Presentation During Issuance #509
Conversation
Sakurann
requested review from
jogu,
tlodderstedt,
cre8,
c2bo,
paulbastian,
awoie,
Sakurann and
bc-pi
|
thank you! changes to the PAR section are editorial, and not related to presentation during issuance, right? |
|
Thank you for the proposal! From a business requirements point of view (financial services in this case), I can confirm that there is a requirement for the issuer to have the option to ensure that the credential to be issued ends up in the same wallet unit as where the other one was presented from, both without and with DC API. I also believe that in this presentation-during-issuance scenario, the issuer receives 2x key material from/for holder binding and 2x the WUA. Processing these could be a way to achieve the binding between presentation and issuance beyond a auth_session/presentation_during_issuance_session parameter. |
|
I don't think going via a new endpoint is necessary. It was done by following the first party draft approach, where the new endpoint gets the information via a post request. But since we already have the par endpoint, we can reuse it as it is. The only thing then to extend is the authorization error response I am not sure if this is a good practice since it the server could either return an error via 302 (current approach) or the 400 (new approach). Edit: I mixed up one approach, so pls forget my suggestion above. Going via a new endpoint sounds like a good way to got. Open question is what should the verifier return when the wallet is using the other endpoint (for some reasons) and not the new one. |
| @@ -578,6 +578,28 @@ response_type=code | |||
| &authorization_details=... | |||
| ``` | |||
|
|
|||
| If the request is successful, the Authorization Server MUST respond with a 201 Created status code and the Location header field containing the URL of the Authorization Request URI. | |||
There was a problem hiding this comment.
text mentions Location header but missing in the example
|
I think the Authorization Challenge Response should be more like the Pushed Authorization Request response, where a request URI is provided for the authorization endpoint. This way there is still issuer interactivity after the credential is presented to the issuer. This is needed for use cases where there are extra steps to perform, not just relying on the presentation of the credential, for example biometric face matching to ensure that the current user performing the action is the same person as described by the credential, or the user providing extra information for record matching. The use cases this would applicable to are for example:
|
|
|
||
| #todo: Determine whether we needs presentation_during_issuance_session | ||
|
|
||
| ### Error - Show Website |
There was a problem hiding this comment.
Is the show website in this case the "normal" par flow, or just a generic webpage not used for authorization?
In the first party auth spec the challenge endpoint could fallback to behave like the par endpoint and return a request_uri, i think it will be useful to add this here as well, since a wallet won't know beforehand whether to use authorization challenge or PAR endpoint (so in our wallet we default to authorization challenge endpoint if available).
Currently i see no way to handle the case where normal par must be used and the wallet calls the challenge endpoint
Please also see requirement ACP_07 on https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/1.10.0/discussion-topics/k-combined-presentation-of-attestations/ for further context. |
| POST /op/par HTTP/1.1 | ||
| Host: as.example.com | ||
| POST /par HTTP/1.1 | ||
| Host: server.example.com | ||
| Content-Type: application/x-www-form-urlencoded |
There was a problem hiding this comment.
Not a new problem, but the lack of any form of client authentication in this request is slightly disturbing :)
There was a problem hiding this comment.
can you please open a separate issue on this so that we can fix it in another PR?
|
|
||
| ### Error - Request Presentation | ||
|
|
||
| The Authorization Server MAY request a Credential Presentation by responding with the `error` code `insufficient_authorization`. In this case, it MUST include a `presentation` parameter containing an Authorization Request as defined in Section 5 of [@!OpenID4VP], encoded in JSON. |
There was a problem hiding this comment.
I think one of the direct_post response modes needs to be used too. At least I'm having trouble seeing how the below 'repeat the authorization challenge' could work if response_mode=query was used?
I think there's also a need to ignore the redirect_uri in the direct_post response?
|
|
||
| ### Error - Show Website | ||
|
|
||
| #todo: Determine whether we need this. May need to include privacy considerations. |
There was a problem hiding this comment.
It intuitively feels necessary to me - I'm sure there are cases where the issuer is going to need to interact directly with the user, perhaps a simple case might be needing to ask the user for an email address so they can inform the user when the credential is ready or something...
re: your query on this: " The first-part apps draft right now only contains a fallback to the regular web flow, not a flexible way to open an in-app browser tab. If we add something like this, we may need to include privacy considerations."
I believe the correct interpretation of the first-party app drafts is that a fallback to the regular web flow would(should) open an in-app browser tab as per https://datatracker.ietf.org/doc/rfc8252/ - is there more flexibility needed?
What extra privacy considerations might we need considering a PAR request can already do this and I don't think we have any extra text around that?
|
|
||
| ### Authorization Code Response | ||
|
|
||
| Once the Authorization Server has successfully processed the Authorization Challenge Request, it MUST respond with a 200 OK response containing the `authorization_code` parameter. |
There was a problem hiding this comment.
The JSON body/content-type requirement is missing?
This would make the cases where the issuer doesn't need interactivity weird I think. The issuer can already force interactivity assuming we do go ahead with the web flow fallback Daniel has proposed in the text, I think that would mean both cases are possible at the issuers discretion. |
PAR isn't mandatory in VCI. I think either the first party draft or Daniel's proposal could choose to reuse/mandate PAR, I don't think there's anything inherently different between the two. I think if we did reuse the PAR endpoint there are other things we'd need to think about, like giving the wallet a way to indicate if it is willing/able to do presentation during issuance perhaps. The first party draft also seems to be considering using the PAR endpoint: oauth-wg/oauth-first-party-apps#134 |
Co-authored-by: Joseph Heenan <[email protected]>
First, minimal version of Presentation During Issuance (Issue #473) . Work in Progress.
There are four open todos:
presentation_during_issuance_sessionparameter, for binding the presentation response to the issuance process. Do we need this, and if yes, how do we define it?