From 585f09d9c9348a713e69ded79bb9676d97fcd531 Mon Sep 17 00:00:00 2001 From: Lal Chandran Date: Fri, 6 Sep 2024 15:32:16 +0200 Subject: [PATCH] Openid4vci draft13 alignment (#63) * Fix: Credential offer and response endpoints updated * Fix: Updated authorisation request based on draft-13, supporting authorization_detail and scope * Fix: Mandatory pushed authorisation request requirement * Fix: Changed user_pin to txn_code in token req and auth_details in token response * Fix: Update deferred credential handling to use transaction_id * Fix: Update discovery to align with draft-13, add example for ietf-sd-jwt vc credential configuration * Fix: Update to relative URLs * Fix: Remove redundant title * Fix: Minor fix to make pre_authorised as a code block * Fix: Added missing redirect_uri param in token request * Fix: Update OpenID4VCI specification URL to implementors draft 1 (WG draft 13) * Fix: Added reference link for txn_code * Fix: Renamed to credential_signing_alg_values_supported * Fix: Removed format from credential response * Fix: Added reviewers + fixed table issue in chapter 3.2 * Fix: Add OpenAPI specification for EWC RFC 001 * Fix: Remove EBSI references * Fix: Add a note to indicate issuer metadata changes based on the different credential format supported. * Fix: Add `pre-authorized_grant_anonymous_access_supported` to be true in the OAuth server metadata * Fix: Remove parameter from authorisation request examples * Fix: Github markdown note admonition syntax * Fix: Specify `token_endpoint_auth_methods_supported` in authorisation server metadata Signed-off-by: Lal Chandran Signed-off-by: George J Padayatti Co-authored-by: George J Padayatti --- README.md | 8 +- ewc-rfc001-issue-verifiable-credential.md | 654 +++++---- ewc-supported-formats.csv | 5 +- openapi-spec/Makefile | 11 +- openapi-spec/bundled.yaml | 1295 +++++++++++++++++ .../rfc001/authorisationCodeGrant.yaml | 19 + .../rfc001/authorisationCodeTokenRequest.yaml | 23 + .../rfc001/authorisationDetails.yaml | 25 + .../rfc001/authorisationResponse.yaml | 27 + .../rfc001/authorisationServerMetadata.yaml | 48 + .../definitions/rfc001/clientMetadata.yaml | 37 + .../rfc001/credentialIssuerMetadata.yaml | 102 ++ .../definitions/rfc001/credentialOffer.yaml | 24 + .../definitions/rfc001/credentialRequest.yaml | 41 + .../deferredCredentialErrorResponse.yaml | 32 + .../rfc001/deferredCredentialRequest.yaml | 11 + .../rfc001/deferredCredentialResponse.yaml | 22 + .../ietfSdJwtVcCredentialConfiguration.yaml | 107 ++ .../rfc001/ietfSdJwtVcCredentialRequest.yaml | 51 + .../rfc001/inTimeCredentialErrorResponse.yaml | 19 + .../rfc001/inTimeCredentialResponse.yaml | 20 + .../jwtVcJsonCredentialConfiguration.yaml | 113 ++ .../rfc001/jwtVcJsonCredentialRequest.yaml | 56 + .../msoMdocCredentialConfiguration.yaml | 107 ++ .../rfc001/msoMdocCredentialRequest.yaml | 51 + .../rfc001/preAuthorisedCodeGrant.yaml | 40 + .../rfc001/preAuthorisedCodeTokenRequest.yaml | 20 + .../rfc001/presentationSubmission.yaml | 39 + .../rfc001/tokenErrorResponse.yaml | 39 + .../definitions/rfc001/tokenResponse.yaml | 56 + openapi-spec/ewc.yaml | 1061 -------------- openapi-spec/index.html | 115 +- openapi-spec/index.yaml | 86 ++ openapi-spec/paths/rfc001/authorisation.yaml | 72 + .../rfc001/authorisationServerMetadata.yaml | 13 + openapi-spec/paths/rfc001/credential.yaml | 27 + .../rfc001/credentialIssuerMetadata.yaml | 13 + .../paths/rfc001/credentialOffer.yaml | 24 + .../paths/rfc001/deferredCredential.yaml | 31 + openapi-spec/paths/rfc001/directPost.yaml | 21 + .../rfc001/pushedAuthorisationRequest.yaml | 67 + openapi-spec/paths/rfc001/token.yaml | 24 + 42 files changed, 3186 insertions(+), 1470 deletions(-) create mode 100644 openapi-spec/bundled.yaml create mode 100644 openapi-spec/definitions/rfc001/authorisationCodeGrant.yaml create mode 100644 openapi-spec/definitions/rfc001/authorisationCodeTokenRequest.yaml create mode 100644 openapi-spec/definitions/rfc001/authorisationDetails.yaml create mode 100644 openapi-spec/definitions/rfc001/authorisationResponse.yaml create mode 100644 openapi-spec/definitions/rfc001/authorisationServerMetadata.yaml create mode 100644 openapi-spec/definitions/rfc001/clientMetadata.yaml create mode 100644 openapi-spec/definitions/rfc001/credentialIssuerMetadata.yaml create mode 100644 openapi-spec/definitions/rfc001/credentialOffer.yaml create mode 100644 openapi-spec/definitions/rfc001/credentialRequest.yaml create mode 100644 openapi-spec/definitions/rfc001/deferredCredentialErrorResponse.yaml create mode 100644 openapi-spec/definitions/rfc001/deferredCredentialRequest.yaml create mode 100644 openapi-spec/definitions/rfc001/deferredCredentialResponse.yaml create mode 100644 openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialConfiguration.yaml create mode 100644 openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialRequest.yaml create mode 100644 openapi-spec/definitions/rfc001/inTimeCredentialErrorResponse.yaml create mode 100644 openapi-spec/definitions/rfc001/inTimeCredentialResponse.yaml create mode 100644 openapi-spec/definitions/rfc001/jwtVcJsonCredentialConfiguration.yaml create mode 100644 openapi-spec/definitions/rfc001/jwtVcJsonCredentialRequest.yaml create mode 100644 openapi-spec/definitions/rfc001/msoMdocCredentialConfiguration.yaml create mode 100644 openapi-spec/definitions/rfc001/msoMdocCredentialRequest.yaml create mode 100644 openapi-spec/definitions/rfc001/preAuthorisedCodeGrant.yaml create mode 100644 openapi-spec/definitions/rfc001/preAuthorisedCodeTokenRequest.yaml create mode 100644 openapi-spec/definitions/rfc001/presentationSubmission.yaml create mode 100644 openapi-spec/definitions/rfc001/tokenErrorResponse.yaml create mode 100644 openapi-spec/definitions/rfc001/tokenResponse.yaml delete mode 100644 openapi-spec/ewc.yaml create mode 100644 openapi-spec/index.yaml create mode 100644 openapi-spec/paths/rfc001/authorisation.yaml create mode 100644 openapi-spec/paths/rfc001/authorisationServerMetadata.yaml create mode 100644 openapi-spec/paths/rfc001/credential.yaml create mode 100644 openapi-spec/paths/rfc001/credentialIssuerMetadata.yaml create mode 100644 openapi-spec/paths/rfc001/credentialOffer.yaml create mode 100644 openapi-spec/paths/rfc001/deferredCredential.yaml create mode 100644 openapi-spec/paths/rfc001/directPost.yaml create mode 100644 openapi-spec/paths/rfc001/pushedAuthorisationRequest.yaml create mode 100644 openapi-spec/paths/rfc001/token.yaml diff --git a/README.md b/README.md index 6fc242c..252a6ae 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -# eudi-wallet-rfcs -

EWC - EUDI Wallet Request for Comments (RFCs)

@@ -42,9 +40,9 @@ These are the approved RFCs identified to be specified towards wallet providers, | **RFC #** | **RFC Title** | | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| RFC-001 | [Issue Verifiable Credentials Workflow](https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc001-issue-verifiable-credential.md) | -| RFC-002 | [Present Verifiable Credentials Workflow](https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc002-present-verifiable-credentials.md) | -| RFC-100 | [EWC Interoperability Profile Towards ITB - v1.0](https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc100-interoperability-profile-towards-itb-v1.0.md) | +| RFC-001 | [Issue Verifiable Credentials Workflow](ewc-rfc001-issue-verifiable-credential.md) | +| RFC-002 | [Present Verifiable Credentials Workflow](ewc-rfc002-present-verifiable-credentials.md) | +| RFC-100 | [EWC Interoperability Profile Towards ITB - v1.0](ewc-rfc100-interoperability-profile-towards-itb-v1.0.md) | ### Candidate RFCs (Work in progress) diff --git a/ewc-rfc001-issue-verifiable-credential.md b/ewc-rfc001-issue-verifiable-credential.md index 52bf59f..639c49e 100644 --- a/ewc-rfc001-issue-verifiable-credential.md +++ b/ewc-rfc001-issue-verifiable-credential.md @@ -1,24 +1,29 @@ -# EWC RFC001: Issue Verifiable Credential - v1.0 +# EWC RFC001: Issue Verifiable Credential - v2.0 **Authors:** * Mr George Padaytti (iGrant.io, Sweden) * Mr Lal Chandran (iGrant.io, Sweden) * Dr Andreas Abraham (ValidatedID, Spain) -**Reviewers:** - +**Reviewers:** * Dr Nikos Triantafyllou (University of the Aegean, Greece) * Mr Florin Coptil (Bosch, Germany) * Mr Matteo Mirabelli (Infocert, Italy) * Dr Mikael Linden (Vero, Finland) * Mr Renaud Murat (Archipels, France) * Mr. Sebastian Bickerle (Lissi ID, Germany) +* Mr. Quentin Drouot (Archipels, France) +* Mr. Edward Curran (Lissi ID, Germany) +* Mr. Björn Astrom (BankID, Sweden) +* Mr. Björn Molin (DIGG, Sweden) -**Status:** Approved for v1.0 release +**Status:** +Current: Draft 13 alignment +02-Sep-2024: Approved for v2.0 release **Table of Contents** -- [EWC RFC001: Issue Verifiable Credential - v1.0](#ewc-rfc001-issue-verifiable-credential---v10) +- [EWC RFC001: Issue Verifiable Credential - v2.0](#ewc-rfc001-issue-verifiable-credential---v20) - [1.0 Summary](#10summary) - [2.0 Motivation](#20motivation) - [3.0 Messages](#30messages) @@ -27,11 +32,15 @@ - [3.3 Discover request](#33-discover-request) - [3.4 Discover response](#34-discover-response) - [3.5 Authorisation request](#35-authorisation-request) + - [3.5.1 Using `authorization_details`](#351-using-authorization_details) + - [3.5.2 Using `scope`](#352-using-scope) - [3.6 Authorisation response](#36-authorisation-response) - [3.7 Token request](#37-token-request) - [3.7.1 Authorisation code flow](#371-authorisation-code-flow) - [3.7.2 Pre-authorised code flow](#372-pre-authorised-code-flow) - [3.8 Token response](#38-token-response) + - [3.8.1 With `authorization_details`](#381-with-authorization_details) + - [3.8.1 With `scope`](#381-with-scope) - [3.9 Credential request](#39-credential-request) - [3.10 Credential response](#310-credential-response) - [3.10.1 In-time](#3101--in-time) @@ -55,10 +64,38 @@ The EWC LSP must align with the standard protocol for issuing credentials. This The credential issuance can be an authorisation flow or a pre-authorised one. These are depicted in the following diagrams, the assumption is that credential offer is obtained by holder wallet prior to discovery using same device (i.e. clicking on a link) or cross device (i.e scanning a QR code) flows. ```mermaid - sequenceDiagram +sequenceDiagram + autonumber + participant I as Individual using EUDI Wallet + participant O as Organisational Wallet (Issuer) + + O->>I: GET: Credential Offer + Note over I,O: Discovery issuer capabilities + I->>O: GET: /.well-known/openid-credential-issuer + O-->>I: OpenID credential issuer configuration + I->>O: GET: /.well-known/oauth-authorization-server + O-->>I: OAuth authorisation server metadata + + Note over I,O: Authenticate and Authorise + I->>O: Authorisation request + O-->>I: Authorisation response + I->>O: Token request + O-->>I: Token response + + Note over I,O: Issue credential + I->>O: POST: Credential request with token + O-->>I: Credential response with acceptance token +``` +Figure 1: Issuance using Authorisation Code Flow based on [1] + +```mermaid +sequenceDiagram + autonumber participant I as Individual using EUDI Wallet participant O as Organisational Wallet (Issuer) + O->>I: GET: Credential Offer + Note over I,O: Discovery issuer capabilities I->>O: GET: /.well-known/openid-credential-issuer O-->>I: OpenID credential issuer configuration @@ -66,36 +103,13 @@ The credential issuance can be an authorisation flow or a pre-authorised one. Th O-->>I: OAuth authorisation server metadata Note over I,O: Authenticate and Authorise - I->>O: Authorisation request - O-->>I: Authorisation response - I->>O: Token request + I->>O: POST: Pre-authorised token request with transaction code O-->>I: Token response Note over I,O: Issue credential I->>O: POST: Credential request with token O-->>I: Credential response with acceptance token ``` -Figure 1: Issuance using Authorisation Code Flow based on [1] - -```mermaid - sequenceDiagram - participant I as Individual using EUDI Wallet - participant O as Organisational Wallet (Issuer) - - Note over I,O: Discovery issuer capabilities - I->>O: GET: /.well-known/openid-credential-issuer - O-->>I: OpenID credential issuer configuration - I->>O: GET: /.well-known/oauth-authorization-server - O-->>I: OAuth authorisation server metadata - - Note over I,O: Authenticate and Authorise - I->>O: POST: Pre-authorised token request with PIN - O-->>I: Token response - - Note over I,O: Issue credential - I->>O: POST: Credential request with token - O-->>I: Credential response with acceptance token -``` Figure 2: Issuance using Pre-Authorisation Code Flow based on [1] ## 3.1 Credential offer @@ -112,42 +126,15 @@ Here, the `credential_offer_uri` query param contains the URL in which the crede Once the `credential_offer_uri` query param is resolved, the response can be either of the following formats. -```json -{ - "credential_issuer": "https://server.example.com", - "credentials": [ - "VerifiablePortableDocumentA1" - ], - "grants": { - "authorization_code": { - "issuer_state": "eyJhbGciOiJSU0Et...FYUaBy" - } - } -} -``` - -> [!NOTE] -> In order to support all EBSI conformant wallets, the following format for the response is also valid, but not **mandatory** to be supported: +For authorised code flow, the credential offer response is as given: ```json { - "credential_issuer": "https://server.example.com", - "credentials": [ - { - "format": "jwt_vc_json", - "types": [ - "VerifiableCredential", - "VerifiableAttestation", + "credential_issuer": "https://server.example.com", + "credential_configuration_ids": [ "VerifiablePortableDocumentA1" - ], - "trust_framework": { - "name": "ewc-issuer-trust-list", - "type": "Accreditation", - "uri": "TIR link towards accreditation" - } - } - ], - "grants": { + ], + "grants": { "authorization_code": { "issuer_state": "eyJhbGciOiJSU0Et...FYUaBy" } @@ -155,38 +142,64 @@ Once the `credential_offer_uri` query param is resolved, the response can be eit } ``` -The holder wallet obtains the JSON and can process it. The format is the credential format. In the context of EWC LSPs, it can be `jwt_vc` or `sd-jwt_vc`. +For pre-authorised flow with a transaction code, the credential offer response is as given: -For pre-authorised flow, the credential response is as given: +```json +{ + "credential_issuer": "https://server.example.com", + "credential_configuration_ids": [ + "VerifiablePortableDocumentA1", + ], + "grants": { + "urn:ietf:params:oauth:grant-type:pre-authorized_code": { + "pre-authorized_code": "oaKazRN8I0IbtZ0C7JuMn5", + "tx_code": { + "length": 4, + "input_mode": "numeric", + "description": "Please provide the one-time code that was sent via e-mail or offline" + } + } + } +} +``` +For pre-authorised flow without a transaction code, the credential response is as given: ```json { - "credential_issuer": "https://server.example.com", - "credentials": [ - { - "format": "jwt_vc_json", - "types": [ - "VerifiableCredential", - "VerifiableAttestation", - "VerifiablePortableDocumentA1" - ], - "trust_framework": { - "name": "ebsi", - "type": "Accreditation", - "uri": "TIR link towards accreditation" + "credential_issuer": "https://server.example.com", + "credential_configuration_ids": [ + "VerifiablePortableDocumentA1", + ], + "grants": { + "urn:ietf:params:oauth:grant-type:pre-authorized_code": { + "pre-authorized_code": "oaKazRN8I0IbtZ0C7JuMn5", } - } - ], - "grants": { - "urn:ietf:params:oauth:grant-type:pre-authorized_code": { - "pre-authorized_code": "eyJhbGciOiJSU0Et...FYUaBy", - "user_pin_required": true - } - } + } } ``` +The following options are available for different grant types: + +**For `authorization_code`** + +| Field | Description | +| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **issuer_state** | OPTIONAL. String value created by the Credential Issuer and opaque to the Wallet. Used to bind the subsequent Authorization Request with the Credential Issuer to a context set up during previous steps. If received, it MUST be included in the subsequent Authorization Request as the issuer_state parameter value. | +| **authorization_server** | OPTIONAL string that the Wallet can use to identify the Authorization Server when the authorization_servers parameter in the Credential Issuer metadata has multiple entries. It MUST match one of the values in the authorization_servers array. | + +For `urn:ietf:params:oauth:grant-type:pre-authorized_code`: + +| Field | Description | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| **pre-authorized_code** | REQUIRED. The code representing the Credential Issuer's authorisation for the Wallet to obtain Credentials of a certain type. This code MUST be short-lived and single-use. It MUST be included in the subsequent Token Request. | +| **tx_code** | OPTIONAL. Object specifying whether the Authorization Server expects presentation of a Transaction Code by the End-User along with the Token Request. Intended to bind the Pre-Authorized Code to a certain transaction to prevent replay. If required, it MUST be sent in the tx_code parameter. Read more [here](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1.1). | +|     input_mode | OPTIONAL. String specifying the input character set. Possible values are numeric (only digits) and text (any characters). The default is numeric. | +|     length | OPTIONAL. Integer specifying the length of the Transaction Code. This helps the Wallet render the input screen and improve the user experience. | +|     description | OPTIONAL. String containing guidance for the Holder of the Wallet on how to obtain the Transaction Code. It is RECOMMENDED to display this description next to the Transaction Code input screen. The length MUST NOT exceed 300 characters. | +| **interval** | OPTIONAL. The minimum amount of time in seconds that the Wallet SHOULD wait between polling requests to the token endpoint. If no value is provided, Wallets MUST use 5 as the default. | +| **authorization_server** | OPTIONAL string that the Wallet can use to identify the Authorization Server when the authorization_servers parameter in the Credential Issuer metadata has multiple entries. It MUST match one of the values in the authorization_servers array. | + ## 3.3 Discover request Here, the holder wallet requests the issuer’s authorisation server configurations. @@ -218,17 +231,17 @@ Once the well-known endpoint for **issuer server** configuration is resolved, th "name": "Issuer", "location": "Belgium", "locale": "en-GB", - "description": "For queries about how we are managing your data please contact the Data Protection Officer." + "description": "For queries about how we manage your data please contact the Data Protection Officer." } ], - "credentials_supported": { - "VerifiablePortableDocumentA1SdJwt": { + "credential_configurations_supported": { + "VerifiablePortableDocumentA1": { "format": "vc+sd-jwt", "scope": "VerifiablePortableDocumentA1", "cryptographic_binding_methods_supported": [ "jwk" ], - "cryptographic_suites_supported": [ + "credential_signing_alg_values_supported": [ "ES256" ], "display": [ @@ -239,33 +252,30 @@ Once the well-known endpoint for **issuer server** configuration is resolved, th "text_color": "#FFFFFF" } ], - "credential_definition": { - "type": "VerifiablePortableDocumentA1", - "claims": { - "given_name": { - "display": [ - { - "name": "Given Name", - "locale": "en-GB" - }, - { - "name": "Vorname", - "locale": "de-DE" - } - ] - }, - "last_name": { - "display": [ - { - "name": "Surname", - "locale": "en-GB" - }, - { - "name": "Nachname", - "locale": "de-DE" - } - ] - } + "claims": { + "given_name": { + "display": [ + { + "name": "Given Name", + "locale": "en-GB" + }, + { + "name": "Vorname", + "locale": "de-DE" + } + ] + }, + "last_name": { + "display": [ + { + "name": "Surname", + "locale": "en-GB" + }, + { + "name": "Nachname", + "locale": "de-DE" + } + ] } } } @@ -274,241 +284,207 @@ Once the well-known endpoint for **issuer server** configuration is resolved, th ``` > [!NOTE] -> In order to support all EBSI conformant wallets, the following format for the response is also valid, but not **mandatory** to be supported: - -```json -{ - "credential_issuer": "https://server.example.com", - "authorization_server": "https://server.example.com", - "credential_endpoint": "https://server.example.com/credential", - "deferred_credential_endpoint": "https://server.example.com/credential_deferred", - "display": { - "name": "Issuer", - "location": "Belgium", - "locale": "en-GB", - "description": "For queries about how we are managing your data please contact the Data Protection Officer." - }, - "credentials_supported": [ - { - "format": "jwt_vc", - "types": [ - "VerifiableCredential", - "VerifiableAttestation", - "VerifiablePortableDocumentA1" - ], - "trust_framework": { - "name": "ebsi", - "type": "Accreditation", - "uri": "TIR link towards accreditation" - }, - "display": [ - { - "name": "Portable Document A1", - "locale": "en-GB" - } - ] - } - ] -} -``` +> The `credential_configurations_supported` field and it's values change based on the supported credential formats 1) `mso_mdoc` 2) `jwt_vc_json` 3) `vc+sd-jwt` +> It is important to consult the relevant documentation for each format to ensure that all required fields and values are correctly configured. +> The supported credential format identifiers in the context of EWC LSPs, can be found [here](https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-supported-formats.csv). -Once the well-known endpoint for **authorisation server** configuration is resolved, the response is as given below: +Once the well-known endpoint for authorisation server configuration is resolved, the response is as given below: ```json { "issuer": "https://server.example.com", "authorization_endpoint": "https://server.example.com/authorize", + "pushed_authorization_request_endpoint": "https://server.example.com/par", + "require_pushed_authorization_requests": true, "token_endpoint": "https://server.example.com/token", - "jwks_uri": "https://server.example.com/jwks", - "scopes_supported": [ - "openid" - ], + "jwks_uri": "https://server.example.com/.well-known/jwks.json", "response_types_supported": [ + "code", "vp_token", "id_token" ], - "response_modes_supported": [ - "query" - ], - "grant_types_supported": [ - "authorization_code" - ], "subject_types_supported": [ - "public" + "public", + "pairwise" ], "id_token_signing_alg_values_supported": [ "ES256" ], - "request_object_signing_alg_values_supported": [ - "ES256" - ], - "request_parameter_supported": true, - "request_uri_parameter_supported": true, + "pre-authorized_grant_anonymous_access_supported": true, "token_endpoint_auth_methods_supported": [ - "private_key_jwt" - ], - "request_authentication_methods_supported": { - "authorization_endpoint": [ - "request_object" - ] - }, - "vp_formats_supported": { - "jwt_vp": { - "alg_values_supported": [ - "ES256" - ] - }, - "jwt_vc": { - "alg_values_supported": [ - "ES256" - ] - } - }, - "subject_syntax_types_supported": [ - "did:key:jwk_jcs-pub", - "did:ebsi:v1", - "did:ebsi:v2" - ], - "subject_trust_frameworks_supported": [ - "ebsi", - "ewc-issuer-trust-list" - ], - "id_token_types_supported": [ - "subject_signed_id_token", - "attester_signed_id_token" + "none" ] } + ``` -Currently, we retain the trust framework specified by EBSI. Subsequently, we will specify an additional RFC defining the EWC trusted issuer list. ## 3.5 Authorisation request +There are two possible ways to request the issuance of a specific Credential type in an Authorization Request. One way is to use the `authorization_details` request parameter with one or more authorization details objects of type `openid_credential`. The other method is through the use of `scope`. + +> [!NOTE] +> HAIP[6] chapter 4.2 mandatorily requires Pushed Authorisation Request as per [7] + +### 3.5.1 Using `authorization_details` + The authorisation request is to grant access to the credential endpoint. Below is an example of such a request: ```http -GET https://my-issuer.rocks/auth/authorize? - -&response_type=code -&scope=openid -&issuer_state=tracker%3Dvcfghhj -&state=client-state -&client_id=did%3Akey%3Az2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9KbsEYvdrjxMjQ4tpnje9BDBTzuNDP3knn6qLZErzd4bJ5go2CChoPjd5GAH3zpFJP5fuwSk66U5Pq6EhF4nKnHzDnznEP8fX99nZGgwbAh1o7Gj1X52Tdhf7U4KTk66xsA5r -&authorization_details=%5B%7B%22format%22%3A%22jwt_vc%22%2C%22locations%22%3A%5B%22https%3A%2F%2Fissuer.example.com%22%5D%2C%22type%22%3A%22openid_credential%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22VerifiableAttestation%22%2C%22VerifiablePortableDocumentA1%22%5D%7D%5D -&redirect_uri=openid%3A -&nonce=glkFFoisdfEui43 -&code_challenge=YjI0ZTQ4NTBhMzJmMmZhNjZkZDFkYzVhNzlhNGMyZDdjZDlkMTM4YTY4NjcyMTA5M2Q2OWQ3YjNjOGJlZDBlMSAgLQo%3D -&code_challenge_method=S256 -&client_metadata=%7B%22vp_formats_supported%22%3A%7B%22jwt_vp%22%3A%7B%22alg%22%3A%5B%22ES256%22%5D%7D%2C%22jwt_vc%22%3A%7B%22alg%22%3A%5B%22ES256%22%5D%7D%7D%2C%22response_types_supported%22%3A%5B%22vp_token%22%2C%22id_token%22%5D%2C%22authorization_endpoint%22%3A%22openid%3A%2F%2F%22%7D - -Host: https://server.example.com +GET /authorize? + response_type=code + &client_id=s6BhdRkqt3 + &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM + &code_challenge_method=S256 + &authorization_details=[{"type": "openid_credential", " + credential_configuration_id": "VerifiablePortableDocumentA1"}] + &redirect_uri=https://client.example.org/cb +Host: server.example.com ``` -Query params for the authorisation request are given below: +The query params for the authorisation request with `authorization_details` are as described below: - - + + - - + + - - + + - - + + - - + - - + + - - + + + +
response_type - The value must be ‘code’ - + response_type + REQUIRED. The value must be "code" to request an authorization code.
scope - The value must be ‘openid’ - + client_id + REQUIRED. The identifier for the client making the request.
state - The client uses an opaque value to maintain the state between the request and callback. - + code_challenge + REQUIRED. The code challenge used for Proof Key for Code Exchange (PKCE) as specified in OAuth 2.0 for Public Clients [5]
client_id - Decentralised identifier - + code_challenge_method + OPTIONAL. The method used to transform the code verifier. Defaults to "plain" if not present. Possible values are "S256" or "plain", as defined in PKCE for OAuth 2.0.
authorization_details - As specified in OAuth 2.0 Rich Authorization Requests specification to specify fine-grained access [4]. An example is as given below: + + authorization_details + OPTIONAL. Provides fine-grained access details as specified in the OAuth 2.0 Rich Authorization Requests specification. The `authorization_details` parameter, as defined in Section 2 of [RFC9396], should be used to convey the specifics of the Credentials the Wallet intends to obtain. This specification introduces a new authorization details type, `openid_credential`. [4]. + + An example of W3C VC credential format is as given below: ```json - { - "type": "openid_credential", - "locations": [ - "https://credential-issuer.example.com" - ], - "format": "jwt_vc_json", - "credential_definition": { - "type": [ - "VerifiableCredential", - "UniversityDegreeCredential" - ] - } - } + [ + { + "type": "openid_credential", + "credential_configuration_id": "VerifiablePortableDocumentA1", + "credential_definition": { + "credentialSubject": {} + } + } + ] ``` - > [!NOTE] - > You may also use the earlier version as supported by EBSI. + + The IETF SD-JWT VC is as given: ```json - { - "format": "jwt_vc", - "locations": [ - "https://issuer.example.com" - ], - "type": "openid_credential", - "types": [ - "VerifiableCredential", - "VerifiableAttestation", - "VerifiablePortableDocumentA1" - ] - } + [ + { + "type": "openid_credential", + "format": "vc+sd-jwt", + "vct": "VerifiablePortableDocumentA1" + } + ] ```
redirect_uri - For redirection of the response - + redirect_uri + OPTIONAL. The redirection endpoint where the authorization server will send the user-agent after authorization is complete.
code_challenge - As specified in PKCE for OAuth Public Client specification [5] - + issuer_state + OPTIONAL. A string value representing a specific processing context at the Credential Issuer. This value is usually provided in a Credential Offer from the Credential Issuer to the Wallet and is used to pass the issuer_state value back to the Credential Issuer.
+ +### 3.5.2 Using `scope` + +Below is an example of such a request using `scope` parameter. Here, the wallet gets the `scope` during discovery: + +```http +GET https://my-issuer.rocks/auth/authorize? + response_type=code + &scope=VerifiablePortableDocumentA1 + &resource=https%3A%2F%2Fcredential-issuer.example.com + &client_id=s6BhdRkqt3 + &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM + &code_challenge_method=S256 + &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb +Host: server.example.com +``` + +The query params for the authorisation request with `scope` are as described below: + + + + + - - + + - - + + - - + + + + + + + + + + + + + +
+ response_type + REQUIRED. The value must be "code" to request an authorization code.
code_challenge_method - As specified in PKCE for OAuth Public Client specification - + scope + A JSON string that identifies the scope value supported by the Credential Issuer for a particular Credential. The value can be consistent across multiple credential configuration objects. The Authorization Server must uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request. Scope values in this Credential Issuer metadata may overlap with those in the scopes_supported parameter of the Authorization Server.
client_metadata - Holder wallets are non-reachable and can utilise this field in the Authorisation Request to deliver configuration - + client_id + REQUIRED. The identifier for the client making the request.
issuer_state - If present in the credential offer - + redirect_uri + OPTIONAL. The redirection endpoint where the authorization server will send the user-agent after authorization is complete.
+ code_challenge + REQUIRED. The code challenge used for Proof Key for Code Exchange (PKCE) as specified in OAuth 2.0 for Public Clients [5]
+ code_challenge_method + OPTIONAL. The method used to transform the code verifier. Defaults to "plain" if not present. Possible values are "S256" or "plain", as defined in PKCE for OAuth 2.0.
+ issuer_state + OPTIONAL. A string value representing a specific processing context at the Credential Issuer. This value is usually provided in a Credential Offer from the Credential Issuer to the Wallet and is used to pass the issuer_state value back to the Credential Issuer.
- ## 3.6 Authorisation response The credential issuer can **optionally** request additional details to authenticate the client e.g. DID authentication. In this case, the authorisation response will contain a `response_type` parameter with the value `direct_post`. A sample response is as given: ```http HTTP/1.1 302 Found -Location: http://localhost:8080?state=22857405-1a41-4db9-a638-a980484ecae1&client_id=https%3A%2F%2Fapi-conformance.ebsi.eu%2Fconformance%2Fv3%2Fauth-mock&redirect_uri=https%3A%2F%2Fapi-conformance.ebsi.eu%2Fconformance%2Fv3%2Fauth-mock%2Fdirect_post&response_type=id_token&response_mode=direct_post&scope=openid&nonce=a6f24536-b109-4623-a41a-7a9be932bdf6&request_uri=https%3A%2F%2Fapi-conformance.ebsi.eu%2Fconformance%2Fv3%2Fauth-mock%2Frequest_uri%2F111d2819-9ab7-4959-83e5-f414c57fdc27 +Location: http://localhost:8080?state=22857405-1a41-4db9-a638-a980484ecae1&client_id=https://example.server.com&redirect_uri=https://example.server.com/direct_post&response_type=id_token&response_mode=direct_post&scope=openid&nonce=a6f24536-b109-4623-a41a-7a9be932bdf6&request_uri=https://example.server.com/request_uri ``` Query params for the authorisation response are given below: @@ -625,6 +601,12 @@ This request is made with the following query params: Wallet-generated secure random token used to validate the original code_challenge provided in the initial Authorization Request + + redirect_uri + + For redirection of the response as per IETF RFC6749 Section 3.1.2 + + ### 3.7.2 Pre-authorised code flow @@ -638,7 +620,7 @@ Content-Type: application/x-www-form-urlencoded &grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA -&user_pin=493536 +&tx_code=493536 ``` This request is made with the following query params: @@ -651,21 +633,50 @@ This request is made with the following query params: - pre-authorized_code + pre-authorized_code Code representing the Credential Issuer's authorisation for the Wallet to obtain Credentials of a certain type. This code must be short-lived and single-use. - user_pin + tx_code - The end user pin is decided by the issuer and sent to the holder through an out-of-band process. E.g. Email, SMS + Specifies if the Authorization Server expects the End-User to present a Transaction Code with the Token Request in a Pre-Authorized Code Flow. If not required, this object is absent by default. The Transaction Code binds the Pre-Authorized Code to a specific transaction, preventing replay attacks. The End-User PIN is set by the issuer and sent to the holder via email, SMS, or another out-of-band method. ## 3.8 Token response +### 3.8.1 With `authorization_details` + +If `authorization_details` is used in authorisation request ([refer chapter 3.5.1](#351-using-authorization_details)), the token response will be as given: + +```http +HTTP/1.1 200 OK +Content-Type: application/json +Cache-Control: no-store + +{ + "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ", + "token_type": "bearer", + "expires_in": 86400, + "c_nonce": "tZignsnFbp", + "c_nonce_expires_in": 86400, + "authorization_details": [ + { + "type": "openid_credential", + "credential_configuration_id": "VerifiablePortableDocumentA1", + "credential_identifiers": [ "VerifiablePortableDocumentA1-Spain", "VerifiablePortableDocumentA1-Sweden", "VerifiablePortableDocumentA1-Germany" ] + } + ] +} +``` + +### 3.8.1 With `scope` + +If `scope` is used in authorisation request ([refer chapter 3.5.2](#352-using-scope)), the token response will be as given: + ```json { "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ", @@ -682,27 +693,32 @@ This request is made with the following query params: The Holder wallet makes a Credential Request to the Credential Endpoint as below: +**For W3C VC with credential format identifier** `jwt_vc_json`: + ```http POST /credential Content-Type: application/json Authorization: Bearer eyJ0eXAi...KTjcrDMg { - "format": "vc+sd-jwt", + "format": "jwt_vc_json", "credential_definition": { - "type": "VerifiablePortableDocumentA1" + "type": [ + "VerifiableCredential", + "VerifiablePortableDocumentA1" + ] }, "proof": { "proof_type": "jwt", - "jwt":"eyJraW...KWjceMcr" + "jwt":"eyJraWQiOiJkaWQ6ZX..zM" } } ``` +> [!NOTE] +> In the above, the credentialSubject is optional and is not considered within the scope of EWC LSP. -If specified, you can request specific fields to be included in the issued credential. If its not specified, all fields in the credential is included. +**For IETF SD-JWT VC with credential format identifier** `vc+sd-jwt`: -> [!NOTE] -> In order to support all EBSI conformant wallets, the following format for the request is also valid, but not **mandatory** to be supported: ```http POST /credential @@ -710,22 +726,20 @@ Content-Type: application/json Authorization: Bearer eyJ0eXAi...KTjcrDMg { - "format": "jwt_vc_json", - "proof": { - "jwt": "eyJraWQiOiJkaWQ6a2...su7UFClz9NQnw", - "proof_type": "jwt" - }, - "types": [ - "VerifiableCredential", - "VerifiableAttestation", - "VerifiablePortableDocumentA1" - ] + "format": "vc+sd-jwt", + "vct": "SD_JWT_VC_example_in_OpenID4VCI", + "proof": { + "proof_type": "jwt", + "jwt":"eyJ0eXAiOiJvc..1WlA" + } } ``` +If specified, you can request specific fields to be included in the issued credential. If its not specified, all fields in the credential is included. + ## 3.10 Credential response -The credential response can happen in-time or can be deferred as described below. +The credential response can happen in-time or can be deferred as described below. ### 3.10.1 In-time @@ -733,7 +747,6 @@ The In-time flow indicates that the credential is available immediately and the ```json { - "format": "vc+sd-jwt", "credential": "eyJ0eXAiOi...F0YluuK2Cog", "c_nonce": "fGFF7UkhLa", "c_nonce_expires_in": 86400 @@ -742,21 +755,35 @@ The In-time flow indicates that the credential is available immediately and the ### 3.10.2 Deferred -If the credential is unavailable, the issuer responds with an acceptance token, indicating credential issuance is deferred. +If the credential is unavailable, the issuer responds with an acceptance token, indicating credential issuance is deferred. The response is as below: ```json { - "acceptance_token": "eyJ0eXAiOiJKV1QiLCJhbGci..zaEhOOXcifQ", + "transaction_id": "8xLOxBtZp8", "c_nonce": "wlbQc6pCJp", "c_nonce_expires_in": 86400 } ``` -If the response contains `acceptance_token` field, then it can be understood the credential is not available now and should be later available through the deferred credential endpoint. +The `transaction_id` is used to identity the deferred transaction when the credential is issued at a later time with the following deferred credential endpoint: ```http POST /deferred-credential Authorization: BEARER eyJ0eXAiOiJKV1QiLCJhbGci..zaEhOOXcifQ +{ + "transaction_id": "8xLOxBtZp8" +} +``` + +> [!NOTE] +> If the response contains `transaction_id` field, then it can be understood the credential is not available now and should be later available through the deferred credential endpoint. An example response is as given below: + +```json +{ + "transaction_id": "eyJ0eXAiOiJKV1QiLCJhbGci..zaEhOOXcifQ", + "c_nonce": "wlbQc6pCJp", + "c_nonce_expires_in": 86400 +} ``` # 4.0 Alternate response format @@ -811,12 +838,13 @@ Please refer to the [implementers table](https://github.com/EWC-consortium/eudi- # 6.0 Reference -1. OpenID Foundation (2023), 'OpenID for Verifiable Credential Issuance (OID4VCI)', Available at: [https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-12.html](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-12.html) (Accessed: January 10, 2024). +1. OpenID Foundation (2023), 'OpenID for Verifiable Credential Issuance', Available at: [https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-ID1.html](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-ID1.html) (Accessed: July 11, 2024). 2. European Commission (2023) The European Digital Identity Wallet Architecture and Reference Framework (2023-04, v1.1.0) [Online]. Available at: [https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases](https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases) (Accessed: October 16, 2023). 3. OpenID Foundation (2023), 'Self-Issued OpenID Provider v2 (SIOP v2)', Available at: [https://openid.net/specs/openid-connect-self-issued-v2-1_0.html](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html) (Accessed: October 01, 2023) 4. OAuth 2.0 Rich Authorization Requests, Available at: [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-11](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-11) (Accessed: February 01, 2024) 5. Proof Key for Code Exchange by OAuth Public Clients, Available at: [https://datatracker.ietf.org/doc/html/rfc7636](https://datatracker.ietf.org/doc/html/rfc7636) (Accessed: February 01, 2024) 6. OpenID4VC High Assurance Interoperability Profile with SD-JWT VC - draft 00, Available at [https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html](https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html) (Accessed: February 16, 2024) +7. Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, September 2021, . # Appendix A: Public key resolution @@ -825,4 +853,4 @@ For a JWT there are multiple ways for resolving the public key using the `kid` h * If the key identifier is a DID then use a DID resolver to obtain the public key * If the key identifier is not a DID, then resolve the JWKs endpoint in the AS configuration and match the public key from the JWK set using the key identifier. -Additionally, it is possible to specify JWK directly in the header using `jwk` header claim. \ No newline at end of file +Additionally, it is possible to specify JWK directly in the header using `jwk` header claim. diff --git a/ewc-supported-formats.csv b/ewc-supported-formats.csv index d603610..d0dd3f7 100644 --- a/ewc-supported-formats.csv +++ b/ewc-supported-formats.csv @@ -1,8 +1,5 @@ -Name,Type -JSON Web Token - Verifiable Credential,jwt_vc -JSON Web Token - Verifiable Presentation,jwt_vp +Name,Format Identifier W3C JWT - Verifiable Credential,jwt_vc_json W3C JWT - Verifiable Presentation,jwt_vp_json -Selective Disclosure - JSON Web Token,sd-jwt Selective Disclosure - JSON Web Token Verifiable Credential,vc+sd-jwt Selective Disclosure - JSON Web Token Verifiable Presentation,vp+sd-jwt diff --git a/openapi-spec/Makefile b/openapi-spec/Makefile index 26d63d0..cf17544 100644 --- a/openapi-spec/Makefile +++ b/openapi-spec/Makefile @@ -9,12 +9,11 @@ CONTAINER_DEFAULT_RUN_FLAGS := \ $(EXTRA_RUN_ARGS) \ -v $(CURDIR):/usr/share/nginx/html:ro - .DEFAULT_GOAL := help .PHONY: help help: @echo "------------------------------------------------------------------------" - @echo "EWC Wallet API documentation" + @echo "EWC RFC OpenAPI specification" @echo "------------------------------------------------------------------------" @grep -E '^[0-9a-zA-Z_/%\-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' @@ -23,4 +22,10 @@ run: ## Run dashboard locally for development purposes $(CONTAINER_DEFAULT_RUN_FLAGS) \ -p 5000:80 \ --name "${CONTAINER_SWAGGER}" \ - nginx:alpine \ No newline at end of file + nginx:alpine + +check-swagger-cli: + @which swagger-cli > /dev/null || (echo "\033[31mPlease install swagger-cli before proceeding.