Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add small note about client id parameters for dc api #458

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

add small note about client id parameters for dc api #458

wants to merge 1 commit into from
+1 −1

Conversation

TimoGlastra
Copy link
Member

Fixes #436

@TimoGlastra
Copy link
Member Author

Some notes I also shared with @peppelinux over email:

After re-reading the section on DC API, I must say that there is already a line indicating the set of parameters can be extended: "Additional request parameters MAY be defined and used with OpenID4VP over the DC API.".

So it may not be needed to merge the clarification, although me and another engineer on our team both were in doubt about the restrictions from the supported parameters.

@jogu
Copy link
Collaborator

jogu commented Mar 17, 2025

Some notes I also shared with @peppelinux over email:

After re-reading the section on DC API, I must say that there is already a line indicating the set of parameters can be extended: "Additional request parameters MAY be defined and used with OpenID4VP over the DC API.".
So it may not be needed to merge the clarification, although me and another engineer on our team both were in doubt about the restrictions from the supported parameters.

The list of parameters that can be used in the DC API defined in section A.2 is explicitly prefixed with:

Out of the Authorization Request parameters defined in [@!RFC6749] and (#vp_token_request), the following are supported with OpenID4VP over the W3C Digital Credentials API

I'm not actually sure how to interpret that text, given that trust_chain is defined in OID Federation.

The intent of all this text was to make sure that not all the request parameters from https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters automatically became allowable to use in the DC API. For example, state and code_challenge are deliberately excluded from the list as they serves no purpose in the DC API.

So likely your proposed text makes sense as I can't currently think of a case where a client id scheme might define a parameter that doesn't make sense in the DC API.

jogu
jogu reviewed Mar 17, 2025
View reviewed changes
openid-4-verifiable-presentations-1_0.md
@@ -2181,7 +2181,7 @@ In addition to the above-mentioned parameters, a new parameter is introduced for

* `expected_origins`: REQUIRED when signed requests defined in (#signed_request) are used with the Digital Credentials API (DC API). An array of strings, each string representing an Origin of the Verifier that is making the request. The Wallet can detect replay of the request from a malicious Verifier by comparing values in this parameter to the Origin. This parameter is not for use in unsigned requests and therefore a Wallet MUST ignore this parameter if it is present in an unsigned request.

Additional request parameters MAY be defined and used with OpenID4VP over the DC API.
Additional request parameters MAY be defined and used with OpenID4VP over the DC API, including parameters defined by a specific client identifier scheme (such as the `trust_chain` parameter for the `https` client id scheme).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it actually makes sense to add this note further up - either before line 2176 or before 2180? And word it more like:

Parameters defined by a specific client identifier scheme (such as the trust_chain parameter for the OpenID Federation client id scheme) are also supported over the W3C Digital Credentials API.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jogu jogu jogu left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Is OpenID Federation supported for DC API requests?
2 participants
@TimoGlastra @jogu