Openid4vci draft13 alignment (#63)

* Fix: Credential offer and response endpoints updated
* Fix: Updated authorisation request based on draft-13, supporting authorization_detail and scope
* Fix: Mandatory pushed authorisation request requirement
* Fix: Changed user_pin to txn_code in token req and auth_details in token response
* Fix: Update deferred credential handling to use transaction_id
* Fix: Update discovery to align with draft-13, add example for ietf-sd-jwt vc credential configuration
* Fix: Update to relative URLs
* Fix: Remove redundant title
* Fix: Minor fix to make pre_authorised as a code block
* Fix: Added missing redirect_uri param in token request
* Fix: Update OpenID4VCI specification URL to implementors draft 1 (WG draft 13)
* Fix: Added reference link for txn_code
* Fix: Renamed to credential_signing_alg_values_supported
* Fix: Removed format from credential response
* Fix: Added reviewers + fixed table issue in chapter 3.2
* Fix: Add OpenAPI specification for EWC RFC 001
* Fix: Remove EBSI references
* Fix: Add a note to indicate issuer metadata changes based on the different credential format supported.
* Fix: Add `pre-authorized_grant_anonymous_access_supported` to be true in the OAuth server metadata
* Fix: Remove  parameter from authorisation request examples
* Fix: Github markdown note admonition syntax
* Fix: Specify `token_endpoint_auth_methods_supported` in authorisation server metadata

Signed-off-by: Lal Chandran <[email protected]>
Signed-off-by: George J Padayatti <[email protected]>
Co-authored-by: George J Padayatti <[email protected]>

README.md

@@ -1,5 +1,3 @@
-# eudi-wallet-rfcs
-
 <h1 align="center">
     EWC - EUDI Wallet Request for Comments (RFCs) 
 </h1>
@@ -42,9 +40,9 @@ These are the approved RFCs identified to be specified towards wallet providers,
 
 | **RFC #** | **RFC Title**                                                                                                                                                           |
 | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| RFC-001   | [Issue Verifiable Credentials Workflow](https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc001-issue-verifiable-credential.md)                         |
-| RFC-002   | [Present Verifiable Credentials Workflow](https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc002-present-verifiable-credentials.md)                    |
-| RFC-100   | [EWC Interoperability Profile Towards ITB - v1.0](https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc100-interoperability-profile-towards-itb-v1.0.md) |
+| RFC-001   | [Issue Verifiable Credentials Workflow](ewc-rfc001-issue-verifiable-credential.md)                         |
+| RFC-002   | [Present Verifiable Credentials Workflow](ewc-rfc002-present-verifiable-credentials.md)                    |
+| RFC-100   | [EWC Interoperability Profile Towards ITB - v1.0](ewc-rfc100-interoperability-profile-towards-itb-v1.0.md) |
 
 ### Candidate RFCs (Work in progress)
 

ewc-supported-formats.csv

@@ -1,8 +1,5 @@
-Name,Type
-JSON Web Token - Verifiable Credential,jwt_vc
-JSON Web Token - Verifiable Presentation,jwt_vp
+Name,Format Identifier
 W3C JWT - Verifiable Credential,jwt_vc_json
 W3C JWT - Verifiable Presentation,jwt_vp_json
-Selective Disclosure - JSON Web Token,sd-jwt
 Selective Disclosure - JSON Web Token Verifiable Credential,vc+sd-jwt
 Selective Disclosure - JSON Web Token Verifiable Presentation,vp+sd-jwt

openapi-spec/Makefile

@@ -9,12 +9,11 @@ CONTAINER_DEFAULT_RUN_FLAGS := \
 	$(EXTRA_RUN_ARGS) \
 	-v $(CURDIR):/usr/share/nginx/html:ro
 