\033[0m" && exit 1) + +bundle: check-swagger-cli ## Bundles swagger files + swagger-cli bundle index.yaml -o ./bundled.yaml -t yaml diff --git a/openapi-spec/bundled.yaml b/openapi-spec/bundled.yaml new file mode 100644 index 0000000..eec6006 --- /dev/null +++ b/openapi-spec/bundled.yaml @@ -0,0 +1,1295 @@ +components: + schemas: + CredentialOffer: + title: Credential Offer + type: object + properties: + credential_issuer: + type: string + description: | + "REQUIRED. The URL of the Credential Issuer, from which the Wallet is requested to obtain one or more Credentials. The Wallet can also use it to obtain the Credential Issuer's Metadata." + credential_configuration_ids: + type: array + item: + type: string + description: | + "REQUIRED. Array of unique strings that each identify one of the keys in the name/value pairs stored in the `credential_configurations_supported` Credential Issuer metadata. The Wallet uses these string values to obtain the respective object that contains information about the Credential being offered. For example, these string values can be used to obtain scope values to be used in the Authorization Request." + grants: + oneOf: + - $ref: '#/components/schemas/AuthorisationCodeGrant' + - $ref: '#/components/schemas/PreAuthorisedCodeGrant' + required: + - credential_issuer + - credential_configuration_ids + - grants + AuthorisationCodeGrant: + type: object + title: Authorisation code grant + properties: + authorization_code: + type: object + description: Authorisation code grant + properties: + issuer_state: + type: string + description: | + "OPTIONAL. String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent Authorization Request with the Credential Issuer to a context set up during previous steps. If the Wallet decides to use the Authorization Code Flow and received a value for this parameter, it MUST include it in the subsequent Authorization Request to the Credential Issuer as the `issuer_state` parameter value" + authorization_server: + type: string + description: | + "OPTIONAL. String that the Wallet can use to identify the Authorization Server to use with this grant type when `authorization_servers` parameter in the Credential Issuer metadata has multiple entries. It MUST NOT be used otherwise. The value of this parameter MUST match with one of the values in the `authorization_servers` array obtained from the Credential Issuer metadata." + required: + - authorization_code + PreAuthorisedCodeGrant: + type: object + title: Pre-authorised code grant + properties: + 'urn:ietf:params:oauth:grant-type:pre-authorized_code': + description: Pre-authorised code grant + type: object + properties: + pre-authorized_code: + type: string + description: | + "REQUIRED. The code representing the Credential Issuer's authorization for the Wallet to obtain Credentials of a certain type. This code MUST be short lived and single use. If the Wallet decides to use the Pre-Authorized Code Flow, this parameter value MUST be included in the subsequent Token Request with the Pre-Authorized Code Flow." + tx_code: + type: object + description: | + "OPTIONAL. Object specifying whether the Authorization Server expects presentation of a Transaction Code by the End-User along with the Token Request in a Pre-Authorized Code Flow. If the Authorization Server does not expect a Transaction Code, this object is absent; this is the default. The Transaction Code is intended to bind the Pre-Authorized Code to a certain transaction to prevent replay of this code by an attacker that, for example, scanned the QR code while standing behind the legitimate End-User. It is RECOMMENDED to send the Transaction Code via a separate channel. If the Wallet decides to use the Pre-Authorized Code Flow, the Transaction Code value MUST be sent in the tx_code parameter with the respective Token Request. If no length or description is given, this object may be empty, indicating that a Transaction Code is required." + properties: + input_mode: + type: string + description: | + "OPTIONAL. String specifying the input character set. Possible values are numeric (only digits) and text (any characters). The default is numeric." + length: + type: integer + description: | + "OPTIONAL. Integer specifying the length of the Transaction Code. This helps the Wallet to render the input screen and improve the user experience." + description: + type: string + description: | + "OPTIONAL. String containing guidance for the Holder of the Wallet on how to obtain the Transaction Code, e.g., describing over which communication channel it is delivered. The Wallet is RECOMMENDED to display this description next to the Transaction Code input screen to improve the user experience. The length of the string MUST NOT exceed 300 characters. The description does not support internationalization, however the Issuer MAY detect the Holder's language by previous communication or an HTTP Accept-Language header within an HTTP GET request for a Credential Offer URI." + required: + - 'urn:ietf:params:oauth:grant-type:pre-authorized_code' + CredentialIssuerMetadata: + title: Credential Issuer Metadata + type: object + properties: + credential_issuer: + type: string + description: 'REQUIRED. The Credential Issuer''s identifier, as defined in Section 11.2.1.' + authorization_servers: + type: string + description: | + OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this parameter is omitted, the entity providing the Credential Issuer is also acting as the Authorization Server, i.e., the Credential Issuer's identifier is used to obtain the Authorization Server metadata. The actual OAuth 2.0 Authorization Server metadata is obtained from the oauth-authorization-server well-known location as defined in Section 3 of [RFC8414]. When there are multiple entries in the array, the Wallet may be able to determine which Authorization Server to use by querying the metadata; for example, by examining the grant_types_supported values, the Wallet can filter the server to use based on the grant type it plans to use. When the Wallet is using authorization_server parameter in the Credential Offer as a hint to determine which Authorization Server to use out of multiple, the Wallet MUST NOT proceed with the flow if the authorization_server Credential Offer parameter value does not match any of the entries in the authorization_servers array. + credential_endpoint: + type: string + description: 'REQUIRED. URL of the Credential Issuer''s Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.' + deferred_credential_endpoint: + type: string + description: 'OPTIONAL. URL of the Credential Issuer''s Deferred Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Deferred Credential Endpoint.' + batch_credential_endpoint: + type: string + description: 'OPTIONAL. URL of the Credential Issuer''s Batch Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Batch Credential Endpoint.' + notification_endpoint: + type: string + description: 'OPTIONAL. URL of the Credential Issuer''s Notification Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Notification Endpoint.' + credential_response_encryption: + type: object + description: OPTIONAL. Object containing information about whether the Credential Issuer supports encryption of the Credential and Batch Credential Response on top of TLS. + properties: + alg_values_supported: + type: array + description: | + REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519]. + items: + type: string + enc_values_supported: + description: | + REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519]. + type: array + items: + type: string + encryption_required: + description: | + REQUIRED. Boolean value specifying whether the Credential Issuer requires the additional encryption on top of TLS for the Credential Response. If the value is true, the Credential Issuer requires encryption for every Credential Response and therefore the Wallet MUST provide encryption keys in the Credential Request. If the value is false, the Wallet MAY chose whether it provides encryption keys or not. + type: boolean + display: + type: array + description: 'OPTIONAL. Array of objects, where each object contains display properties of a Credential Issuer for a certain language.' + items: + type: object + properties: + name: + type: string + description: OPTIONAL. String value of a display name for the Credential Issuer. + locale: + type: string + description: 'String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. There MUST be only one object for each language identifier.' + logo: + type: object + description: OPTIONAL. Object with information about the logo of the Credential Issuer. + properties: + uri: + type: string + description: | + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + alt_text: + type: string + description: | + OPTIONAL. String value of the alternative text for the logo image. + required: + - uri + - alt_text + credential_identifiers_supported: + type: boolean + description: | + OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. If omitted, the default value is false. + signed_metadata: + type: string + description: | + OPTIONAL. String that is a signed JWT. This JWT contains Credential Issuer metadata parameters as claims. The signed metadata MUST be secured using JSON Web Signature (JWS) [RFC7515] and MUST contain an iat (Issued At) claim, an iss (Issuer) claim denoting the party attesting to the claims in the signed metadata, and sub (Subject) claim matching the Credential Issuer identifier. If the Wallet supports signed metadata, metadata values conveyed in the signed JWT MUST take precedence over the corresponding values conveyed using plain JSON elements. If the Credential Issuer wants to enforce use of signed metadata, it omits the respective metadata parameters from the unsigned part of the Credential Issuer metadata. A signed_metadata metadata value MUST NOT appear as a claim in the JWT. The Wallet MUST establish trust in the signer of the metadata, and obtain the keys to validate the signature before processing the metadata. The concrete mechanism how to do that is out of scope of this specification and MAY be defined in the profiles of this specification. + credential_configurations_supported: + oneOf: + - $ref: '#/components/schemas/JwtVcJsonCredentialConfiguration' + - $ref: '#/components/schemas/IetfSdJwtVcCredentialConfiguration' + - $ref: '#/components/schemas/MsoMdocCredentialConfiguration' + required: + - credential_issuer + - authorization_servers + - credential_endpoint + - credential_configurations_supported + JwtVcJsonCredentialConfiguration: + title: VC Signed as a JWT + required: + - credential_definition + - format + type: object + properties: + order: + type: array + description: OPTIONAL. Array of the claim name values that lists them in the order they should be displayed by the Wallet. + items: + type: string + credential_definition: + description: REQUIRED. Object containing the detailed description of the Credential type. + type: object + properties: + type: + type: array + items: + type: string + description: 'REQUIRED. Array designating the types a certain Credential type supports, according to [VC_DATA], Section 4.3.' + credentialSubject: + type: object + description: | + OPTIONAL. Object containing a list of name/value pairs, where each name identifies a claim offered in the Credential. The value can be another such object (nested data structures), or an array of such objects. + additionalProperties: true + format: + type: string + description: | + REQUIRED. A JSON string identifying the format of this Credential, i.e., `jwt_vc_json` or `mso_mdoc` or `vc+sd-jwt`. Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the Credential MAY contain and information about how to display the Credential. + scope: + type: string + description: | + OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple credential_configurations_supported objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request. Scope values in this Credential Issuer metadata MAY duplicate those in the `scopes_supported parameter` of the Authorization Server. + cryptographic_binding_methods_supported: + type: array + items: + type: string + description: | + OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. Support for keys in JWK format [RFC7517] is indicated by the value jwk. Support for keys expressed as a COSE Key object [RFC8152] (for example, used in [ISO.18013-5]) is indicated by the value cose_key. When the Cryptographic Binding Method is a DID, valid values are a did: prefix followed by a method-name using a syntax as defined in Section 3.1 of [DID-Core], but without a :and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by did:example. + credential_signing_alg_values_supported: + description: | + OPTIONAL. Array of case sensitive strings that identify the algorithms that the Issuer uses to sign the issued Credential. + type: array + items: + type: string + proof_types_supported: + description: | + Object that describes specifics of the key proof(s) that the Credential Issuer supports. This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). This identifier is also used by the Wallet in the Credential Request. + type: object + properties: + proof_signing_alg_values_supported: + description: | + REQUIRED. Array of case sensitive strings that identify the algorithms that the Issuer supports for this proof type. The Wallet uses one of them to sign the proof. + type: array + items: + type: string + display: + type: object + description: 'Array of objects, where each object contains the display properties of the supported Credential for a certain language.' + properties: + name: + description: REQUIRED. String value of a display name for the Credential. + type: string + locale: + type: string + description: | + OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. Multiple display objects MAY be included for separate languages. There MUST be only one object for each language identifier. + logo: + type: object + description: | + OPTIONAL. Object with information about the logo of the Credential. + properties: + uri: + type: string + description: | + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc + alt_text: + type: string + description: | + OPTIONAL. String value of the alternative text for the logo image. + description: + type: string + description: | + OPTIONAL. String value of a description of the Credential. + background_color: + type: string + description: | + OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + background_image: + type: object + description: | + OPTIONAL. Object with information about the background image of the Credential. + properties: + uri: + description: | + REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + type: string + text_color: + type: string + description: | + OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + IetfSdJwtVcCredentialConfiguration: + title: IETF SD-JWT VC + required: + - vct + - format + type: object + properties: + vct: + type: string + description: 'REQUIRED. String designating the type of a Credential, as defined in [I-D.ietf-oauth-sd-jwt-vc].' + claims: + description: | + OPTIONAL. Object containing a list of name/value pairs, where each name identifies a claim about the subject offered in the Credential. The value can be another such object (nested data structures), or an array of such objects. + type: object + additionalProperties: true + order: + type: array + items: + type: string + description: OPTIONAL. An array of the claim name values that lists them in the order they should be displayed by the Wallet. + format: + type: string + description: | + REQUIRED. A JSON string identifying the format of this Credential, i.e., `jwt_vc_json` or `mso_mdoc` or `vc+sd-jwt`. Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the Credential MAY contain and information about how to display the Credential. + scope: + type: string + description: | + OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple credential_configurations_supported objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request. Scope values in this Credential Issuer metadata MAY duplicate those in the `scopes_supported parameter` of the Authorization Server. + cryptographic_binding_methods_supported: + type: array + items: + type: string + description: | + OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. Support for keys in JWK format [RFC7517] is indicated by the value jwk. Support for keys expressed as a COSE Key object [RFC8152] (for example, used in [ISO.18013-5]) is indicated by the value cose_key. When the Cryptographic Binding Method is a DID, valid values are a did: prefix followed by a method-name using a syntax as defined in Section 3.1 of [DID-Core], but without a :and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by did:example. + credential_signing_alg_values_supported: + description: | + OPTIONAL. Array of case sensitive strings that identify the algorithms that the Issuer uses to sign the issued Credential. + type: array + items: + type: string + proof_types_supported: + description: | + Object that describes specifics of the key proof(s) that the Credential Issuer supports. This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). This identifier is also used by the Wallet in the Credential Request. + type: object + properties: + proof_signing_alg_values_supported: + description: | + REQUIRED. Array of case sensitive strings that identify the algorithms that the Issuer supports for this proof type. The Wallet uses one of them to sign the proof. + type: array + items: + type: string + display: + type: object + description: 'Array of objects, where each object contains the display properties of the supported Credential for a certain language.' + properties: + name: + description: REQUIRED. String value of a display name for the Credential. + type: string + locale: + type: string + description: | + OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. Multiple display objects MAY be included for separate languages. There MUST be only one object for each language identifier. + logo: + type: object + description: | + OPTIONAL. Object with information about the logo of the Credential. + properties: + uri: + type: string + description: | + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc + alt_text: + type: string + description: | + OPTIONAL. String value of the alternative text for the logo image. + description: + type: string + description: | + OPTIONAL. String value of a description of the Credential. + background_color: + type: string + description: | + OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + background_image: + type: object + description: | + OPTIONAL. Object with information about the background image of the Credential. + properties: + uri: + description: | + REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + type: string + text_color: + type: string + description: | + OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + MsoMdocCredentialConfiguration: + title: ISO mDL + required: + - doctype + - format + type: object + properties: + doctype: + type: string + description: 'REQUIRED. String identifying the Credential type, as defined in [ISO.18013-5].' + order: + type: array + items: + type: string + description: 'OPTIONAL. Array of namespaced claim name values that lists them in the order they should be displayed by the Wallet. The values MUST be two strings separated by a tilde (''~'') character, where the first string is a namespace value and a second is a claim name value. For example, `org.iso.18013.5.1~given_name".' + claims: + type: object + additionalProperties: true + description: | + OPTIONAL. Object containing a list of name/value pairs, where the name is a certain namespace as defined in [ISO.18013-5] (or any profile of it), and the value is an object. This object also contains a list of name/value pairs, where the name is a claim name value that is defined in the respective namespace and is offered in the Credential. + format: + type: string + description: | + REQUIRED. A JSON string identifying the format of this Credential, i.e., `jwt_vc_json` or `mso_mdoc` or `vc+sd-jwt`. Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the Credential MAY contain and information about how to display the Credential. + scope: + type: string + description: | + OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple credential_configurations_supported objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request. Scope values in this Credential Issuer metadata MAY duplicate those in the `scopes_supported parameter` of the Authorization Server. + cryptographic_binding_methods_supported: + type: array + items: + type: string + description: | + OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. Support for keys in JWK format [RFC7517] is indicated by the value jwk. Support for keys expressed as a COSE Key object [RFC8152] (for example, used in [ISO.18013-5]) is indicated by the value cose_key. When the Cryptographic Binding Method is a DID, valid values are a did: prefix followed by a method-name using a syntax as defined in Section 3.1 of [DID-Core], but without a :and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by did:example. + credential_signing_alg_values_supported: + description: | + OPTIONAL. Array of case sensitive strings that identify the algorithms that the Issuer uses to sign the issued Credential. + type: array + items: + type: string + proof_types_supported: + description: | + Object that describes specifics of the key proof(s) that the Credential Issuer supports. This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). This identifier is also used by the Wallet in the Credential Request. + type: object + properties: + proof_signing_alg_values_supported: + description: | + REQUIRED. Array of case sensitive strings that identify the algorithms that the Issuer supports for this proof type. The Wallet uses one of them to sign the proof. + type: array + items: + type: string + display: + type: object + description: 'Array of objects, where each object contains the display properties of the supported Credential for a certain language.' + properties: + name: + description: REQUIRED. String value of a display name for the Credential. + type: string + locale: + type: string + description: | + OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. Multiple display objects MAY be included for separate languages. There MUST be only one object for each language identifier. + logo: + type: object + description: | + OPTIONAL. Object with information about the logo of the Credential. + properties: + uri: + type: string + description: | + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc + alt_text: + type: string + description: | + OPTIONAL. String value of the alternative text for the logo image. + description: + type: string + description: | + OPTIONAL. String value of a description of the Credential. + background_color: + type: string + description: | + OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + background_image: + type: object + description: | + OPTIONAL. Object with information about the background image of the Credential. + properties: + uri: + description: | + REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + type: string + text_color: + type: string + description: | + OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + AuthorisationServerMetadata: + title: Authorisation Server Metadata + type: object + description: 'As described in Chapter 3 of [OpenID Connect Discovery 1.0 specification](https://openid.net/specs/openid-connect-discovery-1_0.html).' + properties: + issuer: + type: string + description: REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. + authorization_endpoint: + type: string + description: 'REQUIRED. URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.' + pushed_authorization_request_endpoint: + type: string + description: The URL of the pushed authorization request endpoint at which a client can post an authorization request to exchange for a request_uri value usable at the authorization server. + require_pushed_authorization_requests: + type: boolean + description: 'Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR. If omitted, the default value is false.' + token_endpoint: + type: string + description: 'URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.' + jwks_uri: + type: string + description: 'REQUIRED. URL of the OP''s JWK Set [JWK] document, which MUST use the https scheme. