From ab70539f694f60d12fe8cdde6c098cd9cc6ab642 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Tue, 10 Sep 2024 10:04:00 +1000 Subject: [PATCH 1/6] Remove W3C DC API examples As the W3C spec is changing a lot, it's best yet to not include any examples. --- openid-4-verifiable-presentations-1_0.md | 69 ++++-------------------- 1 file changed, 11 insertions(+), 58 deletions(-) diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index 264ac4c..d413d5c 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md 
@@ -1599,30 +1599,21 @@ The value of the `protocol` parameter of the W3C Digital Credentials API MUST be The `request` member of the W3C Digital Credentials API [@!w3c.digital_credentials_api] contains an OpenID4VP Authorization Request, where every OpenID4VP Authorization Request parameter is represented as a top-level JavaScript object member. -The following is a non-normative example of how the W3C Digital Credentials API can be used with an unsigned OpenID4VP request when advanced security features of OpenID4VP are not used: +The following is a non-normative example of an unsigned OpenID4VP request when advanced security features of OpenID4VP are not used: ```js -try { - const credential = await navigator.identity.get({ - digital: { - providers: [{ - protocol: "openid4vp", - request: { - response_type: "vp_token", - response_mode: "w3c_dc_api", - nonce: "n-0S6_WzA2Mj", - client_metadata: {...}, - presentation_definition: {...} - } - }] - } - }); -} catch (err) { - // Handle errors and/or fallback to other invocation mechanisms +{ + protocol: "openid4vp", + request: { + response_type: "vp_token", + response_mode: "w3c_dc_api", + nonce: "n-0S6_WzA2Mj", + client_metadata: {...}, + presentation_definition: {...} + } } ``` - -Out of the Authorization Request parameters defined in [@!RFC6749] and (#vp_token_request), the following are supported with this profile: +Out of the Authorization Request parameters defined in [@!RFC6749] and (#vp_token_request), the following are supported with this profile: * `client_id` * `response_type` 
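Review bot: the rewritten example (the `+` block) still wraps the OpenID4VP parameters in the DC API provider members `protocol` and `request`, yet the new lead-in calls it "an unsigned OpenID4VP request", and the parameter list that follows starts with `client_id`, which the example does not carry. Either state that the outer `protocol` and `request` members belong to the Digital Credentials API provider entry and only the contents of `request` are OpenID4VP parameters, or show `client_id` in the example. Separately, the `-`/`+` pair on "Out of the Authorization Request parameters ..." appears identical apart from whitespace and also removes the blank line between the closing fence and the paragraph; patch 5 of this series puts that blank line back, so this part should be dropped rather than round-tripped.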
@@ -1658,21 +1649,6 @@ The Verifier MAY send a signed request, for example, when identification and aut The signed Request Object MAY contain all the parameters listed in (#browser_api_request), except `request`. -Below is a non-normative example of such a request: - -```js -const credential = await navigator.identity.get({ - digital: { - providers: [{ - protocol: "openid4vp", - request: { - request: "eyJhbGciOiJF..." - } - }] - } -}); -``` - This is an example of the payload of a signed OpenID4VP request used with the W3C Digital Credentials API: <{{examples/digital_credentials_api/signed_request_payload.json}} 
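Review bot: with the example removed, the Signed Request section no longer shows how the Request Object is conveyed at all: the surviving prose says the Request Object MAY contain every parameter from (#browser_api_request) except `request`, then jumps straight to the signed payload, so a reader has to infer that the JWS is passed as the single `request` member. If the concern is only that the `navigator.identity.get` call shape is in flux, keep the object literal (as patch 5 in this series ends up doing) and drop just the API wrapper, so this hunk gets the same treatment as the unsigned example in the previous hunk.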
@@ -1683,29 +1659,6 @@ The signed request allows the Wallet to authenticate the Verifier using a trust Every OpenID4VP Authorization Request results in a response being provided through the W3C Digital Credentials API. The response is an instance of the `DigitalCredential` interface, as defined in [@!w3c.digital_credentials_api], and the OpenID4VP Authorization Response parameters as defined for the Response Type are represented as an object within the `data` attribute. -The following is a non-normative example of processing an unsigned OpenID4VP response that could be received from the W3C Digital Credentials API: - -```js -const credential = await navigator.identity.get(request); -if (credential.protocol == "openid4vp") { - // Extract relevant data members - const { vp_token, presentation_submission } = credential.data; - // presentation_submission is a javascript object - // vp_token is a string or javascript object depending on the credential type -} -``` - -The following is a non-normative example of processing an encrypted OpenID4VP response that could be received from the W3C Digital Credentials API: - -```js -const credential = await navigator.identity.get(request); -if (credential.protocol == "openid4vp") { - // Extract encrypted response - const { response } = credential.data; - // response is a string containing a JWE, now decrypt it -} -``` - # Credential Format Profiles {#alternative_credential_formats} OpenID for Verifiable Presentations is Credential Format agnostic, i.e., it is designed to allow applications to request and receive Verifiable Presentations and Verifiable Credentials in any Credential Format. This section defines Credential Format Profiles for some of the known Credential Formats. Other specifications or deployments can define their own Credential Format Profiles. From d9b6ad6b107d248145a4883e50778366265abc4f Mon Sep 17 00:00:00 2001 
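Review bot: the two removed examples carried information the prose does not: that the Verifier checks `credential.protocol == "openid4vp"` before touching `data`, that `vp_token` may be a string or an object depending on the Credential Format, and that an encrypted response arrives as a single `response` member holding a JWE. After this hunk the Response section only says the parameters are "represented as an object within the `data` attribute", which leaves both the encrypted case and the protocol check unspecified. Suggest adding to the surviving paragraph something like "When the response is encrypted, `data` contains a single `response` member whose value is the JWE" and a normative statement that the Verifier verifies the returned credential's protocol is `openid4vp` before processing `data`, so that deleting the code does not delete the requirement.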
From: Marcos Caceres Date: Mon, 16 Sep 2024 17:00:35 -0600 Subject: [PATCH 2/6] More corrections --- openid-4-verifiable-presentations-1_0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index d413d5c..ce28bda 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md @@ -1593,11 +1593,11 @@ And lastly, as part of the request, the Wallet is provided with information abou ## Protocol -The value of the `protocol` parameter of the W3C Digital Credentials API MUST be set to `openid4vp` for this profile. +When used with the W3C Digital Credentials API [@!w3c.digital_credentials_api], the exchange protocol is the string `openid4vp` for this profile. ## Request {#browser_api_request} -The `request` member of the W3C Digital Credentials API [@!w3c.digital_credentials_api] contains an OpenID4VP Authorization Request, where every OpenID4VP Authorization Request parameter is represented as a top-level JavaScript object member. +The W3C Digital Credentials API [@!w3c.digital_credentials_api] contains an OpenID4VP Authorization Request, where every OpenID4VP Authorization Request parameter is represented as a top-level JavaScript object member. The following is a non-normative example of an unsigned OpenID4VP request when advanced security features of OpenID4VP are not used: From c6b83bfc89d461a9fa34742fc65efe70e6a331ac Mon Sep 17 00:00:00 2001 From: Marcos Caceres Date: Mon, 16 Sep 2024 17:09:04 -0600 Subject: [PATCH 3/6] Remove API usage from diagrams --- diagrams/request_uri_mode_post_through_browser_api.md | 2 -- diagrams/request_uri_mode_post_through_browser_api.plantuml | 2 -- diagrams/signed_request_uri_through_browser_api.plantuml | 1 - 3 files changed, 5 deletions(-) diff --git a/diagrams/request_uri_mode_post_through_browser_api.md b/diagrams/request_uri_mode_post_through_browser_api.md index 97e30d1..78bf75f 100644 
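Review bot: the second `+` line loses the subject of the sentence: "The W3C Digital Credentials API ... contains an OpenID4VP Authorization Request" is not true of the API itself, only of the request data handed to it, and the rest of the sentence ("represented as a top-level JavaScript object member") now has nothing to be a member of. Suggest "The request data passed to the W3C Digital Credentials API [@!w3c.digital_credentials_api] contains an OpenID4VP Authorization Request, where every OpenID4VP Authorization Request parameter is represented as a top-level member of that object." The first `+` line also turns the only MUST in the Protocol subsection into a descriptive statement; if the aim is merely to stop naming a specific API parameter, keep the requirement ("the exchange protocol ... MUST be `openid4vp`") so Wallets have a normative basis for rejecting other values. Patch 6 rewrites this same sentence again, so the two changes should be squashed.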
--- a/diagrams/request_uri_mode_post_through_browser_api.md +++ b/diagrams/request_uri_mode_post_through_browser_api.md @@ -16,8 +16,6 @@ participant "Wallet" as w u --> r : use activate r -r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post, \npresentation_definition") - deactivate r activate wp diff --git a/diagrams/request_uri_mode_post_through_browser_api.plantuml b/diagrams/request_uri_mode_post_through_browser_api.plantuml index 97e30d1..78bf75f 100644 --- a/diagrams/request_uri_mode_post_through_browser_api.plantuml +++ b/diagrams/request_uri_mode_post_through_browser_api.plantuml @@ -16,8 +16,6 @@ participant "Wallet" as w u --> r : use activate r -r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, \nrequest_uri, request_uri_method=post, \npresentation_definition") - deactivate r activate wp diff --git a/diagrams/signed_request_uri_through_browser_api.plantuml b/diagrams/signed_request_uri_through_browser_api.plantuml index e245aba..341ade3 100644 --- a/diagrams/signed_request_uri_through_browser_api.plantuml +++ b/diagrams/signed_request_uri_through_browser_api.plantuml @@ -19,7 +19,6 @@ activate r note over r,wp Note that the signed request object contains the Verifier's origin. end note -r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id, request") deactivate r activate wp From 1fb91d223d1e3283a4a01608455da991bfbf632b Mon Sep 17 00:00:00 2001 From: Marcos Caceres Date: Mon, 16 Sep 2024 17:10:55 -0600 Subject: [PATCH 4/6] Remove another ref --- openid-4-verifiable-presentations-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index ce28bda..c4a539c 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md 
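Review bot: deleting the `r -> wp` arrows leaves each diagram with `activate r` immediately followed by `deactivate r`, and an `activate wp` that is not triggered by any message, so the step in which the Verifier hands the request to the platform disappears instead of being made API-neutral. Suggest replacing the removed lines with a protocol-level arrow that does not name the JavaScript entry point, e.g. `r -> wp: DC API request (protocol="openid4vp",\nrequest={client_id, request_uri,\nrequest_uri_method=post, ...})`, keeping the `\n` breaks the originals used. Also, `request_uri_mode_post_through_browser_api.md` and `.plantuml` have identical contents and identical blob hashes (`97e30d1..78bf75f`) in both hunks, so one file is a copy of the other that must be edited twice; consider keeping only the `.plantuml` source.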
@@ -1657,7 +1657,7 @@ The signed request allows the Wallet to authenticate the Verifier using a trust ## Response -Every OpenID4VP Authorization Request results in a response being provided through the W3C Digital Credentials API. The response is an instance of the `DigitalCredential` interface, as defined in [@!w3c.digital_credentials_api], and the OpenID4VP Authorization Response parameters as defined for the Response Type are represented as an object within the `data` attribute. +Every OpenID4VP Authorization Request results in a response being provided through the W3C Digital Credentials API. The response is an instance of the `DigitalCredential` interface, as defined in [@!w3c.digital_credentials_api], and the OpenID4VP Authorization Response parameters as defined for the Response Type are represented as part of the returned `DigitalCredential` object. # Credential Format Profiles {#alternative_credential_formats} From 3b0d32c5c0fc22f7383bf256c74be5b764e0c782 Mon Sep 17 00:00:00 2001 From: Marcos Caceres Date: Fri, 4 Oct 2024 15:13:19 +1000 Subject: [PATCH 5/6] Bring back object --- openid-4-verifiable-presentations-1_0.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index c4a539c..5b60a4c 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md @@ -1613,6 +1613,7 @@ The following is a non-normative example of an unsigned OpenID4VP request when a } } ``` + Out of the Authorization Request parameters defined in [@!RFC6749] and (#vp_token_request), the following are supported with this profile: * `client_id` 
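Review bot: the `+` line in the Response hunk replaces "represented as an object within the `data` attribute" with "represented as part of the returned `DigitalCredential` object", which no longer tells an implementer where to find `vp_token` and `presentation_submission`, and patch 5 of this series reverts it verbatim. Drop this hunk (or squash patches 4 and 5) so no intermediate revision of the document specifies a location that was never intended. The one-line hunk at the top of patch 5 that restores the blank line after the unsigned example's closing fence is fine and logically belongs with patch 1.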
@@ -1649,6 +1650,21 @@ The Verifier MAY send a signed request, for example, when identification and aut The signed Request Object MAY contain all the parameters listed in (#browser_api_request), except `request`. +Below is a non-normative example of such a request: + +```js +{ + digital: { + providers: [{ + protocol: "openid4vp", + request: { + request: "eyJhbGciOiJF..." + } + }] + } +} +``` + This is an example of the payload of a signed OpenID4VP request used with the W3C Digital Credentials API: <{{examples/digital_credentials_api/signed_request_payload.json}} @@ -1657,7 +1673,7 @@ The signed request allows the Wallet to authenticate the Verifier using a trust ## Response -Every OpenID4VP Authorization Request results in a response being provided through the W3C Digital Credentials API. The response is an instance of the `DigitalCredential` interface, as defined in [@!w3c.digital_credentials_api], and the OpenID4VP Authorization Response parameters as defined for the Response Type are represented as part of the returned `DigitalCredential` object. +Every OpenID4VP Authorization Request results in a response being provided through the W3C Digital Credentials API. The response is an instance of the `DigitalCredential` interface, as defined in [@!w3c.digital_credentials_api], and the OpenID4VP Authorization Response parameters as defined for the Response Type are represented as an object within the `data` attribute. # Credential Format Profiles {#alternative_credential_formats} From b553f17ed52a45461f9e70cbd9724b972d993233 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Fri, 4 Oct 2024 15:36:42 +1000 Subject: [PATCH 6/6] Update openid-4-verifiable-presentations-1_0.md Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-presentations-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
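Review bot: the restored signed-request example starts at `digital: { providers: [ ... ] }`, whereas the unsigned example in (#browser_api_request) after patch 1 starts at `{ protocol: "openid4vp", request: { ... } }`; the two examples should sit at the same nesting level, and the outer `digital`/`providers` members are precisely the API-shape detail this series is trying to keep out of the document. Suggest trimming the block to the provider entry, i.e. `{ protocol: "openid4vp", request: { request: "eyJhbGciOiJF..." } }`, so both examples read the same way. The final hunk of this patch restores the `data` attribute wording that patch 4 removed; squash the two so the Response paragraph is not changed and changed back within one series.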
diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index 5b60a4c..c3e6aee 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md @@ -1593,7 +1593,7 @@ And lastly, as part of the request, the Wallet is provided with information abou ## Protocol -When used with the W3C Digital Credentials API [@!w3c.digital_credentials_api], the exchange protocol is the string `openid4vp` for this profile. +For the profile defined in this section, the value of the exchange protocol used with the W3C Digital Credentials API [@!w3c.digital_credentials_api], is the `openid4vp`. ## Request {#browser_api_request}
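Review bot: the `+` line has a grammar error ("is the `openid4vp`") and a stray comma after the citation. Suggest: "For the profile defined in this section, the value of the exchange protocol used with the W3C Digital Credentials API [@!w3c.digital_credentials_api] is `openid4vp`." It would also be worth restoring the MUST that patch 2 dropped from this sentence, since this is the only place the document constrains the protocol identifier.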