1.1/openid-4-verifiable-credential-issuance-1_1.md: 87 additions & 9 deletions
@@ -1218,9 +1218,9 @@ A Client makes a Credential Request to the Credential Endpoint by sending the fo
1218
1218
*`credential_configuration_id`: REQUIRED if a `credential_identifiers` parameter was not returned from the Token Response as part of the `authorization_details` parameter. It MUST NOT be used otherwise. String that uniquely identifies one of the keys in the name/value pairs stored in the `credential_configurations_supported` Credential Issuer metadata. The corresponding object in the `credential_configurations_supported` map MUST contain one of the value(s) used in the `scope` parameter in the Authorization Request. When this parameter is used, the `credential_identifier` MUST NOT be present.
1219
1219
*`proofs`: OPTIONAL. Object providing one or more proof of possessions of the cryptographic key material to which the issued Credential instances will be bound to. The `proofs` parameter contains exactly one parameter named as the proof type in (#proof-types), the value set for this parameter is a non-empty array containing parameters as defined by the corresponding proof type.
1220
1220
*`credential_response_encryption`: OPTIONAL. Object containing information for encrypting the Credential Response. If this request element is not present, the corresponding credential response returned is not encrypted.
1221
-
*`jwk`: REQUIRED. Object containing a single public key as a JWK used for encrypting the Credential Response.
1222
-
*`enc`: REQUIRED. JWE [@!RFC7516]`enc` algorithm [@!RFC7518] for encrypting Credential Responses.
1223
-
*`zip`: OPTIONAL. JWE [@!RFC7516]`zip` algorithm [@!RFC7518] for compressing Credential Responses prior to encryption. If absent then compression MUST not be used.
1221
+
*`jwk`: REQUIRED. Object containing a single public key as a JWK used for encrypting the Credential Response.
1222
+
*`enc`: REQUIRED. JWE [@!RFC7516]`enc` algorithm [@!RFC7518] for encrypting Credential Responses.
1223
+
*`zip`: OPTIONAL. JWE [@!RFC7516]`zip` algorithm [@!RFC7518] for compressing Credential Responses prior to encryption. If absent then compression MUST not be used.
1224
1224
1225
1225
See (#identifying_credential) for the summary of the options how requested Credential(s) are identified throughout the Issuance flow.
1226
1226
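Review bot: the removed and re-added `jwk`, `enc` and `zip` lines under `credential_response_encryption` carry identical text, so this hunk is a whitespace or indentation-only change (presumably nesting the three sub-parameters under their parent), which is not visible in this rendering; a commit message line saying so would spare reviewers a character-by-character comparison. While these lines are being touched, the `zip` entry's `If absent then compression MUST not be used` should use the RFC 2119 form `MUST NOT`, matching `MUST NOT be used otherwise` in the `credential_configuration_id` entry of the same hunk.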
@@ -1340,10 +1340,11 @@ If the Credential Response is not encrypted, the media type of the response MUST
1340
1340
The following parameters are used in the JSON-encoded Credential Response body:
1341
1341
1342
1342
*`credentials`: OPTIONAL. Contains an array of one or more issued Credentials. It MUST NOT be used if the `transaction_id` parameter is present. The elements of the array MUST be objects. The number of elements in the `credentials` array matches the number of keys that the Wallet has provided via the `proofs` parameter of the Credential Request, unless the Issuer decides to issue fewer Credentials. Each key provided by the Wallet is used to bind to, at most, one Credential. This specification defines the following parameters to be used inside this object:
1343
-
*`credential`: REQUIRED. Contains one issued Credential. The encoding of the Credential depends on the Credential Format and MAY be a string or an object. Credential Formats expressed as binary data MUST be base64url-encoded and returned as a string. More details are defined in the Credential Format Profiles in (#format-profiles).
1343
+
*`credential`: REQUIRED. Contains one issued Credential. The encoding of the Credential depends on the Credential Format and MAY be a string or an object. Credential Formats expressed as binary data MUST be base64url-encoded and returned as a string. More details are defined in the Credential Format Profiles in (#format-profiles).
1344
1344
*`transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet.
1345
1345
*`interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present.
1346
1346
*`notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present.
1347
+
*`credential_metadata`: OPTIONAL. Object that contains additional metadata specific to the issued Credential(s). The definitions and contained parameters for this Object are identical to the `credential_metadata` parameter as defined in Credential Issuer Metadata (see (#credential-issuer-metadata)) See (#display-metadata-considerations) for implementation considerations on credential metadata.
1347
1348
1348
1349
Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters.
1349
1350
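Review bot: the new `credential_metadata` entry does not state whether it may appear in a response that carries `transaction_id` rather than `credentials`, whereas every neighbouring parameter (`credentials`, `interval`, `notification_id`) spells out its relationship to `credentials`; add a sentence such as "It MUST NOT be used if the `credentials` parameter is not present", or state explicitly that it is permitted in the deferred case. The same entry is also missing a full stop between `(see (#credential-issuer-metadata))` and `See (#display-metadata-considerations)`.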
@@ -1485,7 +1486,7 @@ A Deferred Credential Response may either contain the requested Credentials or f
1485
1486
* If the Credential Issuer is able to issue the requested Credentials, the Deferred Credential Response MUST use the `credentials` parameter as defined in (#credential-response) and MUST respond with the HTTP status code 200 (see Section 15.3.3 of [@!RFC9110]).
1486
1487
* If the Credential Issuer still requires more time, the Deferred Credential Response MUST use the `interval` and `transaction_id` parameters as defined in (#credential-response) and it MUST respond with the HTTP status code 202 (see Section 15.3.3 of [@!RFC9110]). The value of `transaction_id` MUST be same as the value of `transaction_id` in the Deferred Credential Request.
1487
1488
1488
-
The Deferred Credential Response MAY use the `notification_id`parameter as defined in (#credential-response).
1489
+
The Deferred Credential Response MAY use the `notification_id`and `credential_metadata` parameters as defined in (#credential-response).
1489
1490
1490
1491
Additional Deferred Credential Response parameters MAY be defined and used.
1491
1492
The Wallet MUST ignore any unrecognized parameters.
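Review bot: the rewritten line keeps the missing space after the closing backtick in `notification_id`and `credential_metadata` parameters (the old line had the same defect in `notification_id`parameter); since the line is being replaced anyway, fix the spacing here. It would also help to say whether `credential_metadata` is allowed only with the 200 response that carries `credentials`, or also with the 202 response that carries `interval` and `transaction_id`, because the two bullets above distinguish those cases and the MAY sentence currently applies to both.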
@@ -1779,17 +1780,17 @@ This specification defines the following Credential Issuer Metadata parameters:
1779
1780
*`key_attestations_required`: OPTIONAL. Object that describes the requirement for key attestations as described in (#keyattestation), which the Credential Issuer expects the Wallet to send within the proof(s) of the Credential Request. If the Credential Issuer does not require a key attestation, this parameter MUST NOT be present in the metadata. If both `key_storage` and `user_authentication` parameters are absent, the `key_attestations_required` parameter may be empty, indicating a key attestation is needed without additional constraints.
1780
1781
*`key_storage`: OPTIONAL. A non-empty array defining values specified in (#keyattestation-apr) accepted by the Credential Issuer.
1781
1782
*`user_authentication`: OPTIONAL. A non-empty array defining values specified in (#keyattestation-apr) accepted by the Credential Issuer.
1782
-
*`credential_metadata`: OPTIONAL. Object containing information relevant to the usage and display of issued Credentials. Credential Format-specific mechanisms can overwrite the information in this object to convey Credential metadata. Format-specific mechanisms, such as SD-JWT VC display metadata are always preferred by the Wallet over the information in this object, which serves as the default fallback. Below is a non-exhaustive list of parameters that MAY be included:
1783
+
*`credential_metadata`: OPTIONAL. Object containing information relevant to the usage and display of issued Credentials. Credential Format-specific mechanisms can overwrite the information in this object to convey Credential metadata and is preferred by the Wallet over the information in this object, which serves as the default fallback. Additionally, the Credential Response MUST be preferred by the Wallet over any other information, effectively overwriting the information in this object and any Credential Format-specific mechanisms. See (#display-metadata-considerations) for implementation considerations on credential metadata. Below is a default, non-exhaustive, extensible list of parameters that MAY be included:
1783
1784
*`display`: OPTIONAL. A non-empty array of objects, where each object contains the display properties of the supported Credential for a certain language. Below is a non-exhaustive list of parameters that MAY be included.
1784
1785
*`name`: REQUIRED. String value of a display name for the Credential.
1785
1786
*`locale`: OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [@!RFC5646]. Multiple `display` objects MAY be included for separate languages. There MUST be only one object for each language identifier.
1786
1787
*`logo`: OPTIONAL. Object with information about the logo of the Credential. The following non-exhaustive set of parameters MAY be included:
1787
-
*`uri`: REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the `https:` scheme, the `data:` scheme, etc.
1788
-
*`alt_text`: OPTIONAL. String value of the alternative text for the logo image.
1788
+
*`uri`: REQUIRED. String value that contains a URI where the Wallet can obtain the logo of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the `https:` scheme, the `data:` scheme, etc.
1789
+
*`alt_text`: OPTIONAL. String value of the alternative text for the logo image.
1789
1790
*`description`: OPTIONAL. String value of a description of the Credential.
1790
1791
*`background_color`: OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 3 [@!CSS-Color].
1791
1792
*`background_image`: OPTIONAL. Object with information about the background image of the Credential. At least the following parameter MUST be included:
1792
-
*`uri`: REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the `https:` scheme, the `data:` scheme, etc.
1793
+
*`uri`: REQUIRED. String value that contains a URI where the Wallet can obtain the background image of the Credential from the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the `https:` scheme, the `data:` scheme, etc.
1793
1794
*`text_color`: OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 3 [@!CSS-Color].
1794
1795
*`claims`: OPTIONAL. A non-empty array of claims description objects as defined in (#claims-description-issuer-metadata).
1795
1796
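Review bot: grammar in the new `credential_metadata` text: `Credential Format-specific mechanisms can overwrite the information in this object to convey Credential metadata and is preferred by the Wallet` should read `are preferred`, or better, be split into two sentences, since the subject of the second clause is the mechanisms rather than the object. The precedence rule is also stated with a normative `MUST be preferred` here, while the matching paragraph added to (#display-metadata-considerations) in this same commit describes the same ordering (Issuer metadata, then Format-specific metadata, then Credential Response) without a keyword; choose one normative strength and use it in both places so the two sections cannot be read as conflicting. Dropping the `such as SD-JWT VC display metadata` example leaves the reader without any concrete instance of a Format-specific mechanism; consider keeping it as a non-normative "e.g.".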
@@ -1987,6 +1988,82 @@ It is up to the Credential Issuer whether to update both the signature and the c
1987
1988
1988
1989
The Credential Issuer determines the number of the Credentials issued in the Credential Response, regardless of number of proofs/keys contained in the `proofs` parameter in the Credential Request.
Credential metadata is provided by the Credential Issuer, but can be conveyed using different mechanisms. Defined mechanisms to provide display metadata are:
1994
+
1995
+
* Credential Issuer metadata MAY contain credential metadata as defined in (#credential-issuer-parameters)
1996
+
* Credential Formats MAY define their own mechanisms for metadata
1997
+
* Credential Response MAY also contain metadata as defined in (#credential-response)
1998
+
1999
+
Credential metadata provided via the Credential Issuer metadata SHOULD be interpreted as the most generic form of metadata and as a general fallback solution. If defined and present, Credential Format specific metadata overwrites the values from the Credential Issuer metadata. If present, metadata in the Credential Response overwrites existing values.
2000
+
2001
+
(#credential-issuer-parameters) defines a set of default Credential metadata parameters, but additional ones can be defined and added by profiles or extensions. Other standardization organizations or ecosystems defining extensions to the Credential metadata parameters SHOULD do so by defining a collision-resistant parameter that contains an Object with all parameters they are defining.
2002
+
2003
+
Below is a non-normative example of how credential metadata from the Credential Issuer metadata and the Credential Response would be merged:
2004
+
2005
+
Credential metadata contained in Credential Issuer metadata:
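Review bot: the precedence paragraph says Format-specific metadata and Credential Response metadata "overwrite" values from the Credential Issuer metadata, but it does not say at which granularity the merge happens: whole `credential_metadata` object, individual top-level parameter, or per `display` entry matched on `locale`. Since `display` is a non-empty array with one object per language, a Wallet needs to know whether a response-level `display` array replaces the issuer-metadata array wholesale or is merged per `locale`; the non-normative example that follows should make the chosen rule explicit rather than leaving it to be inferred. Two smaller points in the same hunk: `Credential Format specific metadata` should be hyphenated as `Format-specific`, consistent with the rest of the document, and the opening sentence switches between "Credential metadata" and "display metadata" for the same concept, so one term should be used throughout the new section.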