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server''s encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key''s intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. The JWK Set MUST NOT contain private or symmetric key values.' + response_types_supported: + type: array + items: + type: string + description: REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. + subject_types_supported: + type: array + items: + type: string + description: REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. + id_token_signing_alg_values_supported: + type: array + items: + type: string + description: 'REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow).' + pre-authorized_grant_anonymous_access_supported: + type: boolean + description: OPTIONAL. A boolean indicating whether the Credential Issuer accepts a Token Request with a Pre-Authorized Code but without a client_id. The default is false. + required: + - issuer + - authorization_endpoint + - token_endpoint + - jwks_uri + - response_types_supported + - subject_types_supported + - id_token_signing_alg_values_supported + AuthorisationResponse: + title: Authorisation response + type: object + properties: + state: + type: string + description: The client uses an opaque value to maintain the state between the request and callback. + client_id: + type: string + description: Decentralised identifier + redirect_uri: + type: string + description: For redirection of the response + response_type: + type: string + description: The value must be 'id_token' if the issuer requests DID authentication. + response_mode: + type: string + description: The value must be 'direct_post' + scope: + type: string + description: The value must be 'openid' + nonce: + type: string + description: A value used to associate a client session with an ID token and to mitigate replay attacks. + request_uri: + type: string + description: The authorisation server's private key signed the request. + AuthorisationDetails: + title: Authorisation Details + type: object + properties: + type: + type: string + locations: + type: array + items: + type: string + format: + type: string + credential_definition: + type: object + properties: + type: + type: array + items: + type: string + required: + - type + required: + - type + - locations + - format + - credential_definition + AuthorisationCodeTokenRequest: + $ref: '#/components/schemas/AuthorisationCodeGrant' + PreAuthorisedCodeTokenRequest: + type: object + title: Token Request (for pre-authorised code grant) + properties: + grant_type: + type: string + description: | + The type of grant being used. For pre-authorized code flow, this must be set to 'urn:ietf:params:oauth:grant-type:pre-authorized_code'. + example: 'urn:ietf:params:oauth:grant-type:pre-authorized_code' + pre-authorized_code: + type: string + description: | + The pre-authorized code issued by the authorization server. This code is used to request an access token. + tx_code: + type: string + description: | + A transaction code that helps identify and correlate the request with the original authorization transaction. + required: + - grant_type + - pre-authorized_code + - tx_code + TokenResponse: + type: object + title: Token Response + properties: + access_token: + type: string + description: | + The access token issued by the authorization server. This token is used to access protected resources. + example: eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ + token_type: + type: string + description: | + The type of the token issued. Typically this is "bearer". + example: bearer + expires_in: + type: integer + description: | + The lifetime in seconds of the access token. After this time, the token will expire and a new one must be requested. + example: 86400 + c_nonce: + type: string + description: | + OPTIONAL. A nonce used when creating proof of possession of the key proof. This nonce must be used for subsequent requests until a fresh nonce is provided by the Credential Issuer. + example: tZignsnFbp + c_nonce_expires_in: + type: integer + description: | + OPTIONAL. The lifetime in seconds of the `c_nonce`. After this time, the `c_nonce` will expire. + example: 86400 + authorization_details: + type: array + items: + type: object + properties: + type: + type: string + description: | + REQUIRED. The type of authorization details. Must be "openid_credential" when used to request issuance of a specific Credential type. + example: openid_credential + credential_configuration_id: + type: string + description: | + REQUIRED when `authorization_details` is used. The identifier for the Credential configuration. + example: UniversityDegreeCredential + credential_identifiers: + type: array + items: + type: string + description: | + OPTIONAL. An array of strings, each uniquely identifying a Credential that can be issued using the Access Token. These Credentials correspond to the same entry in the `credential_configurations_supported` Credential Issuer metadata but may contain different claims or subsets of claims. + example: + - CivilEngineeringDegree-2023 + - ElectricalEngineeringDegree-2023 + required: + - access_token + - token_type + - expires_in + TokenErrorResponse: + title: Token Error Response + type: object + properties: + error: + type: string + description: | + REQUIRED. Error code indicating the type of error that occurred. + enum: + - invalid_request + - invalid_grant + - invalid_client + - authorization_pending + - slow_down + error_description: + type: string + description: | + OPTIONAL. Human-readable ASCII text providing additional information about the error. + authorization_pending: + type: object + description: | + OPTIONAL. Detailed description for authorization_pending errors. + properties: + interval: + type: integer + description: | + OPTIONAL. The minimum amount of time in seconds that the Wallet needs to wait before sending a new request. Default value is 5 if not provided. + slow_down: + type: object + description: | + OPTIONAL. Detailed description for slow_down errors. + properties: + interval_increase: + type: integer + description: | + OPTIONAL. The amount of time in seconds by which to increase the polling interval. + required: + - error + CredentialRequest: + type: object + properties: + format: + type: string + description: | + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: | + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: | + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: | + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: | + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: | + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: | + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: | + REQUIRED. JWE enc algorithm for encrypting Credential Responses. + required: + - proof_type + - jwk + - alg + - enc + InTimeCredentialResponse: + title: InTime Credential Response + type: object + properties: + credential: + type: + - string + - object + description: | + OPTIONAL. Contains issued Credential. It MUST be present when transaction_id is not returned. It MAY be a string or an object, depending on the Credential format. + c_nonce: + type: string + description: | + OPTIONAL. String containing a nonce to be used to create a proof of possession of key material when requesting a Credential. The Wallet MUST use this nonce value for its subsequent Credential Requests until the Credential Issuer provides a fresh nonce. + c_nonce_expires_in: + type: number + description: | + OPTIONAL. Number denoting the lifetime in seconds of the c_nonce. + required: + - credential + InTimeCredentialErrorResponse: + title: InTime Credential Error Response + type: object + properties: + error: + type: string + description: | + REQUIRED. The error parameter SHOULD be a single ASCII error code from the following: + enum: + - invalid_credential_request + - unsupported_credential_type + - unsupported_credential_format + - invalid_proof + - invalid_encryption_parameters + error_description: + type: string + description: | + OPTIONAL. The error_description parameter MUST be a human-readable ASCII text, providing any additional information used to assist the Client implementers in understanding the occurred error. The values for the error_description parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E. + DeferredCredentialRequest: + title: Deferred Credential Request + type: object + properties: + transaction_id: + type: string + description: | + REQUIRED. String identifying a Deferred Issuance transaction. The Credential Issuer MUST invalidate the transaction_id after the Credential for which it was meant has been obtained by the Wallet. + required: + - transaction_id + DeferredCredentialResponse: + title: Deferred Credential Response + type: object + properties: + transaction_id: + type: string + description: | + OPTIONAL. String identifying a Deferred Issuance transaction. This claim is contained in the response if the Credential Issuer was unable to immediately issue the Credential. It MUST be present when the credential parameter is not returned. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. + c_nonce: + type: string + description: | + OPTIONAL. String containing a nonce to be used to create a proof of possession of key material when requesting a Credential. The Wallet MUST use this nonce value for its subsequent Credential Requests until the Credential Issuer provides a fresh nonce. + c_nonce_expires_in: + type: number + description: | + OPTIONAL. Number denoting the lifetime in seconds of the c_nonce. + required: + - transaction_id + DeferredCredentialErrorResponse: + title: Deferred Credential Error Response + type: object + properties: + error: + type: string + description: | + REQUIRED. Error code indicating the type of error that occurred. + enum: + - issuance_pending + - invalid_transaction_id + error_description: + type: string + description: | + OPTIONAL. Human-readable ASCII text providing additional information about the error. + issuance_pending: + type: object + description: | + Error response when the Credential issuance is still pending. + properties: + interval: + type: integer + description: | + OPTIONAL. The minimum amount of time in seconds that the Wallet needs to wait before sending a new request to the Deferred Credential Endpoint. Default value is 5 if not provided. + invalid_transaction_id: + type: string + description: | + Error response when the Deferred Credential Request contains an invalid transaction_id. + required: + - error +info: + contact: + name: EWC + url: 'https://eudiwalletconsortium.org/' + description: 'The EWC APIs are defined to be used across all wallet providers within EWC according the [EWC RFCs](https://github.com/EWC-consortium/eudi-wallet-rfcs).' + license: + name: Apache 2.0 + url: 'https://www.apache.org/licenses/LICENSE-2.0' + title: EWC APIs + version: 2024.3.1 +openapi: 3.1.0 +servers: + - description: Example server + url: 'https://example.com' +tags: + - description: 'This consists of endpoints for EWC RFC001: Issue Verifiable Credential' + name: 'EWC RFC001: Issue Verifiable Credential' + - description: 'This consists of endpoints for EWC RFC002: Present Verifiable Credential' + name: 'EWC RFC002: Present Verifiable Credential' +paths: + /rfc001/credential_offer: + get: + summary: Credential Offer Endpoint + description: The Credential Issuer sends Credential Offer using an HTTP GET request or an HTTP redirect to the Wallet's Credential Offer Endpoint + operationId: credentialOfferEndpoint + parameters: + - description: Object with the Credential Offer parameters. This MUST NOT be present when the `credential_offer_uri` parameter is present. + in: query + name: credential_offer + schema: + type: string + - description: String that is a URL using the https scheme referencing a resource containing a JSON object with the Credential Offer parameters. This MUST NOT be present when the `credential_offer` parameter is present. + in: query + name: credential_offer_uri + schema: + type: string + responses: + '200': + description: '' + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/CredentialOffer' + tags: + - 'EWC RFC001: Issue Verifiable Credential' + /rfc001/.well-known/openid-credential-issuer: + get: + summary: Credential Issuer Metadata + description: 'The credential issuer metdata contains information on the Credential Issuer''s technical capabilities, supported Credentials, and (internationalized) display information.' + operationId: credentialIssuerMetadata + responses: + '200': + description: '' + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/CredentialIssuerMetadata' + tags: + - 'EWC RFC001: Issue Verifiable Credential' + /rfc001/.well-known/oauth-authorization-server: + get: + summary: Authorisation Server Metadata + description: The Authorization server metadata contain metadata describing authorisation server configuration. + operationId: authorisationServerMetadata + responses: + '200': + description: '' + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorisationServerMetadata' + tags: + - 'EWC RFC001: Issue Verifiable Credential' + /rfc001/authorize: + get: + tags: + - 'EWC RFC001: Issue Verifiable Credential' + summary: Authorization Request + description: | + An Authorization Request is an OAuth 2.0 Authorization Request as defined in Section 4.1.1 of [RFC6749]. This request seeks to obtain authorization to access the Credential Endpoint. + operationId: authorizationRequest + parameters: + - name: response_type + in: query + required: true + schema: + type: string + description: | + REQUIRED. The value must be "code" to request an authorization code. + - name: client_id + in: query + required: true + schema: + type: string + description: | + REQUIRED. The identifier for the client making the request. + - name: code_challenge + in: query + required: true + schema: + type: string + description: | + REQUIRED. The code challenge used for Proof Key for Code Exchange (PKCE) as specified in OAuth 2.0 for Public Clients. + - name: code_challenge_method + in: query + required: true + schema: + type: string + description: | + OPTIONAL. The method used to transform the code verifier. Defaults to "plain" if not present. Possible values are "S256" or "plain", as defined in PKCE for OAuth 2.0. + - name: authorization_details + in: query + required: false + schema: + type: string + description: | + OPTIONAL. Provides fine-grained access details as specified in the OAuth 2.0 Rich Authorization Requests specification. The `authorization_details` parameter, as defined in Section 2 of [RFC9396], should be used to convey the specifics of the Credentials the Wallet intends to obtain. This specification introduces a new authorization details type, `openid_credential`. + - name: redirect_uri + in: query + required: false + schema: + type: string + description: | + OPTIONAL. The redirection endpoint where the authorization server will send the user-agent after authorization is complete. + - name: scope + in: query + required: false + schema: + type: string + description: | + OPTIONAL. Defines the scope of the Credential request. If the Wallet is unsure of the scope value, it can discover it using the 'scope' parameter from the Credential Issuer's metadata. This parameter assists in identifying the appropriate Credential configuration based on the Credential Offer or other parameters from the Credential Issuer. + - name: issuer_state + in: query + required: false + schema: + type: string + description: | + OPTIONAL. A string value representing a specific processing context at the Credential Issuer. This value is usually provided in a Credential Offer from the Credential Issuer to the Wallet and is used to pass the issuer_state value back to the Credential Issuer. + responses: + '302': + description: Authorization Response + headers: + Location: + schema: + type: string + description: | + The URL to which the user-agent will be redirected after successful authorization. This URL contains the authorization code and any additional parameters as specified in the OAuth 2.0 Authorization framework. + /rfc001/par: + post: + tags: + - 'EWC RFC001: Issue Verifiable Credential' + summary: Pushed Authorization Request + description: | + A Pushed Authorization Request (PAR) allows a client to submit its authorization request parameters to the authorization server in advance, providing a PAR endpoint that stores these parameters and returns a request URI. The client then uses this URI in its authorization request to the authorization endpoint. This method enhances security by avoiding the exposure of sensitive parameters in the URL. + operationId: pushedAuthorizationRequest + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + response_type: + type: string + description: | + REQUIRED. The value must be "code" to request an authorization code. + client_id: + type: string + description: | + REQUIRED. The identifier for the client making the request. + code_challenge: + type: string + description: | + REQUIRED. The code challenge used for Proof Key for Code Exchange (PKCE) as specified in OAuth 2.0 for Public Clients. + code_challenge_method: + type: string + description: | + OPTIONAL. The method used to transform the code verifier. Defaults to "plain" if not present. Possible values are "S256" or "plain", as defined in PKCE for OAuth 2.0. + authorization_details: + type: string + description: | + OPTIONAL. Provides fine-grained access details as specified in the OAuth 2.0 Rich Authorization Requests specification. The `authorization_details` parameter, as defined in Section 2 of [RFC9396], should be used to convey the specifics of the Credentials the Wallet intends to obtain. This specification introduces a new authorization details type, `openid_credential`. + redirect_uri: + type: string + description: | + OPTIONAL. The redirection endpoint where the authorization server will send the user-agent after authorization is complete. + scope: + type: string + description: | + OPTIONAL. Defines the scope of the Credential request. If the Wallet is unsure of the scope value, it can discover it using the 'scope' parameter from the Credential Issuer's metadata. This parameter assists in identifying the appropriate Credential configuration based on the Credential Offer or other parameters from the Credential Issuer. + issuer_state: + type: string + description: | + OPTIONAL. A string value representing a specific processing context at the Credential Issuer. This value is usually provided in a Credential Offer from the Credential Issuer to the Wallet and is used to pass the issuer_state value back to the Credential Issuer. + required: + - response_type + - client_id + - code_challenge + - code_challenge_method + required: true + responses: + '201': + description: Pushed Authorization Request Created + content: + application/json: + schema: + type: object + properties: + request_uri: + type: string + description: | + The URI that can be used in an authorization request to reference the parameters submitted in the PAR request. + expires_in: + type: integer + description: | + The lifetime in seconds of the request_uri. After this time, the request_uri will no longer be valid. + /rfc001/token: + post: + tags: + - 'EWC RFC001: Issue Verifiable Credential' + summary: Token request + requestBody: + required: true + content: + application/x-www-form-urlencoded: + schema: + oneOf: + - type: object + title: Token Request (for authorisation code grant) + properties: + grant_type: + type: string + description: | + The type of the grant being used. For example, 'authorization_code' indicates that the authorization code grant type is being used. + example: authorization_code + code: + type: string + description: | + The authorization code received from the authorization server in response to the authorization request. This code is used to obtain an access token from the token endpoint. + code_verifier: + type: string + description: | + The code verifier used in Proof Key for Code Exchange (PKCE). This is included in the token request to validate the code challenge that was used in the initial authorization request. + redirect_uri: + type: string + description: | + The redirect URI used in the authorization request. It must match the redirect URI used during the authorization request to ensure consistency and prevent attacks. + required: + - grant_type + - code + - $ref: '#/components/schemas/PreAuthorisedCodeTokenRequest' + responses: + '200': + description: Token response + content: + application/json: + schema: + $ref: '#/components/schemas/TokenResponse' + '400': + description: Error Response + content: + application/json: + schema: + $ref: '#/components/schemas/TokenErrorResponse' + /rfc001/credential: + post: + tags: + - 'EWC RFC001: Issue Verifiable Credential' + summary: Credential Request + requestBody: + required: true + content: + application/json: + schema: + oneOf: + - type: object + title: Credential Request (VC Signed as a JWT) + properties: + format: + type: string + description: | + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: | + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: | + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: | + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: | + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: | + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: | + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: | + REQUIRED. JWE enc algorithm for encrypting Credential Responses. + credential_definition: + type: object + description: | + REQUIRED when the format parameter is present in the Credential Request. MUST NOT be used otherwise. Contains the detailed description of the Credential type. + properties: + type: + type: array + description: | + REQUIRED. The credential issued by the Credential Issuer MUST contain at least the values listed in this claim. + credentialSubject: + type: object + description: | + OPTIONAL. + required: + - proof_type + - jwk + - alg + - enc + - credential_definition + - type: object + title: Credential Request (ISO mDL) + properties: + format: + type: string + description: | + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: | + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: | + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: | + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: | + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: | + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: | + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: | + REQUIRED. JWE enc algorithm for encrypting Credential Responses. + doctype: + type: string + description: | + REQUIRED when the format parameter is present in the Credential Request. MUST NOT be used otherwise. The Credential issued by the Credential Issuer MUST contain at least the values listed in this claim. + claims: + type: object + description: | + OPTIONAL. + required: + - proof_type + - jwk + - alg + - enc + - doctype + - type: object + title: Credential Request (IETF SD-JWT VC) + properties: + format: + type: string + description: | + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: | + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: | + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: | + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: | + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: | + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: | + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: | + REQUIRED. JWE enc algorithm for encrypting Credential Responses. + vct: + type: string + description: | + REQUIRED when the format parameter is present in the Credential Request. MUST NOT be used otherwise. This claim contains the type value of the Credential that the Wallet requests the Credential Issuer to issue. + claims: + type: object + description: | + OPTIONAL. + required: + - proof_type + - jwk + - alg + - enc + - vct + responses: + '200': + description: Credential response + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/InTimeCredentialResponse' + - $ref: '#/components/schemas/DeferredCredentialResponse' + '400': + description: Error Response + content: + application/json: + schema: + $ref: '#/components/schemas/InTimeCredentialErrorResponse' + /rfc001/deferred_credential: + post: + tags: + - 'EWC RFC001: Issue Verifiable Credential' + summary: Deferred Credential Request + parameters: + - in: header + name: Authorization + schema: + type: string + example: Bearer eyJ0eXAi...KTjcrDMg + description: Acceptance token from the credential response + requestBody: + required: true + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/DeferredCredentialRequest' + responses: + '200': + description: Credential response + content: + application/json: + schema: + $ref: '#/components/schemas/InTimeCredentialResponse' + '400': + description: Error Response + content: + application/json: + schema: + $ref: '#/components/schemas/DeferredCredentialErrorResponse' diff --git a/openapi-spec/definitions/rfc001/authorisationCodeGrant.yaml b/openapi-spec/definitions/rfc001/authorisationCodeGrant.yaml new file mode 100644 index 0000000..7734f8c --- /dev/null +++ b/openapi-spec/definitions/rfc001/authorisationCodeGrant.yaml @@ -0,0 +1,19 @@ +type: object +title: "Authorisation code grant" +properties: + authorization_code: + type: object + description: "Authorisation code grant" + properties: + issuer_state: + type: string + description: > + "OPTIONAL. String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent Authorization Request with the Credential Issuer to a context set up during previous steps. + If the Wallet decides to use the Authorization Code Flow and received a value for this parameter, it MUST include it in the subsequent Authorization Request to the Credential Issuer as the `issuer_state` parameter value" + authorization_server: + type: string + description: > + "OPTIONAL. String that the Wallet can use to identify the Authorization Server to use with this grant type when `authorization_servers` parameter in the Credential Issuer metadata has multiple entries. + It MUST NOT be used otherwise. The value of this parameter MUST match with one of the values in the `authorization_servers` array obtained from the Credential Issuer metadata." +required: + - authorization_code diff --git a/openapi-spec/definitions/rfc001/authorisationCodeTokenRequest.yaml b/openapi-spec/definitions/rfc001/authorisationCodeTokenRequest.yaml new file mode 100644 index 0000000..0e74e75 --- /dev/null +++ b/openapi-spec/definitions/rfc001/authorisationCodeTokenRequest.yaml @@ -0,0 +1,23 @@ +type: object +title: Token Request (for authorisation code grant) +properties: + grant_type: + type: string + description: | + The type of the grant being used. For example, 'authorization_code' indicates that the authorization code grant type is being used. + example: "authorization_code" + code: + type: string + description: | + The authorization code received from the authorization server in response to the authorization request. This code is used to obtain an access token from the token endpoint. + code_verifier: + type: string + description: | + The code verifier used in Proof Key for Code Exchange (PKCE). This is included in the token request to validate the code challenge that was used in the initial authorization request. + redirect_uri: + type: string + description: | + The redirect URI used in the authorization request. It must match the redirect URI used during the authorization request to ensure consistency and prevent attacks. +required: + - grant_type + - code diff --git a/openapi-spec/definitions/rfc001/authorisationDetails.yaml b/openapi-spec/definitions/rfc001/authorisationDetails.yaml new file mode 100644 index 0000000..a74bd37 --- /dev/null +++ b/openapi-spec/definitions/rfc001/authorisationDetails.yaml @@ -0,0 +1,25 @@ +title: Authorisation Details +type: object +properties: + type: + type: string + locations: + type: array + items: + type: string + format: + type: string + credential_definition: + type: object + properties: + type: + type: array + items: + type: string + required: + - type +required: + - type + - locations + - format + - credential_definition diff --git a/openapi-spec/definitions/rfc001/authorisationResponse.yaml b/openapi-spec/definitions/rfc001/authorisationResponse.yaml new file mode 100644 index 0000000..9077051 --- /dev/null +++ b/openapi-spec/definitions/rfc001/authorisationResponse.yaml @@ -0,0 +1,27 @@ +title: Authorisation response +type: object +properties: + state: + type: string + description: The client uses an opaque value to maintain the state between the request and callback. + client_id: + type: string + description: Decentralised identifier + redirect_uri: + type: string + description: For redirection of the response + response_type: + type: string + description: The value must be 'id_token' if the issuer requests DID authentication. + response_mode: + type: string + description: The value must be 'direct_post' + scope: + type: string + description: The value must be 'openid' + nonce: + type: string + description: A value used to associate a client session with an ID token and to mitigate replay attacks. + request_uri: + type: string + description: The authorisation server's private key signed the request. diff --git a/openapi-spec/definitions/rfc001/authorisationServerMetadata.yaml b/openapi-spec/definitions/rfc001/authorisationServerMetadata.yaml new file mode 100644 index 0000000..e819da0 --- /dev/null +++ b/openapi-spec/definitions/rfc001/authorisationServerMetadata.yaml @@ -0,0 +1,48 @@ +title: Authorisation Server Metadata +type: object +description: "As described in Chapter 3 of [OpenID Connect Discovery 1.0 specification](https://openid.net/specs/openid-connect-discovery-1_0.html)." +properties: + issuer: + type: string + description: REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. + authorization_endpoint: + type: string + description: REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. + pushed_authorization_request_endpoint: + type: string + description: The URL of the pushed authorization request endpoint at which a client can post an authorization request to exchange for a request_uri value usable at the authorization server. + require_pushed_authorization_requests: + type: boolean + description: Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR. If omitted, the default value is false. + token_endpoint: + type: string + description: URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. + jwks_uri: + type: string + description: REQUIRED. URL of the OP's JWK Set [JWK] document, which MUST use the https scheme. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. The JWK Set MUST NOT contain private or symmetric key values. + response_types_supported: + type: array + items: + type: string + description: REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. + subject_types_supported: + type: array + items: + type: string + description: REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. + id_token_signing_alg_values_supported: + type: array + items: + type: string + description: REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow). + pre-authorized_grant_anonymous_access_supported: + type: boolean + description: OPTIONAL. A boolean indicating whether the Credential Issuer accepts a Token Request with a Pre-Authorized Code but without a client_id. The default is false. +required: + - issuer + - authorization_endpoint + - token_endpoint + - jwks_uri + - response_types_supported + - subject_types_supported + - id_token_signing_alg_values_supported diff --git a/openapi-spec/definitions/rfc001/clientMetadata.yaml b/openapi-spec/definitions/rfc001/clientMetadata.yaml new file mode 100644 index 0000000..e25ff6e --- /dev/null +++ b/openapi-spec/definitions/rfc001/clientMetadata.yaml @@ -0,0 +1,37 @@ +title: Client Meta Data +type: object +properties: + vp_formats_supported: + type: object + properties: + jwt_vp: + type: object + properties: + alg: + type: array + items: + type: string + required: + - alg + jwt_vc: + type: object + properties: + alg: + type: array + items: + type: string + required: + - alg + required: + - jwt_vp + - jwt_vc + response_types_supported: + type: array + items: + type: string + authorization_endpoint: + type: string +required: + - vp_formats_supported + - response_types_supported + - authorization_endpoint diff --git a/openapi-spec/definitions/rfc001/credentialIssuerMetadata.yaml b/openapi-spec/definitions/rfc001/credentialIssuerMetadata.yaml new file mode 100644 index 0000000..ba27b4b --- /dev/null +++ b/openapi-spec/definitions/rfc001/credentialIssuerMetadata.yaml @@ -0,0 +1,102 @@ +title: Credential Issuer Metadata +type: object +properties: + credential_issuer: + type: string + description: REQUIRED. The Credential Issuer's identifier, as defined in Section 11.2.1. + authorization_servers: + type: string + description: > + OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [RFC8414]) the Credential Issuer relies on for authorization. + If this parameter is omitted, the entity providing the Credential Issuer is also acting as the Authorization Server, i.e., the Credential Issuer's identifier is used to obtain the Authorization Server metadata. + The actual OAuth 2.0 Authorization Server metadata is obtained from the oauth-authorization-server well-known location as defined in Section 3 of [RFC8414]. + When there are multiple entries in the array, the Wallet may be able to determine which Authorization Server to use by querying the metadata; for example, by examining the grant_types_supported values, the Wallet can filter the server to use based on the grant type it plans to use. + When the Wallet is using authorization_server parameter in the Credential Offer as a hint to determine which Authorization Server to use out of multiple, the Wallet MUST NOT proceed with the flow if the authorization_server Credential Offer parameter value does not match any of the entries in the authorization_servers array. + credential_endpoint: + type: string + description: REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. + deferred_credential_endpoint: + type: string + description: OPTIONAL. URL of the Credential Issuer's Deferred Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Deferred Credential Endpoint. + batch_credential_endpoint: + type: string + description: OPTIONAL. URL of the Credential Issuer's Batch Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Batch Credential Endpoint. + notification_endpoint: + type: string + description: OPTIONAL. URL of the Credential Issuer's Notification Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Notification Endpoint. + credential_response_encryption: + type: object + description: OPTIONAL. Object containing information about whether the Credential Issuer supports encryption of the Credential and Batch Credential Response on top of TLS. + properties: + alg_values_supported: + type: array + description: > + REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519]. + items: + type: string + enc_values_supported: + description: > + REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519]. + type: array + items: + type: string + encryption_required: + description: > + REQUIRED. Boolean value specifying whether the Credential Issuer requires the additional encryption on top of TLS for the Credential Response. + If the value is true, the Credential Issuer requires encryption for every Credential Response and therefore the Wallet MUST provide encryption keys in the Credential Request. + If the value is false, the Wallet MAY chose whether it provides encryption keys or not. + type: boolean + + display: + type: array + description: OPTIONAL. Array of objects, where each object contains display properties of a Credential Issuer for a certain language. + items: + type: object + properties: + name: + type: string + description: OPTIONAL. String value of a display name for the Credential Issuer. + locale: + type: string + description: String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. There MUST be only one object for each language identifier. + logo: + type: object + description: OPTIONAL. Object with information about the logo of the Credential Issuer. + properties: + uri: + type: string + description: > + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + alt_text: + type: string + description: > + OPTIONAL. String value of the alternative text for the logo image. + required: + - uri + - alt_text + credential_identifiers_supported: + type: boolean + description: > + OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. + If omitted, the default value is false. + signed_metadata: + type: string + description: > + OPTIONAL. String that is a signed JWT. + This JWT contains Credential Issuer metadata parameters as claims. + The signed metadata MUST be secured using JSON Web Signature (JWS) [RFC7515] and MUST contain an iat (Issued At) claim, an iss (Issuer) claim denoting the party attesting to the claims in the signed metadata, and sub (Subject) claim matching the Credential Issuer identifier. + If the Wallet supports signed metadata, metadata values conveyed in the signed JWT MUST take precedence over the corresponding values conveyed using plain JSON elements. + If the Credential Issuer wants to enforce use of signed metadata, it omits the respective metadata parameters from the unsigned part of the Credential Issuer metadata. + A signed_metadata metadata value MUST NOT appear as a claim in the JWT. + The Wallet MUST establish trust in the signer of the metadata, and obtain the keys to validate the signature before processing the metadata. + The concrete mechanism how to do that is out of scope of this specification and MAY be defined in the profiles of this specification. + credential_configurations_supported: + oneOf: + - $ref: "../../definitions/rfc001/jwtVcJsonCredentialConfiguration.yaml" + - $ref: "../../definitions/rfc001/ietfSdJwtVcCredentialConfiguration.yaml" + - $ref: "../../definitions/rfc001/msoMdocCredentialConfiguration.yaml" +required: + - credential_issuer + - authorization_servers + - credential_endpoint + - credential_configurations_supported diff --git a/openapi-spec/definitions/rfc001/credentialOffer.yaml b/openapi-spec/definitions/rfc001/credentialOffer.yaml new file mode 100644 index 0000000..ee9f93b --- /dev/null +++ b/openapi-spec/definitions/rfc001/credentialOffer.yaml @@ -0,0 +1,24 @@ +title: Credential Offer +type: object +properties: + credential_issuer: + type: string + description: > + "REQUIRED. The URL of the Credential Issuer, from which the Wallet is requested to obtain one or more Credentials. + The Wallet can also use it to obtain the Credential Issuer's Metadata." + credential_configuration_ids: + type: array + item: + type: string + description: > + "REQUIRED. Array of unique strings that each identify one of the keys in the name/value pairs stored in the `credential_configurations_supported` Credential Issuer metadata. + The Wallet uses these string values to obtain the respective object that contains information about the Credential being offered. + For example, these string values can be used to obtain scope values to be used in the Authorization Request." + grants: + oneOf: + - $ref: "./../../definitions/rfc001/authorisationCodeGrant.yaml" + - $ref: "./../../definitions/rfc001/preAuthorisedCodeGrant.yaml" +required: + - credential_issuer + - credential_configuration_ids + - grants diff --git a/openapi-spec/definitions/rfc001/credentialRequest.yaml b/openapi-spec/definitions/rfc001/credentialRequest.yaml new file mode 100644 index 0000000..cabbb8d --- /dev/null +++ b/openapi-spec/definitions/rfc001/credentialRequest.yaml @@ -0,0 +1,41 @@ +type: object +properties: + format: + type: string + description: > + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: > + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: > + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: > + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: > + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: > + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: > + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: > + REQUIRED. JWE enc algorithm for encrypting Credential Responses. +required: + - proof_type + - jwk + - alg + - enc diff --git a/openapi-spec/definitions/rfc001/deferredCredentialErrorResponse.yaml b/openapi-spec/definitions/rfc001/deferredCredentialErrorResponse.yaml new file mode 100644 index 0000000..baf5bb4 --- /dev/null +++ b/openapi-spec/definitions/rfc001/deferredCredentialErrorResponse.yaml @@ -0,0 +1,32 @@ +title: Deferred Credential Error Response +type: object +properties: + error: + type: string + description: > + REQUIRED. Error code indicating the type of error that occurred. + enum: + - issuance_pending + - invalid_transaction_id + error_description: + type: string + description: > + OPTIONAL. Human-readable ASCII text providing additional information + about the error. + issuance_pending: + type: object + description: > + Error response when the Credential issuance is still pending. + properties: + interval: + type: integer + description: > + OPTIONAL. The minimum amount of time in seconds that the Wallet + needs to wait before sending a new request to the Deferred Credential Endpoint. + Default value is 5 if not provided. + invalid_transaction_id: + type: string + description: > + Error response when the Deferred Credential Request contains an invalid transaction_id. +required: + - error diff --git a/openapi-spec/definitions/rfc001/deferredCredentialRequest.yaml b/openapi-spec/definitions/rfc001/deferredCredentialRequest.yaml new file mode 100644 index 0000000..d63ec92 --- /dev/null +++ b/openapi-spec/definitions/rfc001/deferredCredentialRequest.yaml @@ -0,0 +1,11 @@ +title: Deferred Credential Request +type: object +properties: + transaction_id: + type: string + description: > + REQUIRED. String identifying a Deferred Issuance transaction. + The Credential Issuer MUST invalidate the transaction_id after the Credential for which + it was meant has been obtained by the Wallet. +required: + - transaction_id diff --git a/openapi-spec/definitions/rfc001/deferredCredentialResponse.yaml b/openapi-spec/definitions/rfc001/deferredCredentialResponse.yaml new file mode 100644 index 0000000..4622129 --- /dev/null +++ b/openapi-spec/definitions/rfc001/deferredCredentialResponse.yaml @@ -0,0 +1,22 @@ +title: Deferred Credential Response +type: object +properties: + transaction_id: + type: string + description: > + OPTIONAL. String identifying a Deferred Issuance transaction. This claim is contained in the response + if the Credential Issuer was unable to immediately issue the Credential. + It MUST be present when the credential parameter is not returned. + It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. + c_nonce: + type: string + description: > + OPTIONAL. String containing a nonce to be used to create a proof of possession of key material when + requesting a Credential. The Wallet MUST use this nonce value for its subsequent Credential Requests + until the Credential Issuer provides a fresh nonce. + c_nonce_expires_in: + type: number + description: > + OPTIONAL. Number denoting the lifetime in seconds of the c_nonce. +required: + - transaction_id diff --git a/openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialConfiguration.yaml b/openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialConfiguration.yaml new file mode 100644 index 0000000..4ba2ca8 --- /dev/null +++ b/openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialConfiguration.yaml @@ -0,0 +1,107 @@ +title: IETF SD-JWT VC +required: + - vct + - format +type: