Add support for the Digital Credentials API #476
Conversation
Adds a new annex to defining support for the DC API
|
Still work in progress, but can get some initial comments |
|
|
||
| * `status`: REQUIRED. A string containing one of the status codes defined in this section. | ||
|
|
||
| The following status codes are supported: |
There was a problem hiding this comment.
TODO: Need to decide what error codes to support here.
There was a problem hiding this comment.
probably offer_declined?
| credential_issuer: "...", | ||
| credential_configuration_ids: [...], | ||
| grants: {...} | ||
| credential_issuer_metadata: {...}, | ||
| authorization_server_metadata: {...} |
There was a problem hiding this comment.
Grouping it like this, may enable to reuse the existing object used from vanilla vci flows
| credential_issuer: "...", | |
| credential_configuration_ids: [...], | |
| grants: {...} | |
| credential_issuer_metadata: {...}, | |
| authorization_server_metadata: {...} | |
| credential-offer: { | |
| credential_issuer: "...", | |
| credential_configuration_ids: [...], | |
| grants: {...} | |
| } | |
| credential_issuer_metadata: {...}, | |
| authorization_server_metadata: {...} |
|
|
||
| ## Credential Offer {#dc_api_credential_offer} | ||
|
|
||
| The Issuer sends the Credential Offer object to the Digital Credentials API. All of the Credential Offer parameters MAY be used. The Credential Offer object has been extended to include the following parameters: |
There was a problem hiding this comment.
| The Issuer sends the Credential Offer object to the Digital Credentials API. All of the Credential Offer parameters MAY be used. The Credential Offer object has been extended to include the following parameters: | |
| The Issuer sends the Credential Offer object to the Digital Credentials API. All of the Credential Offer parameters MAY be used. As some implementations of the DC API may not allow to network calls, the Credential Offer object is extended to include the following parameters: |
There was a problem hiding this comment.
I think it's more "to allow all the installed wallets to figure out if they can handle the request without fetching external data that may result in data being leaked without user consent"? Not sure.
There was a problem hiding this comment.
Agree with @jogu as its highlighting why some DC API implementations have this limitation.
|
|
||
|
|
||
| * `credential_issuer_metadata`: REQUIRED. The Issuer's Credential Issuer Metadata object as defined in (#credential-issuer-parameters). | ||
| * `authorization_server_metadata`: OPTIONAL. The Authorization Server metadata object as defined by Section 2 of [@!RFC8414]. When provided the `authorization_server` parameter must not be present. |
There was a problem hiding this comment.
| * `authorization_server_metadata`: OPTIONAL. The Authorization Server metadata object as defined by Section 2 of [@!RFC8414]. When provided the `authorization_server` parameter must not be present. | |
| * `authorization_server_metadata`: REQUIRED. The Authorization Server metadata object as defined in (#as-metadata). |
|
|
||
| * `status`: REQUIRED. A string containing one of the status codes defined in this section. | ||
|
|
||
| The following status codes are supported: |
There was a problem hiding this comment.
probably offer_declined?
|
|
||
| * `openid4vci-v1` | ||
|
|
||
| ## Credential Offer {#dc_api_credential_offer} |
There was a problem hiding this comment.
I see potential for other requests, i.e. calling DC-API to continue a deferred issuance with transaction_id
There was a problem hiding this comment.
Do you mean like using the DC API to notify the wallet that a deferred issuance is now ready for issuance?
| The Issuer sends the Credential Offer object to the Digital Credentials API. All of the Credential Offer parameters MAY be used. The Credential Offer object has been extended to include the following parameters: | ||
|
|
||
|
|
||
| * `credential_issuer_metadata`: REQUIRED. The Issuer's Credential Issuer Metadata object as defined in (#credential-issuer-parameters). |
There was a problem hiding this comment.
feels somewhat redundant?
| * `credential_issuer_metadata`: REQUIRED. The Issuer's Credential Issuer Metadata object as defined in (#credential-issuer-parameters). | |
| * `credential_issuer_metadata`: REQUIRED. The Credential Issuer Metadata object as defined in (#credential-issuer-parameters). |
| The name "Digital Credentials API" (DC API) encompasses the W3C Digital Credentials API [@!W3C.Digital_Credentials_API] | ||
| as well as its native App Platform equivalents in operating systems (such as [Credential Manager on Android](https://developer.android.com/jetpack/androidx/releases/credentials)). | ||
| The DC API allows web sites and native apps acting as Issuers to initiate the issuance of verifiable credentials. | ||
| The API itself is agnostic to the Credential issuance protocol and can be used with different protocols. | ||
| The Web Platform, working in conjunction with other layers, such as the app platform/operating system, and based on the permission of the End-User, will send the credential offer along with the Origin of the Issuer to the End-User's chosen Wallet. |
There was a problem hiding this comment.
| The name "Digital Credentials API" (DC API) encompasses the W3C Digital Credentials API [@!W3C.Digital_Credentials_API] | |
| as well as its native App Platform equivalents in operating systems (such as [Credential Manager on Android](https://developer.android.com/jetpack/androidx/releases/credentials)). | |
| The DC API allows web sites and native apps acting as Issuers to initiate the issuance of verifiable credentials. | |
| The API itself is agnostic to the Credential issuance protocol and can be used with different protocols. | |
| The Web Platform, working in conjunction with other layers, such as the app platform/operating system, and based on the permission of the End-User, will send the credential offer along with the Origin of the Issuer to the End-User's chosen Wallet. | |
| The term "Digital Credentials API" (DC API) encompasses the W3C Digital Credentials API [@!W3C.Digital_Credentials_API] | |
| as well as its native App Platform equivalents in operating systems (such as [Credential Manager on Android](https://developer.android.com/jetpack/androidx/releases/credentials)). | |
| The API itself is agnostic to the Credential issuance protocol and can be used with different protocols. | |
| When the DC API is used with this specification, it allows web sites and native apps acting as Issuers to initiate the issuance of verifiable credentials. | |
| The Web Platform, working in conjunction with other layers, such as the app platform/operating system, and based on the permission of the End-User, will send the Credential Offer along with the Origin of the Issuer to the End-User's chosen Wallet. |
|
|
||
| To use OpenID4VCI with the Digital Credentials API (DC API), the exchange protocol value has the following format: `openid4vci-v<version>`. | ||
|
|
||
| The value `1` MUST be used for the `<version>` field to indicate the request and response are compatible with this version of the specification. |
There was a problem hiding this comment.
Do we need to be explicit here that the version essentially constitutes a MAJOR version as per semver and therefore implementations should adopt the robustness principle when it comes to things like ignoring unknown elements in maps/objects to support forward compatibility with minor changes?
|
|
||
| The following status codes are supported: | ||
|
|
||
| `offer_accepted`: |
There was a problem hiding this comment.
Clarifying question: is the idea the issuer sends the offer and gets a confirmation from the wallet, but the actual issuance happens in a separate, parallel process within the wallet?
There was a problem hiding this comment.
That would be my understanding right now, the DC API flow basically succeeds with reaching a wallet and the "real" issuance flow starts from there from the Wallet.
Adds a new annex to defining support for the DC API
closes #410