-
 .DEFAULT_GOAL := help
 .PHONY: help
 help:
 	@echo "------------------------------------------------------------------------"
-	@echo "EWC Wallet API documentation"
+	@echo "EWC RFC OpenAPI specification"
 	@echo "------------------------------------------------------------------------"
 	@grep -E '^[0-9a-zA-Z_/%\-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
@@ -23,4 +22,10 @@ run: ## Run dashboard locally for development purposes
 		$(CONTAINER_DEFAULT_RUN_FLAGS) \
 		-p 5000:80 \
 		--name "${CONTAINER_SWAGGER}" \
-		nginx:alpine
+		nginx:alpine
+
+check-swagger-cli:
+	@which swagger-cli > /dev/null || (echo "\033[31mPlease install swagger-cli before proceeding.\033[0m" && exit 1)
+
+bundle: check-swagger-cli ## Bundles swagger files
+	swagger-cli bundle index.yaml -o ./bundled.yaml -t yaml

openapi-spec/definitions/rfc001/authorisationCodeGrant.yaml

@@ -0,0 +1,19 @@
+type: object
+title: "Authorisation code grant"
+properties:
+  authorization_code:
+    type: object
+    description: "Authorisation code grant"
+    properties:
+      issuer_state:
+        type: string
+        description: >
+          "OPTIONAL. String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent Authorization Request with the Credential Issuer to a context set up during previous steps. 
+          If the Wallet decides to use the Authorization Code Flow and received a value for this parameter, it MUST include it in the subsequent Authorization Request to the Credential Issuer as the `issuer_state` parameter value"
+      authorization_server:
+        type: string
+        description: >
+          "OPTIONAL. String that the Wallet can use to identify the Authorization Server to use with this grant type when `authorization_servers` parameter in the Credential Issuer metadata has multiple entries. 
+          It MUST NOT be used otherwise. The value of this parameter MUST match with one of the values in the `authorization_servers` array obtained from the Credential Issuer metadata."
+required:
+  - authorization_code

openapi-spec/definitions/rfc001/authorisationCodeTokenRequest.yaml

@@ -0,0 +1,23 @@
+type: object
+title: Token Request (for authorisation code grant)
+properties:
+  grant_type:
+    type: string
+    description: |
+      The type of the grant being used. For example, 'authorization_code' indicates that the authorization code grant type is being used.
+    example: "authorization_code"
+  code:
+    type: string
+    description: |
+      The authorization code received from the authorization server in response to the authorization request. This code is used to obtain an access token from the token endpoint.
+  code_verifier:
+    type: string
+    description: |
+      The code verifier used in Proof Key for Code Exchange (PKCE). This is included in the token request to validate the code challenge that was used in the initial authorization request.
+  redirect_uri:
+    type: string
+    description: |
+      The redirect URI used in the authorization request. It must match the redirect URI used during the authorization request to ensure consistency and prevent attacks.
+required:
+  - grant_type
+  - code

openapi-spec/definitions/rfc001/authorisationDetails.yaml

@@ -0,0 +1,25 @@
+title: Authorisation Details
+type: object
+properties:
+  type:
+    type: string
+  locations:
+    type: array
+    items:
+      type: string
+  format:
+    type: string
+  credential_definition:
+    type: object
+    properties:
+      type:
+        type: array
+        items:
+          type: string
+    required:
+      - type
+required:
+  - type
+  - locations
+  - format
+  - credential_definition

openapi-spec/definitions/rfc001/authorisationResponse.yaml

@@ -0,0 +1,27 @@
+title: Authorisation response
+type: object
+properties:
+  state:
+    type: string
+    description: The client uses an opaque value to maintain the state between the request and callback.
+  client_id:
+    type: string
+    description: Decentralised identifier
+  redirect_uri:
+    type: string
+    description: For redirection of the response
+  response_type:
+    type: string
+    description: The value must be 'id_token' if the issuer requests DID authentication.
+  response_mode:
+    type: string
+    description: The value must be 'direct_post'
+  scope:
+    type: string
+    description: The value must be 'openid'
+  nonce:
+    type: string
+    description: A value used to associate a client session with an ID token and to mitigate replay attacks.
+  request_uri:
+    type: string
+    description: The authorisation server's private key signed the request.