object +properties: + vct: + type: string + description: REQUIRED. String designating the type of a Credential, as defined in [I-D.ietf-oauth-sd-jwt-vc]. + claims: + description: > + OPTIONAL. Object containing a list of name/value pairs, where each name identifies a claim about the subject offered in the Credential. + The value can be another such object (nested data structures), or an array of such objects. + type: object + additionalProperties: true + order: + type: array + items: + type: string + description: OPTIONAL. An array of the claim name values that lists them in the order they should be displayed by the Wallet. + format: + type: string + description: > + REQUIRED. A JSON string identifying the format of this Credential, i.e., `jwt_vc_json` or `mso_mdoc` or `vc+sd-jwt`. + Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the Credential MAY contain and information about how to display the Credential. + scope: + type: string + description: > + OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. + The value can be the same across multiple credential_configurations_supported objects. + The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. + The Wallet can use this value in the Authorization Request. + Scope values in this Credential Issuer metadata MAY duplicate those in the `scopes_supported parameter` of the Authorization Server. + cryptographic_binding_methods_supported: + type: array + items: + type: string + description: > + OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. Support for keys in JWK format [RFC7517] is indicated by the value jwk. + Support for keys expressed as a COSE Key object [RFC8152] (for example, used in [ISO.18013-5]) is indicated by the value cose_key. When the Cryptographic Binding Method is a DID, valid values are a did: prefix followed by a method-name using a syntax as defined in Section 3.1 of [DID-Core], but without a :and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by did:example. + credential_signing_alg_values_supported: + description: > + OPTIONAL. Array of case sensitive strings that identify the algorithms that the Issuer uses to sign the issued Credential. + type: array + items: + type: string + proof_types_supported: + description: > + Object that describes specifics of the key proof(s) that the Credential Issuer supports. + This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). + This identifier is also used by the Wallet in the Credential Request. + type: object + properties: + proof_signing_alg_values_supported: + description: > + REQUIRED. Array of case sensitive strings that identify the algorithms that the Issuer supports for this proof type. + The Wallet uses one of them to sign the proof. + type: array + items: + type: string + display: + type: object + description: Array of objects, where each object contains the display properties of the supported Credential for a certain language. + properties: + name: + description: REQUIRED. String value of a display name for the Credential. + type: string + locale: + type: string + description: > + OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. + Multiple display objects MAY be included for separate languages. + There MUST be only one object for each language identifier. + logo: + type: object + description: > + OPTIONAL. Object with information about the logo of the Credential. + properties: + uri: + type: string + description: > + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc + alt_text: + type: string + description: > + OPTIONAL. String value of the alternative text for the logo image. + description: + type: string + description: > + OPTIONAL. String value of a description of the Credential. + background_color: + type: string + description: > + OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + background_image: + type: object + description: > + OPTIONAL. Object with information about the background image of the Credential. + properties: + uri: + description: > + REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + type: string + text_color: + type: string + description: > + OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. \ No newline at end of file diff --git a/openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialRequest.yaml b/openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialRequest.yaml new file mode 100644 index 0000000..a93b9d5 --- /dev/null +++ b/openapi-spec/definitions/rfc001/ietfSdJwtVcCredentialRequest.yaml @@ -0,0 +1,51 @@ +type: object +title: Credential Request (IETF SD-JWT VC) +properties: + format: + type: string + description: > + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: > + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: > + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: > + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: > + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: > + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: > + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: > + REQUIRED. JWE enc algorithm for encrypting Credential Responses. + vct: + type: string + description: > + REQUIRED when the format parameter is present in the Credential Request. MUST NOT be used otherwise. This claim contains the type value of the Credential that the Wallet requests the Credential Issuer to issue. + claims: + type: object + description: > + OPTIONAL. +required: + - proof_type + - jwk + - alg + - enc + - vct diff --git a/openapi-spec/definitions/rfc001/inTimeCredentialErrorResponse.yaml b/openapi-spec/definitions/rfc001/inTimeCredentialErrorResponse.yaml new file mode 100644 index 0000000..34871b8 --- /dev/null +++ b/openapi-spec/definitions/rfc001/inTimeCredentialErrorResponse.yaml @@ -0,0 +1,19 @@ +title: InTime Credential Error Response +type: object +properties: + error: + type: string + description: > + REQUIRED. The error parameter SHOULD be a single ASCII error code from the following: + enum: + - invalid_credential_request + - unsupported_credential_type + - unsupported_credential_format + - invalid_proof + - invalid_encryption_parameters + error_description: + type: string + description: > + OPTIONAL. The error_description parameter MUST be a human-readable ASCII text, providing any additional information + used to assist the Client implementers in understanding the occurred error. + The values for the error_description parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E. diff --git a/openapi-spec/definitions/rfc001/inTimeCredentialResponse.yaml b/openapi-spec/definitions/rfc001/inTimeCredentialResponse.yaml new file mode 100644 index 0000000..67a59ff --- /dev/null +++ b/openapi-spec/definitions/rfc001/inTimeCredentialResponse.yaml @@ -0,0 +1,20 @@ +title: InTime Credential Response +type: object +properties: + credential: + type: [string, object] + description: > + OPTIONAL. Contains issued Credential. It MUST be present when transaction_id is not returned. + It MAY be a string or an object, depending on the Credential format. + c_nonce: + type: string + description: > + OPTIONAL. String containing a nonce to be used to create a proof of possession of key material when + requesting a Credential. The Wallet MUST use this nonce value for its subsequent Credential Requests + until the Credential Issuer provides a fresh nonce. + c_nonce_expires_in: + type: number + description: > + OPTIONAL. Number denoting the lifetime in seconds of the c_nonce. +required: + - credential diff --git a/openapi-spec/definitions/rfc001/jwtVcJsonCredentialConfiguration.yaml b/openapi-spec/definitions/rfc001/jwtVcJsonCredentialConfiguration.yaml new file mode 100644 index 0000000..e96f5ca --- /dev/null +++ b/openapi-spec/definitions/rfc001/jwtVcJsonCredentialConfiguration.yaml @@ -0,0 +1,113 @@ +title: VC Signed as a JWT +required: + - credential_definition + - format +type: object +properties: + order: + type: array + description: OPTIONAL. Array of the claim name values that lists them in the order they should be displayed by the Wallet. + items: + type: string + credential_definition: + description: REQUIRED. Object containing the detailed description of the Credential type. + type: object + properties: + type: + type: array + items: + type: string + description: REQUIRED. Array designating the types a certain Credential type supports, according to [VC_DATA], Section 4.3. + credentialSubject: + type: object + description: > + OPTIONAL. Object containing a list of name/value pairs, where each name identifies a claim offered in the Credential. + The value can be another such object (nested data structures), or an array of such objects. + additionalProperties: true + format: + type: string + description: > + REQUIRED. A JSON string identifying the format of this Credential, i.e., `jwt_vc_json` or `mso_mdoc` or `vc+sd-jwt`. + Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the Credential MAY contain and information about how to display the Credential. + scope: + type: string + description: > + OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. + The value can be the same across multiple credential_configurations_supported objects. + The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. + The Wallet can use this value in the Authorization Request. + Scope values in this Credential Issuer metadata MAY duplicate those in the `scopes_supported parameter` of the Authorization Server. + cryptographic_binding_methods_supported: + type: array + items: + type: string + description: > + OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. Support for keys in JWK format [RFC7517] is indicated by the value jwk. + Support for keys expressed as a COSE Key object [RFC8152] (for example, used in [ISO.18013-5]) is indicated by the value cose_key. When the Cryptographic Binding Method is a DID, valid values are a did: prefix followed by a method-name using a syntax as defined in Section 3.1 of [DID-Core], but without a :and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by did:example. + credential_signing_alg_values_supported: + description: > + OPTIONAL. Array of case sensitive strings that identify the algorithms that the Issuer uses to sign the issued Credential. + type: array + items: + type: string + proof_types_supported: + description: > + Object that describes specifics of the key proof(s) that the Credential Issuer supports. + This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). + This identifier is also used by the Wallet in the Credential Request. + type: object + properties: + proof_signing_alg_values_supported: + description: > + REQUIRED. Array of case sensitive strings that identify the algorithms that the Issuer supports for this proof type. + The Wallet uses one of them to sign the proof. + type: array + items: + type: string + display: + type: object + description: Array of objects, where each object contains the display properties of the supported Credential for a certain language. + properties: + name: + description: REQUIRED. String value of a display name for the Credential. + type: string + locale: + type: string + description: > + OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. + Multiple display objects MAY be included for separate languages. + There MUST be only one object for each language identifier. + logo: + type: object + description: > + OPTIONAL. Object with information about the logo of the Credential. + properties: + uri: + type: string + description: > + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc + alt_text: + type: string + description: > + OPTIONAL. String value of the alternative text for the logo image. + description: + type: string + description: > + OPTIONAL. String value of a description of the Credential. + background_color: + type: string + description: > + OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + background_image: + type: object + description: > + OPTIONAL. Object with information about the background image of the Credential. + properties: + uri: + description: > + REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + type: string + text_color: + type: string + description: > + OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. diff --git a/openapi-spec/definitions/rfc001/jwtVcJsonCredentialRequest.yaml b/openapi-spec/definitions/rfc001/jwtVcJsonCredentialRequest.yaml new file mode 100644 index 0000000..efabbee --- /dev/null +++ b/openapi-spec/definitions/rfc001/jwtVcJsonCredentialRequest.yaml @@ -0,0 +1,56 @@ +type: object +title: Credential Request (VC Signed as a JWT) +properties: + format: + type: string + description: > + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: > + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: > + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: > + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: > + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: > + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: > + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: > + REQUIRED. JWE enc algorithm for encrypting Credential Responses. + credential_definition: + type: object + description: > + REQUIRED when the format parameter is present in the Credential Request. MUST NOT be used otherwise. Contains the detailed description of the Credential type. + properties: + type: + type: array + description: > + REQUIRED. The credential issued by the Credential Issuer MUST contain at least the values listed in this claim. + credentialSubject: + type: object + description: > + OPTIONAL. +required: + - proof_type + - jwk + - alg + - enc + - credential_definition diff --git a/openapi-spec/definitions/rfc001/msoMdocCredentialConfiguration.yaml b/openapi-spec/definitions/rfc001/msoMdocCredentialConfiguration.yaml new file mode 100644 index 0000000..7a3ac47 --- /dev/null +++ b/openapi-spec/definitions/rfc001/msoMdocCredentialConfiguration.yaml @@ -0,0 +1,107 @@ +title: ISO mDL +required: + - doctype + - format +type: object +properties: + doctype: + type: string + description: REQUIRED. String identifying the Credential type, as defined in [ISO.18013-5]. + order: + type: array + items: + type: string + description: OPTIONAL. Array of namespaced claim name values that lists them in the order they should be displayed by the Wallet. The values MUST be two strings separated by a tilde ('~') character, where the first string is a namespace value and a second is a claim name value. For example, `org.iso.18013.5.1~given_name". + claims: + type: object + additionalProperties: true + description: > + OPTIONAL. Object containing a list of name/value pairs, where the name is a certain namespace as defined in [ISO.18013-5] (or any profile of it), and the value is an object. + This object also contains a list of name/value pairs, where the name is a claim name value that is defined in the respective namespace and is offered in the Credential. + format: + type: string + description: > + REQUIRED. A JSON string identifying the format of this Credential, i.e., `jwt_vc_json` or `mso_mdoc` or `vc+sd-jwt`. + Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the Credential MAY contain and information about how to display the Credential. + scope: + type: string + description: > + OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. + The value can be the same across multiple credential_configurations_supported objects. + The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. + The Wallet can use this value in the Authorization Request. + Scope values in this Credential Issuer metadata MAY duplicate those in the `scopes_supported parameter` of the Authorization Server. + cryptographic_binding_methods_supported: + type: array + items: + type: string + description: > + OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. Support for keys in JWK format [RFC7517] is indicated by the value jwk. + Support for keys expressed as a COSE Key object [RFC8152] (for example, used in [ISO.18013-5]) is indicated by the value cose_key. When the Cryptographic Binding Method is a DID, valid values are a did: prefix followed by a method-name using a syntax as defined in Section 3.1 of [DID-Core], but without a :and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by did:example. + credential_signing_alg_values_supported: + description: > + OPTIONAL. Array of case sensitive strings that identify the algorithms that the Issuer uses to sign the issued Credential. + type: array + items: + type: string + proof_types_supported: + description: > + Object that describes specifics of the key proof(s) that the Credential Issuer supports. + This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). + This identifier is also used by the Wallet in the Credential Request. + type: object + properties: + proof_signing_alg_values_supported: + description: > + REQUIRED. Array of case sensitive strings that identify the algorithms that the Issuer supports for this proof type. + The Wallet uses one of them to sign the proof. + type: array + items: + type: string + display: + type: object + description: Array of objects, where each object contains the display properties of the supported Credential for a certain language. + properties: + name: + description: REQUIRED. String value of a display name for the Credential. + type: string + locale: + type: string + description: > + OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. + Multiple display objects MAY be included for separate languages. + There MUST be only one object for each language identifier. + logo: + type: object + description: > + OPTIONAL. Object with information about the logo of the Credential. + properties: + uri: + type: string + description: > + REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc + alt_text: + type: string + description: > + OPTIONAL. String value of the alternative text for the logo image. + description: + type: string + description: > + OPTIONAL. String value of a description of the Credential. + background_color: + type: string + description: > + OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. + background_image: + type: object + description: > + OPTIONAL. Object with information about the background image of the Credential. + properties: + uri: + description: > + REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. + type: string + text_color: + type: string + description: > + OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color]. diff --git a/openapi-spec/definitions/rfc001/msoMdocCredentialRequest.yaml b/openapi-spec/definitions/rfc001/msoMdocCredentialRequest.yaml new file mode 100644 index 0000000..b189575 --- /dev/null +++ b/openapi-spec/definitions/rfc001/msoMdocCredentialRequest.yaml @@ -0,0 +1,51 @@ +type: object +title: Credential Request (ISO mDL) +properties: + format: + type: string + description: > + REQUIRED when the credential_identifiers parameter was not returned from the Token Response. MUST NOT be used otherwise. + proof: + type: object + description: > + OPTIONAL. Contains the proof of possession of the cryptographic key material the issued Credential would be bound to. + properties: + proof_type: + type: string + description: > + REQUIRED. Denotes the key proof type. + credential_identifier: + type: string + description: > + REQUIRED when credential_identifiers parameter was returned from the Token Response. MUST NOT be used otherwise. + credential_response_encryption: + type: object + description: > + OPTIONAL. Contains information for encrypting the Credential Response. + properties: + jwk: + type: object + description: > + REQUIRED. Contains a single public key as a JWK used for encrypting the Credential Response. + alg: + type: string + description: > + REQUIRED. JWE alg algorithm for encrypting Credential Responses. + enc: + type: string + description: > + REQUIRED. JWE enc algorithm for encrypting Credential Responses. + doctype: + type: string + description: > + REQUIRED when the format parameter is present in the Credential Request. MUST NOT be used otherwise. The Credential issued by the Credential Issuer MUST contain at least the values listed in this claim. + claims: + type: object + description: > + OPTIONAL. +required: + - proof_type + - jwk + - alg + - enc + - doctype \ No newline at end of file diff --git a/openapi-spec/definitions/rfc001/preAuthorisedCodeGrant.yaml b/openapi-spec/definitions/rfc001/preAuthorisedCodeGrant.yaml new file mode 100644 index 0000000..4d003dc --- /dev/null +++ b/openapi-spec/definitions/rfc001/preAuthorisedCodeGrant.yaml @@ -0,0 +1,40 @@ +type: object +title: "Pre-authorised code grant" +properties: + urn:ietf:params:oauth:grant-type:pre-authorized_code: + description: "Pre-authorised code grant" + type: object + properties: + pre-authorized_code: + type: string + description: > + "REQUIRED. The code representing the Credential Issuer's authorization for the Wallet to obtain Credentials of a certain type. + This code MUST be short lived and single use. If the Wallet decides to use the Pre-Authorized Code Flow, this parameter value MUST be included in the subsequent Token Request with the Pre-Authorized Code Flow." + tx_code: + type: object + description: > + "OPTIONAL. Object specifying whether the Authorization Server expects presentation of a Transaction Code by the End-User along with the Token Request in a Pre-Authorized Code Flow. + If the Authorization Server does not expect a Transaction Code, this object is absent; this is the default. + The Transaction Code is intended to bind the Pre-Authorized Code to a certain transaction to prevent replay of this code by an attacker that, for example, scanned the QR code while standing behind the legitimate End-User. + It is RECOMMENDED to send the Transaction Code via a separate channel. If the Wallet decides to use the Pre-Authorized Code Flow, the Transaction Code value MUST be sent in the tx_code parameter with the respective Token Request. + If no length or description is given, this object may be empty, indicating that a Transaction Code is required." + properties: + input_mode: + type: string + description: > + "OPTIONAL. String