OID4VCI, which originally came up for discussion in the thread like following:
At first, let me make something clear about use case of "scope" parameter.
Please let me know something missing here. |
Beta Was this translation helpful? Give feedback.
-
Hi everyone,
OpenID Verifiable Credential Issuance (OIDC4VC) has been discussed a lot in the Self-Soverin Identity (SSI) especially due to European Commission having released a Framework for eIDASv2. The later tends to chose OIDC4VC as a protocol to issue Verifiable Credential (VC) and to present Verifiable Presentation (VP).
For simplicity, VC is a token generally in JSON-LD format issued by OpenID Provider to the User whereas VP is a token presented by User to Relying Party for authentication and authorizations purposes. A VP can be the result of an aggregation of multiples VCs or simply a subset of attributes of a single VC. OIDC4VP and SIOPv2 have been introduced for the purposes of presenting Verifiable Presentation from USER to Relying Party.
In this context, multiple wroking groups have started discussions about a concrete implementation of these specifications. As the largest open source SSO software, will we start working on this ? @thomasdarimont
Cheers,
Hoan
Beta Was this translation helpful? Give feedback.
All reactions