openapi-spec/definitions/rfc001/authorisationServerMetadata.yaml

@@ -0,0 +1,48 @@
+title: Authorisation Server Metadata
+type: object
+description: "As described in Chapter 3 of [OpenID Connect Discovery 1.0 specification](https://openid.net/specs/openid-connect-discovery-1_0.html)."
+properties:
+  issuer:
+    type: string
+    description: REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier.
+  authorization_endpoint:
+    type: string
+    description: REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
+  pushed_authorization_request_endpoint:
+    type: string
+    description: The URL of the pushed authorization request endpoint at which a client can post an authorization request to exchange for a request_uri value usable at the authorization server.
+  require_pushed_authorization_requests:
+    type: boolean
+    description: Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR. If omitted, the default value is false.
+  token_endpoint:
+    type: string
+    description: URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
+  jwks_uri:
+    type: string
+    description: REQUIRED. URL of the OP's JWK Set [JWK] document, which MUST use the https scheme. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. The JWK Set MUST NOT contain private or symmetric key values.
+  response_types_supported:
+    type: array
+    items:
+      type: string
+    description: REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
+  subject_types_supported:
+    type: array
+    items:
+      type: string
+    description: REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.
+  id_token_signing_alg_values_supported:
+    type: array
+    items:
+      type: string
+    description: REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow).
+  pre-authorized_grant_anonymous_access_supported:
+    type: boolean
+    description: OPTIONAL. A boolean indicating whether the Credential Issuer accepts a Token Request with a Pre-Authorized Code but without a client_id. The default is false.
+required:
+  - issuer
+  - authorization_endpoint
+  - token_endpoint
+  - jwks_uri
+  - response_types_supported
+  - subject_types_supported
+  - id_token_signing_alg_values_supported

openapi-spec/definitions/rfc001/clientMetadata.yaml

@@ -0,0 +1,37 @@
+title: Client Meta Data
+type: object
+properties:
+  vp_formats_supported:
+    type: object
+    properties:
+      jwt_vp:
+        type: object
+        properties:
+          alg:
+            type: array
+            items:
+              type: string
+        required:
+          - alg
+      jwt_vc:
+        type: object
+        properties:
+          alg:
+            type: array
+            items:
+              type: string
+        required:
+          - alg
+    required:
+      - jwt_vp
+      - jwt_vc
+  response_types_supported:
+    type: array
+    items:
+      type: string
+  authorization_endpoint:
+    type: string
+required:
+  - vp_formats_supported
+  - response_types_supported
+  - authorization_endpoint