specifying the input character set. + Possible values are numeric (only digits) and text (any characters). + The default is numeric." + length: + type: integer + description: > + "OPTIONAL. Integer specifying the length of the Transaction Code. + This helps the Wallet to render the input screen and improve the user experience." + description: + type: string + description: > + "OPTIONAL. String containing guidance for the Holder of the Wallet on how to obtain the Transaction Code, e.g., describing over which communication channel it is delivered. + The Wallet is RECOMMENDED to display this description next to the Transaction Code input screen to improve the user experience. + The length of the string MUST NOT exceed 300 characters. The description does not support internationalization, however the Issuer MAY detect the Holder's language by previous communication or an HTTP Accept-Language header within an HTTP GET request for a Credential Offer URI." +required: + - urn:ietf:params:oauth:grant-type:pre-authorized_code \ No newline at end of file diff --git a/openapi-spec/definitions/rfc001/preAuthorisedCodeTokenRequest.yaml b/openapi-spec/definitions/rfc001/preAuthorisedCodeTokenRequest.yaml new file mode 100644 index 0000000..c2af67d --- /dev/null +++ b/openapi-spec/definitions/rfc001/preAuthorisedCodeTokenRequest.yaml @@ -0,0 +1,20 @@ +type: object +title: Token Request (for pre-authorised code grant) +properties: + grant_type: + type: string + description: | + The type of grant being used. For pre-authorized code flow, this must be set to 'urn:ietf:params:oauth:grant-type:pre-authorized_code'. + example: "urn:ietf:params:oauth:grant-type:pre-authorized_code" + pre-authorized_code: + type: string + description: | + The pre-authorized code issued by the authorization server. This code is used to request an access token. + tx_code: + type: string + description: | + A transaction code that helps identify and correlate the request with the original authorization transaction. +required: + - grant_type + - pre-authorized_code + - tx_code \ No newline at end of file diff --git a/openapi-spec/definitions/rfc001/presentationSubmission.yaml b/openapi-spec/definitions/rfc001/presentationSubmission.yaml new file mode 100644 index 0000000..a76618f --- /dev/null +++ b/openapi-spec/definitions/rfc001/presentationSubmission.yaml @@ -0,0 +1,39 @@ +type: object +properties: + definition_id: + type: string + descriptor_map: + type: array + items: + type: object + properties: + format: + type: string + id: + type: string + path: + type: string + path_nested: + type: object + properties: + format: + type: string + id: + type: string + path: + type: string + required: + - format + - id + - path + required: + - format + - id + - path + - path_nested + id: + type: string +required: + - definition_id + - descriptor_map + - id diff --git a/openapi-spec/definitions/rfc001/tokenErrorResponse.yaml b/openapi-spec/definitions/rfc001/tokenErrorResponse.yaml new file mode 100644 index 0000000..55ff305 --- /dev/null +++ b/openapi-spec/definitions/rfc001/tokenErrorResponse.yaml @@ -0,0 +1,39 @@ +title: Token Error Response +type: object +properties: + error: + type: string + description: > + REQUIRED. Error code indicating the type of error that occurred. + enum: + - invalid_request + - invalid_grant + - invalid_client + - authorization_pending + - slow_down + error_description: + type: string + description: > + OPTIONAL. Human-readable ASCII text providing additional information + about the error. + authorization_pending: + type: object + description: > + OPTIONAL. Detailed description for authorization_pending errors. + properties: + interval: + type: integer + description: > + OPTIONAL. The minimum amount of time in seconds that the Wallet + needs to wait before sending a new request. Default value is 5 if not provided. + slow_down: + type: object + description: > + OPTIONAL. Detailed description for slow_down errors. + properties: + interval_increase: + type: integer + description: > + OPTIONAL. The amount of time in seconds by which to increase the polling interval. +required: + - error diff --git a/openapi-spec/definitions/rfc001/tokenResponse.yaml b/openapi-spec/definitions/rfc001/tokenResponse.yaml new file mode 100644 index 0000000..8c604b3 --- /dev/null +++ b/openapi-spec/definitions/rfc001/tokenResponse.yaml @@ -0,0 +1,56 @@ +type: object +title: "Token Response" +properties: + access_token: + type: string + description: | + The access token issued by the authorization server. This token is used to access protected resources. + example: "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ" + token_type: + type: string + description: | + The type of the token issued. Typically this is "bearer". + example: "bearer" + expires_in: + type: integer + description: | + The lifetime in seconds of the access token. After this time, the token will expire and a new one must be requested. + example: 86400 + c_nonce: + type: string + description: | + OPTIONAL. A nonce used when creating proof of possession of the key proof. This nonce must be used for subsequent requests until a fresh nonce is provided by the Credential Issuer. + example: "tZignsnFbp" + c_nonce_expires_in: + type: integer + description: | + OPTIONAL. The lifetime in seconds of the `c_nonce`. After this time, the `c_nonce` will expire. + example: 86400 + authorization_details: + type: array + items: + type: object + properties: + type: + type: string + description: | + REQUIRED. The type of authorization details. Must be "openid_credential" when used to request issuance of a specific Credential type. + example: "openid_credential" + credential_configuration_id: + type: string + description: | + REQUIRED when `authorization_details` is used. The identifier for the Credential configuration. + example: "UniversityDegreeCredential" + credential_identifiers: + type: array + items: + type: string + description: | + OPTIONAL. An array of strings, each uniquely identifying a Credential that can be issued using the Access Token. These Credentials correspond to the same entry in the `credential_configurations_supported` Credential Issuer metadata but may contain different claims or subsets of claims. + example: + - "CivilEngineeringDegree-2023" + - "ElectricalEngineeringDegree-2023" +required: + - access_token + - token_type + - expires_in diff --git a/openapi-spec/ewc.yaml b/openapi-spec/ewc.yaml deleted file mode 100644 index 26fd2b4..0000000 --- a/openapi-spec/ewc.yaml +++ /dev/null @@ -1,1061 +0,0 @@ -info: - contact: - name: EWC - url: https://eudiwalletconsortium.org/ - description: The EWC APIs are defined to be used across all wallet providers within EWC according the [EWC RFCs](https://github.com/EWC-consortium/eudi-wallet-rfcs). - license: - name: Apache 2.0 - url: https://www.apache.org/licenses/LICENSE-2.0 - title: EWC APIs - version: 2024.3.1 -openapi: 3.0.3 -servers: - - description: Wallet server - url: https://wallet.example.com -tags: - - description: This consists of endpoints for an issuer - name: issuer - - description: This consists of endpoints for a verifier - name: verifier -paths: - /credential-offer/{credentialOfferId}: - get: - summary: Credential offer - description: Credential offer - operationId: credentialOffer - parameters: - - description: Unique ID for the credential offer - in: path - name: credentialOfferId - required: true - schema: - type: string - responses: - "200": - description: "" - content: - application/json: - schema: - oneOf: - - $ref: "#/components/schemas/OpenIdCredentialOffer" - - $ref: "#/components/schemas/EbsiCredentialOffer" - - tags: - - issuer - /.well-known/openid-credential-issuer: - get: - summary: Discover well-known OpenID credential issuer configuration endpoint - description: Discover well-known OpenID credential issuer configuration endpoint - operationId: discoverWellKnownOpenIdCredentialIssuerConfiguration - responses: - "200": - description: "" - content: - application/json: - schema: - oneOf: - - $ref: "#/components/schemas/WellKnownOpenIdIssuerConfiguration" - - $ref: "#/components/schemas/WellKnownEBSIIssuerConfiguration" - - tags: - - issuer - /.well-known/oauth-authorization-server: - get: - summary: Discover well-known OpenID authorisation server configuration endpoint - description: Discover well-known OpenID authorisation server configuration endpoint - operationId: discoverWellKnownOpenIdAuthorisationIssuerConfiguration - responses: - "200": - description: "" - content: - application/json: - schema: - $ref: "#/components/schemas/WellKnownOpenIdAuthorisationServerConfiguration" - - tags: - - issuer - /auth/authorize: - get: - tags: - - issuer - summary: Authorisation request - description: Authorisation request - operationId: authorisationRequest - parameters: - - name: response_type - in: query - required: true - schema: - type: string - example: code - description: The value must be 'code' - - name: scope - in: query - required: true - schema: - type: string - example: openid - description: The value must be 'openid' - - name: state - in: query - required: true - schema: - type: string - example: client-state - description: The client uses an opaque value to maintain the state between the request and callback. - - name: client_id - in: query - required: true - schema: - type: string - example: did:key:z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9KbsEYvdrjxMjQ4tpnje9BDBTzuNDP3knn6qLZErzd4bJ5go2CChoPjd5GAH3zpFJP5fuwSk66U5Pq6EhF4nKnHzDnznEP8fX99nZGgwbAh1o7Gj1X52Tdhf7U4KTk66xsA5r - description: Decentralised identifier - - name: authorization_details - in: query - required: true - schema: - type: string - example: | - [ - { - "format": "jwt_vc", - "locations": [ - "https://issuer.example.com" - ], - "type": "openid_credential", - "types": [ - "VerifiableCredential", - "VerifiableAttestation", - "VerifiablePortableDocumentA1" - ] - } - ] - description: | - As specified in OAuth 2.0 Rich Authorization Requests specification to specify fine-grained access. - - name: redirect_uri - in: query - required: true - schema: - type: string - example: "openid:" - description: For redirection of the response. - - name: nonce - in: query - required: true - schema: - type: string - example: glkFFoisdfEui43 - description: A value used to associate a client session with an ID token and to mitigate replay attacks. - - name: code_challenge - in: query - required: true - schema: - type: string - example: YjI0ZTQ4NTBhMzJmMmZhNjZkZDFkYzVhNzlhNGMyZDdjZDlkMTM4YTY4NjcyMTA5M2Q2OWQ3YjNjOGJlZDBlMSAgLQo= - description: As specified in PKCE for OAuth Public Client specification. - - name: code_challenge_method - in: query - required: true - schema: - type: string - example: S256 - description: As specified in PKCE for OAuth Public Client specification. - - name: client_metadata - in: query - required: true - schema: - type: string - example: | - { - "vp_formats_supported": { - "jwt_vp": { - "alg": [ - "ES256" - ] - }, - "jwt_vc": { - "alg": [ - "ES256" - ] - } - }, - "response_types_supported": [ - "vp_token", - "id_token" - ], - "authorization_endpoint": "openid://" - } - description: Holder wallets are non-reachable and can utilise this field in the Authorisation Request to deliver configuration. - - name: issuer_state - in: query - required: false - schema: - type: string - example: tracker%3Dvcfghhj - description: If present in the credential offer. - responses: - "302": - description: Authorisation response - headers: - Location: - schema: - type: string - example: http://localhost:8080?state=22857405-1a41-4db9-a638-a980484ecae1&client_id=https%3A%2F%2Fapi-conformance.ebsi.eu%2Fconformance%2Fv3%2Fauth-mock&redirect_uri=https%3A%2F%2Fapi-conformance.ebsi.eu%2Fconformance%2Fv3%2Fauth-mock%2Fdirect_post&response_type=id_token&response_mode=direct_post&scope=openid&nonce=a6f24536-b109-4623-a41a-7a9be932bdf6&request_uri=https%3A%2F%2Fapi-conformance.ebsi.eu%2Fconformance%2Fv3%2Fauth-mock%2Frequest_uri%2F111d2819-9ab7-4959-83e5-f414c57fdc27 - /direct_post: - post: - tags: - - "issuer" - summary: Direct post - requestBody: - required: true - content: - application/x-www-form-urlencoded: - schema: - type: object - properties: - id_token: - type: string - description: The id_token signed by the DID - responses: - "302": - description: Direct Post response - headers: - Location: - schema: - type: string - description: The URL to redirect to after processing the request - /token: - post: - tags: - - "issuer" - summary: Token request - requestBody: - required: true - content: - application/x-www-form-urlencoded: - schema: - $ref: "#/components/schemas/AuthorisationCodeTokenRequest" - responses: - "200": - description: Token response - content: - application/json: - schema: - $ref: "#/components/schemas/TokenResponse" - /credential: - post: - tags: - - "issuer" - summary: Credential Request - requestBody: - required: true - content: - application/json: - schema: - oneOf: - - $ref: "#/components/schemas/OpenIdCredentialRequest" - - $ref: "#/components/schemas/EbsiCredentialRequest" - responses: - "200": - description: Credential response - content: - application/json: - schema: - oneOf: - - $ref: "#/components/schemas/InTimeCredentialResponse" - - $ref: "#/components/schemas/DeferredCredentialResponse" - /deferred-credential: - post: - tags: - - "issuer" - summary: Deferred Credential Request - parameters: - - in: header - name: Authorization - schema: - type: string - example: Bearer eyJ0eXAi...KTjcrDMg - description: Acceptance token from the credential response - responses: - "200": - description: Credential response - content: - application/json: - schema: - $ref: "#/components/schemas/InTimeCredentialResponse" -components: - schemas: - OpenIdCredentialOffer: - title: OpenID Credential Offer - type: object - properties: - credential_issuer: - type: string - description: "Credential issuer endpoint" - example: https://server.example.com - credentials: - type: array - description: "Credential types available for issuance" - items: - type: string - example: "PortableDocumentA1" - grants: - oneOf: - - $ref: "#/components/schemas/AuthorisationCodeGrant" - - $ref: "#/components/schemas/PreAuthorisedCodeGrant" - required: - - credential_issuer - - credentials - - grants - EbsiCredentialOffer: - title: EBSI Credential Offer - type: object - properties: - credential_issuer: - type: string - description: "Credential issuer endpoint" - example: https://server.example.com - credentials: - type: array - description: "Credential types available for issuance" - items: - type: object - properties: - format: - type: string - description: "Credential format" - enum: - - "jwt_vc" - - "ldp_vc" - - "vc+sd-jwt" - types: - type: array - description: "Credential type" - items: - type: string - example: "PortableDocumentA1" - trust_framework: - type: object - description: "Trust framework" - properties: - name: - type: string - description: "Name of the trust framework" - example: "ebsi" - type: - type: string - description: "Type of the trust framework" - example: "Accreditation" - uri: - type: string - description: "URI of the trust framework" - example: "TIR link towards accreditation" - required: - - name - - type - - uri - required: - - format - - types - - trust_framework - grants: - oneOf: - - $ref: "#/components/schemas/AuthorisationCodeGrant" - - $ref: "#/components/schemas/PreAuthorisedCodeGrant" - required: - - credential_issuer - - credentials - - grants - AuthorisationCodeGrant: - type: object - title: "Authorisation code grant" - properties: - authorization_code: - type: object - description: "Authorisation code grant" - properties: - issuer_state: - type: string - description: "Issuer state" - example: "eyJhbGciOiJSU0Et...FYUaBy" - required: - - issuer_state - required: - - authorization_code - PreAuthorisedCodeGrant: - type: object - title: "Pre-authorised code grant" - properties: - urn:ietf:params:oauth:grant-type:pre-authorized_code: - description: "Pre-authorised code grant" - type: object - properties: - pre-authorized_code: - type: string - description: "Pre-authorised code" - example: "eyJhbGciOiJSU0Et...FYUaBy" - user_pin_required: - type: boolean - description: "User pin required or not" - example: true - required: - - pre-authorized_code - - user_pin_required - required: - - urn:ietf:params:oauth:grant-type:pre-authorized_code - WellKnownOpenIdIssuerConfiguration: - title: Well-known OpenID credential issuer configuration - type: object - properties: - credential_issuer: - type: string - authorization_server: - type: string - credential_endpoint: - type: string - deferred_credential_endpoint: - type: string - display: - type: array - items: - type: object - properties: - name: - type: string - location: - type: string - locale: - type: string - cover: - type: object - properties: - url: - type: string - alt_text: - type: string - required: - - url - - alt_text - logo: - type: object - properties: - url: - type: string - alt_text: - type: string - required: - - url - - alt_text - description: - type: string - required: - - name - - location - - locale - - cover - - logo - - description - credentials_supported: - type: object - properties: - VerifiablePortableDocumentA1SdJwt: - type: object - properties: - format: - type: string - scope: - type: string - cryptographic_binding_methods_supported: - type: array - items: - type: string - cryptographic_suites_supported: - type: array - items: - type: string - display: - type: array - items: - type: object - properties: - name: - type: string - locale: - type: string - background_color: - type: string - text_color: - type: string - required: - - name - - locale - - background_color - - text_color - credential_definition: - type: object - properties: - vct: - type: string - claims: - type: object - properties: - given_name: - type: object - properties: - display: - type: array - items: - type: object - properties: - name: - type: string - locale: - type: string - required: - - name - - locale - required: - - display - last_name: - type: object - properties: - display: - type: array - items: - type: object - properties: - name: - type: string - locale: - type: string - required: - - name - - locale - required: - - display - required: - - given_name - - last_name - required: - - vct - - claims - required: - - format - - scope - - cryptographic_binding_methods_supported - - cryptographic_suites_supported - - display - - credential_definition - required: - - VerifiablePortableDocumentA1SdJwt - required: - - credential_issuer - - authorization_server - - credential_endpoint - - deferred_credential_endpoint - - display - - credentials_supported - WellKnownEBSIIssuerConfiguration: - title: Well-known EBSI credential issuer configuration - type: object - properties: - credential_issuer: - type: string - authorization_server: - type: string - credential_endpoint: - type: string - deferred_credential_endpoint: - type: string - display: - type: object - properties: - name: - type: string - location: - type: string - locale: - type: string - cover: - type: object - properties: - url: - type: string - alt_text: - type: string - required: - - url - - alt_text - logo: - type: object - properties: - url: - type: string - alt_text: - type: string - required: - - url - - alt_text - description: - type: string - required: - - name - - location - - locale - - cover - - logo - - description - credentials_supported: - type: array - items: - type: object - properties: - format: - type: string - types: - type: array - items: - type: string - trust_framework: - type: object - properties: - name: - type: string - type: - type: string - uri: - type: string - required: - - name - - type - - uri - display: - type: array - items: - type: object - properties: - name: - type: string - locale: - type: string - required: - - name - - locale - required: - - format - - types - - trust_framework - - display - required: - - credential_issuer - - authorization_server - - credential_endpoint - - deferred_credential_endpoint - - display - - credentials_supported - WellKnownOpenIdAuthorisationServerConfiguration: - title: Well-known OpenID authorisation server configuration - type: object - properties: - issuer: - type: string - authorization_endpoint: - type: string - token_endpoint: - type: string - jwks_uri: - type: string - scopes_supported: - type: array - items: - type: string - response_types_supported: - type: array - items: - type: string - response_modes_supported: - type: array - items: - type: string - grant_types_supported: - type: array - items: - type: string - subject_types_supported: - type: array - items: - type: string - id_token_signing_alg_values_supported: - type: array - items: - type: string - request_object_signing_alg_values_supported: - type: array - items: - type: string - request_parameter_supported: - type: boolean - request_uri_parameter_supported: - type: boolean - token_endpoint_auth_methods_supported: - type: array - items: - type: string - request_authentication_methods_supported: - type: object - properties: - authorization_endpoint: - type: array - items: - type: string - required: - - authorization_endpoint - vp_formats_supported: - type: object - properties: - jwt_vp: - type: object - properties: - alg_values_supported: - type: array - items: - type: string - required: - - alg_values_supported - jwt_vc: - type: object - properties: - alg_values_supported: - type: array - items: - type: string - required: - - alg_values_supported - required: - - jwt_vp - - jwt_vc - subject_syntax_types_supported: - type: array - items: - type: string - subject_trust_frameworks_supported: - type: array - items: - type: string - id_token_types_supported: - type: array - items: - type: string - required: - - issuer - - authorization_endpoint - - token_endpoint - - jwks_uri - - scopes_supported - - response_types_supported - - response_modes_supported - - grant_types_supported - - subject_types_supported - - id_token_signing_alg_values_supported - - request_object_signing_alg_values_supported - - request_parameter_supported - - request_uri_parameter_supported - - token_endpoint_auth_methods_supported - - request_authentication_methods_supported - - vp_formats_supported - - subject_syntax_types_supported - - subject_trust_frameworks_supported - - id_token_types_supported - AuthorisationResponse: - title: Authorisation response - type: object - properties: - state: - type: string - description: The client uses an opaque value to maintain the state between the request and callback. - client_id: - type: string - description: Decentralised identifier - redirect_uri: - type: string - description: For redirection of the response - response_type: - type: string - description: The value must be 'id_token' if the issuer requests DID authentication. - response_mode: - type: string - description: The value must be 'direct_post' - scope: - type: string - description: The value must be 'openid' - nonce: - type: string - description: A value used to associate a client session with an ID token and to mitigate replay attacks. - request_uri: - type: string - description: The authorisation server's private key signed the request. - AuthorisationDetails: - title: Authorisation Details - type: object - properties: - type: - type: string - locations: - type: array - items: - type: string - format: - type: string - credential_definition: - type: object - properties: - type: - type: array - items: - type: string - required: - - type - required: - - type - - locations - - format - - credential_definition - EBSIAuthorisationDetails: - title: EBSI Authorisation Details - type: object - properties: - format: - type: string - locations: - type: array - items: - type: string - type: - type: string - types: - type: array - items: - type: string - required: - - format - - locations - - type - - types - ClientMetaData: - title: Client Meta Data - type: object - properties: - vp_formats_supported: - type: object - properties: - jwt_vp: - type: object - properties: - alg: - type: array - items: - type: string - required: - - alg - jwt_vc: - type: object - properties: - alg: - type: array - items: - type: string - required: - - alg - required: - - jwt_vp - - jwt_vc - response_types_supported: - type: array - items: - type: string - authorization_endpoint: - type: string - required: - - vp_formats_supported - - response_types_supported - - authorization_endpoint - AuthorisationCodeTokenRequest: - type: object - properties: - grant_type: - type: string - example: authorization_code - description: Grant type for authorization - code: - type: string - example: SplxlOBeZQQYbYS6WxSbIA - description: Authorization code - code_verifier: - type: string - example: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk - description: Wallet-generated secure random token used to validate the original code_challenge - redirect_uri: - type: string - example: https://Wallet.example.org/cb - description: Redirect URI - PreAuthorisedCodeTokenRequest: - type: object - properties: - grant_type: - type: string - example: urn:ietf:params:oauth:grant-type:pre-authorized_code - description: Grant type for authorization - pre-authorized_code: - type: string - example: SplxlOBeZQQYbYS6WxSbIA - description: Code representing the Credential Issuer's authorisation for the Wallet to obtain Credentials of a certain type. This code must be short-lived and single-use. - user_pin: - type: string - example: 493536 - description: The end user pin is decided by the issuer and sent to the holder through an out-of-band process. E.g. Email, SMS - TokenResponse: - type: object - properties: - access_token: - type: string - refresh_token: - type: string - token_type: - type: string - expires_in: - type: number - id_token: - type: string - c_nonce: - type: string - c_nonce_expires_in: - type: number - required: - - access_token - - refresh_token - - token_type - - expires_in - - id_token - - c_nonce - - c_nonce_expires_in - OpenIdCredentialRequest: - type: object - properties: - format: - type: string - example: vc+sd-jwt - description: Format of the credential - credential_definition: - type: object - properties: - vct: - type: string - example: VerifiablePortableDocumentA1 - description: Verifiable credential type - proof: - type: object - properties: - proof_type: - type: string - example: jwt - description: Proof type of the credential - jwt: - type: string - example: eyJraW...KWjceMcr - description: JWT for the proof - EbsiCredentialRequest: - title: EBSI Credential Request - type: object - properties: - format: - type: string - proof: - type: object - properties: - jwt: - type: string - proof_type: - type: string - required: - - jwt - - proof_type - types: - type: array - items: - type: string - required: - - format - - proof - - types - InTimeCredentialResponse: - title: In-time Credential Response - type: object - properties: - format: - type: string - credential: - type: string - c_nonce: - type: string - c_nonce_expires_in: - type: number - required: - - format - - credential - - c_nonce - - c_nonce_expires_in - DeferredCredentialResponse: - title: Deferred Credential Response - type: object - properties: - acceptance_token: - type: string - c_nonce: - type: string - c_nonce_expires_in: - type: number - required: - - acceptance_token - - c_nonce - - c_nonce_expires_in - - PresentationSubmission: - type: object - properties: - definition_id: - type: string - descriptor_map: - type: array - items: - type: object - properties: - format: - type: string - id: - type: string - path: - type: string - path_nested: - type: object - properties: - format: - type: string - id: - type: string - path: - type: string - required: - - format - - id - - path - required: - - format - - id - - path - - path_nested - id: - type: string - required: - - definition_id - - descriptor_map - - id \ No newline at end of file diff --git a/openapi-spec/index.html b/openapi-spec/index.html index 1dad863..6c2b46a 100644 --- a/openapi-spec/index.html +++ b/openapi-spec/index.html @@ -1,93 +1,40 @@ - + - - EWC API documentation - - - + + + + - - - - - \ No newline at end of file diff --git a/openapi-spec/index.yaml b/openapi-spec/index.yaml new file mode 100644 index 0000000..446060b --- /dev/null +++ b/openapi-spec/index.yaml @@ -0,0 +1,86 @@ +components: + schemas: + CredentialOffer: + $ref: "./definitions/rfc001/credentialOffer.yaml" + AuthorisationCodeGrant: + $ref: "./definitions/rfc001/authorisationCodeGrant.yaml" + PreAuthorisedCodeGrant: + $ref: "./definitions/rfc001/preAuthorisedCodeGrant.yaml" + CredentialIssuerMetadata: + $ref: "./definitions/rfc001/credentialIssuerMetadata.yaml" + JwtVcJsonCredentialConfiguration: + $ref: "./definitions/rfc001/jwtVcJsonCredentialConfiguration.yaml" + IetfSdJwtVcCredentialConfiguration: + $ref: "./definitions/rfc001/ietfSdJwtVcCredentialConfiguration.yaml" + MsoMdocCredentialConfiguration: + $ref: "./definitions/rfc001/msoMdocCredentialConfiguration.yaml" + AuthorisationServerMetadata: + $ref: "./definitions/rfc001/authorisationServerMetadata.yaml" + AuthorisationResponse: + $ref: "./definitions/rfc001/authorisationResponse.yaml" + AuthorisationDetails: + $ref: "./definitions/rfc001/authorisationDetails.yaml" + AuthorisationCodeTokenRequest: + $ref: "./definitions/rfc001/authorisationCodeGrant.yaml" + PreAuthorisedCodeTokenRequest: + $ref: "./definitions/rfc001/preAuthorisedCodeTokenRequest.yaml" + TokenResponse: + $ref: "./definitions/rfc001/tokenResponse.yaml" + TokenErrorResponse: + $ref: "./definitions/rfc001/tokenErrorResponse.yaml" + CredentialRequest: + $ref: "./definitions/rfc001/credentialRequest.yaml" + InTimeCredentialResponse: + $ref: "./definitions/rfc001/inTimeCredentialResponse.yaml" + InTimeCredentialErrorResponse: + $ref: "./definitions/rfc001/inTimeCredentialErrorResponse.yaml" + DeferredCredentialRequest: + $ref: "./definitions/rfc001/deferredCredentialRequest.yaml" + DeferredCredentialResponse: + $ref: "./definitions/rfc001/deferredCredentialResponse.yaml" + DeferredCredentialErrorResponse: + $ref: "./definitions/rfc001/deferredCredentialErrorResponse.yaml" +info: + contact: + name: EWC + url: https://eudiwalletconsortium.org/ + description: The EWC APIs are defined to be used across all wallet providers within EWC according the [EWC RFCs](https://github.com/EWC-consortium/eudi-wallet-rfcs). + license: + name: Apache 2.0 + url: https://www.apache.org/licenses/LICENSE-2.0 + title: EWC APIs + version: 2024.3.1 +openapi: 3.1.0 +servers: + - description: Example server + url: https://example.com +tags: + - description: "This consists of endpoints for EWC RFC001: Issue Verifiable Credential" + name: "EWC RFC001: Issue Verifiable Credential" + - description: "This consists of endpoints for EWC RFC002: Present Verifiable Credential" + name: "EWC RFC002: Present Verifiable Credential" +paths: + /rfc001/credential_offer: + get: + $ref: ./paths/rfc001/credentialOffer.yaml + /rfc001/.well-known/openid-credential-issuer: + get: + $ref: ./paths/rfc001/credentialIssuerMetadata.yaml + /rfc001/.well-known/oauth-authorization-server: + get: + $ref: ./paths/rfc001/authorisationServerMetadata.yaml + /rfc001/authorize: + get: + $ref: ./paths/rfc001/authorisation.yaml + /rfc001/par: + post: + $ref: ./paths/rfc001/pushedAuthorisationRequest.yaml + /rfc001/token: + post: + $ref: ./paths/rfc001/token.yaml + /rfc001/credential: + post: + $ref: ./paths/rfc001/credential.yaml + /rfc001/deferred_credential: + post: + $ref: ./paths/rfc001/deferredCredential.yaml diff --git a/openapi-spec/paths/rfc001/authorisation.yaml b/openapi-spec/paths/rfc001/authorisation.yaml new file mode 100644 index 0000000..ba95beb --- /dev/null +++ b/openapi-spec/paths/rfc001/authorisation.yaml @@ -0,0 +1,72 @@ +tags: + - "EWC RFC001: Issue Verifiable Credential" +summary: Authorization Request +description: | + An Authorization Request is an OAuth 2.0 Authorization Request as defined in Section 4.1.1 of [RFC6749]. This request seeks to obtain authorization to access the Credential Endpoint. +operationId: authorizationRequest +parameters: + - name: response_type + in: query + required: true + schema: + type: string + description: | + REQUIRED. The value must be "code" to request an authorization code. + - name: client_id + in: query + required: true + schema: + type: string + description: | + REQUIRED. The identifier for the client making the request. + - name: code_challenge + in: query + required: true + schema: + type: string + description: | + REQUIRED. The code challenge used for Proof Key for Code Exchange (PKCE) as specified in OAuth 2.0 for Public Clients. + - name: code_challenge_method + in: query + required: true + schema: + type: string + description: | + OPTIONAL. The method used to transform the code verifier. Defaults to "plain" if not present. Possible values are "S256" or "plain", as defined in PKCE for OAuth 2.0. + - name: authorization_details + in: query + required: false + schema: + type: string + description: | + OPTIONAL. Provides fine-grained access details as specified in the OAuth 2.0 Rich Authorization Requests specification. The `authorization_details` parameter, as defined in Section 2 of [RFC9396], should be used to convey the specifics of the Credentials the Wallet intends to obtain. This specification introduces a new authorization details type, `openid_credential`. + - name: redirect_uri + in: query + required: false + schema: + type: string + description: | + OPTIONAL. The redirection endpoint where the authorization server will send the user-agent after authorization is complete. + - name: scope + in: query + required: false + schema: + type: string + description: | + OPTIONAL. Defines the scope of the Credential request. If the Wallet is unsure of the scope value, it can discover it using the 'scope' parameter from the Credential Issuer's metadata. This parameter assists in identifying the appropriate Credential configuration based on the Credential Offer or other parameters from the Credential Issuer. + - name: issuer_state + in: query + required: false + schema: + type: string + description: | + OPTIONAL. A string value representing a specific processing context at the Credential Issuer. This value is usually provided in a Credential Offer from the Credential Issuer to the Wallet and is used to pass the issuer_state value back to the Credential Issuer. +responses: + "302": + description: Authorization Response + headers: + Location: + schema: + type: string + description: | + The URL to which the user-agent will be redirected after successful authorization. This URL contains the authorization code and any additional parameters as specified in the OAuth 2.0 Authorization framework. diff --git a/openapi-spec/paths/rfc001/authorisationServerMetadata.yaml b/openapi-spec/paths/rfc001/authorisationServerMetadata.yaml new file mode 100644 index 0000000..a3ebd91 --- /dev/null +++ b/openapi-spec/paths/rfc001/authorisationServerMetadata.yaml @@ -0,0 +1,13 @@ +summary: Authorisation Server Metadata +description: The Authorization server metadata contain metadata describing authorisation server configuration. +operationId: authorisationServerMetadata +responses: + "200": + description: "" + content: + application/json: + schema: + $ref: "../../definitions/rfc001/authorisationServerMetadata.yaml" + +tags: + - "EWC RFC001: Issue Verifiable Credential" \ No newline at end of file diff --git a/openapi-spec/paths/rfc001/credential.yaml b/openapi-spec/paths/rfc001/credential.yaml new file mode 100644 index 0000000..137b09d --- /dev/null +++ b/openapi-spec/paths/rfc001/credential.yaml @@ -0,0 +1,27 @@ +tags: + - "EWC RFC001: Issue Verifiable Credential" +summary: Credential Request +requestBody: + required: true + content: + application/json: + schema: + oneOf: + - $ref: "../../definitions/rfc001/jwtVcJsonCredentialRequest.yaml" + - $ref: "../../definitions/rfc001/msoMdocCredentialRequest.yaml" + - $ref: "../../definitions/rfc001/ietfSdJwtVcCredentialRequest.yaml" +responses: + "200": + description: Credential response + content: + application/json: + schema: + oneOf: + - $ref: "../../definitions/rfc001/inTimeCredentialResponse.yaml" + - $ref: "../../definitions/rfc001/deferredCredentialResponse.yaml" + "400": + description: Error Response + content: + application/json: + schema: + $ref: "../../definitions/rfc001/inTimeCredentialErrorResponse.yaml" \ No newline at end of file diff --git a/openapi-spec/paths/rfc001/credentialIssuerMetadata.yaml b/openapi-spec/paths/rfc001/credentialIssuerMetadata.yaml new file mode 100644 index 0000000..aa522ff --- /dev/null +++ b/openapi-spec/paths/rfc001/credentialIssuerMetadata.yaml @@ -0,0 +1,13 @@ +summary: Credential Issuer Metadata +description: The credential issuer metdata contains information on the Credential Issuer's technical capabilities, supported Credentials, and (internationalized) display information. +operationId: credentialIssuerMetadata +responses: + "200": + description: "" + content: + application/json: + schema: + oneOf: + - $ref: "../../definitions/rfc001/credentialIssuerMetadata.yaml" +tags: + - "EWC RFC001: Issue Verifiable Credential" diff --git a/openapi-spec/paths/rfc001/credentialOffer.yaml b/openapi-spec/paths/rfc001/credentialOffer.yaml new file mode 100644 index 0000000..19ab3c9 --- /dev/null +++ b/openapi-spec/paths/rfc001/credentialOffer.yaml @@ -0,0 +1,24 @@ +summary: Credential Offer Endpoint +description: The Credential Issuer sends Credential Offer using an HTTP GET request or an HTTP redirect to the Wallet's Credential Offer Endpoint +operationId: credentialOfferEndpoint +parameters: + - description: Object with the Credential Offer parameters. This MUST NOT be present when the `credential_offer_uri` parameter is present. + in: query + name: credential_offer + schema: + type: string + - description: String that is a URL using the https scheme referencing a resource containing a JSON object with the Credential Offer parameters. This MUST NOT be present when the `credential_offer` parameter is present. + in: query + name: credential_offer_uri + schema: + type: string +responses: + "200": + description: "" + content: + application/json: + schema: + oneOf: + - $ref: "./../../definitions/rfc001/credentialOffer.yaml" +tags: + - "EWC RFC001: Issue Verifiable Credential" \ No newline at end of file diff --git a/openapi-spec/paths/rfc001/deferredCredential.yaml b/openapi-spec/paths/rfc001/deferredCredential.yaml new file mode 100644 index 0000000..f231198 --- /dev/null +++ b/openapi-spec/paths/rfc001/deferredCredential.yaml @@ -0,0 +1,31 @@ +tags: + - "EWC RFC001: Issue Verifiable Credential" +summary: Deferred Credential Request +parameters: + - in: header + name: Authorization + schema: + type: string + example: Bearer eyJ0eXAi...KTjcrDMg + description: Acceptance token from the credential response +requestBody: + required: true + content: + application/json: + schema: + oneOf: + - $ref: "../../definitions/rfc001/deferredCredentialRequest.yaml" +responses: + "200": + description: Credential response + content: + application/json: + schema: + $ref: "../../definitions/rfc001/inTimeCredentialResponse.yaml" + "400": + description: Error Response + content: + application/json: + schema: + $ref: "../../definitions/rfc001/deferredCredentialErrorResponse.yaml" + diff --git a/openapi-spec/paths/rfc001/directPost.yaml b/openapi-spec/paths/rfc001/directPost.yaml new file mode 100644 index 0000000..483e71a --- /dev/null +++ b/openapi-spec/paths/rfc001/directPost.yaml @@ -0,0 +1,21 @@ +tags: + - "EWC RFC001: Issue Verifiable Credential" +summary: Direct post +requestBody: + required: true + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + id_token: + type: string + description: The id_token signed by the DID +responses: + "302": + description: Direct Post response + headers: + Location: + schema: + type: string + description: The URL to redirect to after processing the request diff --git a/openapi-spec/paths/rfc001/pushedAuthorisationRequest.yaml b/openapi-spec/paths/rfc001/pushedAuthorisationRequest.yaml new file mode 100644 index 0000000..bb00e95 --- /dev/null +++ b/openapi-spec/paths/rfc001/pushedAuthorisationRequest.yaml @@ -0,0 +1,67 @@ +tags: + - "EWC RFC001: Issue Verifiable Credential" +summary: Pushed Authorization Request +description: | + A Pushed Authorization Request (PAR) allows a client to submit its authorization request parameters to the authorization server in advance, providing a PAR endpoint that stores these parameters and returns a request URI. The client then uses this URI in its authorization request to the authorization endpoint. This method enhances security by avoiding the exposure of sensitive parameters in the URL. + +operationId: pushedAuthorizationRequest +requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + response_type: + type: string + description: | + REQUIRED. The value must be "code" to request an authorization code. + client_id: + type: string + description: | + REQUIRED. The identifier for the client making the request. + code_challenge: + type: string + description: | + REQUIRED. The code challenge used for Proof Key for Code Exchange (PKCE) as specified in OAuth 2.0 for Public Clients. + code_challenge_method: + type: string + description: | + OPTIONAL. The method used to transform the code verifier. Defaults to "plain" if not present. Possible values are "S256" or "plain", as defined in PKCE for OAuth 2.0. + authorization_details: + type: string + description: | + OPTIONAL. Provides fine-grained access details as specified in the OAuth 2.0 Rich Authorization Requests specification. The `authorization_details` parameter, as defined in Section 2 of [RFC9396], should be used to convey the specifics of the Credentials the Wallet intends to obtain. This specification introduces a new authorization details type, `openid_credential`. + redirect_uri: + type: string + description: | + OPTIONAL. The redirection endpoint where the authorization server will send the user-agent after authorization is complete. + scope: + type: string + description: | + OPTIONAL. Defines the scope of the Credential request. If the Wallet is unsure of the scope value, it can discover it using the 'scope' parameter from the Credential Issuer's metadata. This parameter assists in identifying the appropriate Credential configuration based on the Credential Offer or other parameters from the Credential Issuer. + issuer_state: + type: string + description: | + OPTIONAL. A string value representing a specific processing context at the Credential Issuer. This value is usually provided in a Credential Offer from the Credential Issuer to the Wallet and is used to pass the issuer_state value back to the Credential Issuer. + required: + - response_type + - client_id + - code_challenge + - code_challenge_method + required: true +responses: + "201": + description: Pushed Authorization Request Created + content: + application/json: + schema: + type: object + properties: + request_uri: + type: string + description: | + The URI that can be used in an authorization request to reference the parameters submitted in the PAR request. + expires_in: + type: integer + description: | + The lifetime in seconds of the request_uri. After this time, the request_uri will no longer be valid. diff --git a/openapi-spec/paths/rfc001/token.yaml b/openapi-spec/paths/rfc001/token.yaml new file mode 100644 index 0000000..fdbc6d3 --- /dev/null +++ b/openapi-spec/paths/rfc001/token.yaml @@ -0,0 +1,24 @@ +tags: + - "EWC RFC001: Issue Verifiable Credential" +summary: Token request +requestBody: + required: true + content: + application/x-www-form-urlencoded: + schema: + oneOf: + - $ref: "../../definitions/rfc001/authorisationCodeTokenRequest.yaml" + - $ref: "../../definitions/rfc001/preAuthorisedCodeTokenRequest.yaml" +responses: + "200": + description: Token response + content: + application/json: + schema: + $ref: "../../definitions/rfc001/tokenResponse.yaml" + "400": + description: Error Response + content: + application/json: + schema: + $ref: "../../definitions/rfc001/tokenErrorResponse.yaml"