openapi-spec/definitions/rfc001/credentialIssuerMetadata.yaml

@@ -0,0 +1,102 @@
+title: Credential Issuer Metadata
+type: object
+properties:
+  credential_issuer:
+    type: string
+    description: REQUIRED. The Credential Issuer's identifier, as defined in Section 11.2.1.
+  authorization_servers:
+    type: string
+    description: >
+      OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [RFC8414]) the Credential Issuer relies on for authorization. 
+      If this parameter is omitted, the entity providing the Credential Issuer is also acting as the Authorization Server, i.e., the Credential Issuer's identifier is used to obtain the Authorization Server metadata. 
+      The actual OAuth 2.0 Authorization Server metadata is obtained from the oauth-authorization-server well-known location as defined in Section 3 of [RFC8414]. 
+      When there are multiple entries in the array, the Wallet may be able to determine which Authorization Server to use by querying the metadata; for example, by examining the grant_types_supported values, the Wallet can filter the server to use based on the grant type it plans to use. 
+      When the Wallet is using authorization_server parameter in the Credential Offer as a hint to determine which Authorization Server to use out of multiple, the Wallet MUST NOT proceed with the flow if the authorization_server Credential Offer parameter value does not match any of the entries in the authorization_servers array.
+  credential_endpoint:
+    type: string
+    description: REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
+  deferred_credential_endpoint:
+    type: string
+    description: OPTIONAL. URL of the Credential Issuer's Deferred Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Deferred Credential Endpoint.
+  batch_credential_endpoint:
+    type: string
+    description: OPTIONAL. URL of the Credential Issuer's Batch Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Batch Credential Endpoint.
+  notification_endpoint:
+    type: string
+    description: OPTIONAL. URL of the Credential Issuer's Notification Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Notification Endpoint.
+  credential_response_encryption:
+    type: object
+    description: OPTIONAL. Object containing information about whether the Credential Issuer supports encryption of the Credential and Batch Credential Response on top of TLS.
+    properties:
+      alg_values_supported:
+        type: array
+        description: >
+          REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].
+        items:
+          type: string
+      enc_values_supported:
+        description: >
+          REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].
+        type: array
+        items:
+          type: string
+      encryption_required:
+        description: >
+          REQUIRED. Boolean value specifying whether the Credential Issuer requires the additional encryption on top of TLS for the Credential Response. 
+          If the value is true, the Credential Issuer requires encryption for every Credential Response and therefore the Wallet MUST provide encryption keys in the Credential Request. 
+          If the value is false, the Wallet MAY chose whether it provides encryption keys or not.
+        type: boolean
+
+  display:
+    type: array
+    description: OPTIONAL. Array of objects, where each object contains display properties of a Credential Issuer for a certain language.
+    items:
+      type: object
+      properties:
+        name:
+          type: string
+          description: OPTIONAL. String value of a display name for the Credential Issuer.
+        locale:
+          type: string
+          description: String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. There MUST be only one object for each language identifier.
+        logo:
+          type: object
+          description: OPTIONAL. Object with information about the logo of the Credential Issuer.
+          properties:
+            uri:
+              type: string
+              description: >
+                REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc.
+            alt_text:
+              type: string
+              description: >
+                OPTIONAL. String value of the alternative text for the logo image.
+          required:
+            - uri
+            - alt_text
+  credential_identifiers_supported:
+    type: boolean
+    description: >
+      OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. 
+      If omitted, the default value is false.
+  signed_metadata:
+    type: string
+    description: >
+      OPTIONAL. String that is a signed JWT. 
+      This JWT contains Credential Issuer metadata parameters as claims. 
+      The signed metadata MUST be secured using JSON Web Signature (JWS) [RFC7515] and MUST contain an iat (Issued At) claim, an iss (Issuer) claim denoting the party attesting to the claims in the signed metadata, and sub (Subject) claim matching the Credential Issuer identifier. 
+      If the Wallet supports signed metadata, metadata values conveyed in the signed JWT MUST take precedence over the corresponding values conveyed using plain JSON elements. 
+      If the Credential Issuer wants to enforce use of signed metadata, it omits the respective metadata parameters from the unsigned part of the Credential Issuer metadata. 
+      A signed_metadata metadata value MUST NOT appear as a claim in the JWT. 
+      The Wallet MUST establish trust in the signer of the metadata, and obtain the keys to validate the signature before processing the metadata. 
+      The concrete mechanism how to do that is out of scope of this specification and MAY be defined in the profiles of this specification.
+  credential_configurations_supported:
+    oneOf:
+      - $ref: "../../definitions/rfc001/jwtVcJsonCredentialConfiguration.yaml"
+      - $ref: "../../definitions/rfc001/ietfSdJwtVcCredentialConfiguration.yaml"
+      - $ref: "../../definitions/rfc001/msoMdocCredentialConfiguration.yaml"
+required:
+  - credential_issuer
+  - authorization_servers
+  - credential_endpoint
+  - credential_configurations_supported

openapi-spec/definitions/rfc001/credentialOffer.yaml

@@ -0,0 +1,24 @@
+title: Credential Offer
+type: object
+properties:
+  credential_issuer:
+    type: string
+    description: >
+      "REQUIRED. The URL of the Credential Issuer, from which the Wallet is requested to obtain one or more Credentials. 
+      The Wallet can also use it to obtain the Credential Issuer's Metadata."
+  credential_configuration_ids:
+    type: array
+    item:
+      type: string
+    description: >
+      "REQUIRED. Array of unique strings that each identify one of the keys in the name/value pairs stored in the `credential_configurations_supported` Credential Issuer metadata. 
+      The Wallet uses these string values to obtain the respective object that contains information about the Credential being offered. 
+      For example, these string values can be used to obtain scope values to be used in the Authorization Request."
+  grants:
+    oneOf:
+      - $ref: "./../../definitions/rfc001/authorisationCodeGrant.yaml"
+      - $ref: "./../../definitions/rfc001/preAuthorisedCodeGrant.yaml"
+required:
+  - credential_issuer
+  - credential_configuration_ids
+  - grants