OpenID4VP over the DC API

[deshmukhrajvardhan]

What type of PR is this? (check all applicable)

• Minor content update (spelling, grammar)
• Substantive content update (changes meaning)
• Net new content
• Reference content update (platforms, device support, etc)
• Core platform updates (Docusaurus / Cloudflare)
• Administrivia / chores

Description, Motivation, and Context

Related Issues

• Related Issue #
• Closes # [Docs] Requesting a Credential > OpenID4VP #28

[cloudflare-workers-and-pages]

Deploying digitalcredentials-dev-prod with    Cloudflare Pages

Latest commit:	d3679c5
Status:	✅  Deploy successful!
Preview URL:	https://78e6c541.digitalcredentials-dev-prod.pages.dev
Branch Preview URL:	https://28-openid4vp.digitalcredentials-dev-prod.pages.dev

View logs

[ewewraw]

Hello @deshmukhrajvardhan @timcappalli ,
What's the status of this PR? I've made a couple of minor suggestions. Also, it looks like the encrypted response is different in the spec, is that right?
Thanks!

[ewewraw]

Should the unsigned request section be placed before the signed one? Developers essentially have to construct an unsigned request first, so it seems logical.

[ewewraw]

Suggested change

	"request": "eyJ0eXAiOiJvYXV0aC1hdXRoei1yZXErand0IiwiYWxnIjoiRVMyNTYiLCJ4NWMiOlsiTUlJQjl6Q0NBWnlnQXdJQkFnSVVVR1d5TllsajZSbnpwNUxJUHRHUFdLelN6QTB3Q2dZSUtvWkl6ajBFQXdJd09URUxNQWtHQTFVRUJoTUNWVk14S2pBb0JnTlZCQU1NSVdScFoybDBZV3hqY21Wa2N5NWtaWFl1ZEhKMWMzUmxaSEJoZEdndWFXNW1iekFlRncweU5UQTBNak14T1RVMk1ETmFGdzB5TmpBME1qTXhPVFUyTUROYU1Ea3hDekFKQmdOVkJBWVRBbFZUTVNvd0tBWURWUVFERENGa2FXZHBkR0ZzWTNKbFpITXVaR1YyTG5SeWRYTjBaV1J3WVhSb0xtbHVabTh3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVRFUTM1UGd6TlUrMUFnUjZMeGJCUVphSk5pRzlSeEhXQmxkeFdLd25FZ3RWRDFhOGw1eGNnaGxGeGQ2b0lJd3Y2T0FrOE1TaHY4WXpkaTVaWlBWb2pWbzRHQk1IOHdMQVlEVlIwUkJDVXdJNEloWkdsbmFYUmhiR055WldSekxtUmxkaTUwY25WemRHVmtjR0YwYUM1cGJtWnZNQjBHQTFVZERnUVdCQlNDNGVRNXdkVjIrOFE5aU1MMkdEaXArL2l6aVRBZkJnTlZIU01FR0RBV2dCU0M0ZVE1d2RWMis4UTlpTUwyR0RpcCsvaXppVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUNJUURYNkJRbW5YN3FOcWl4MWJBeWNaSmZiclJ5VVNPcU8ydUYySDh0MXBoWE5nSWhBUG9yMXNNOE9KaUhYMGUvalRsc01zQ3BpMGk1ekJBaGxUZDBWVndYN0lsOSJdfQ.eyJyZXNwb25zZV90eXBlIjoidnBfdG9rZW4iLCJyZXNwb25zZV9tb2RlIjoiZGNfYXBpLmp3dCIsIm5vbmNlIjoiWlFTQ2t2VktoR2xjUkcyZGRwR0d6c1lOMSIsImNsaWVudF9tZXRhZGF0YSI6eyJqd2tzIjp7ImtleXMiOlt7Imt0eSI6IkVDIiwidXNlIjoiZW5jIiwiY3J2IjoiUC0yNTYiLCJraWQiOiI4OWI3YWIyNDg4ODUyZjVmNDhjMWM0NGNjZTk5NTk1MGMyMWNhM2YxNjRkODFjMDlkNmE1Yzk3Nzk1YjYxOGIzIiwieCI6IkxaMm14c0MzWEQ0TVVNTUVVamRXUFV1MkR5dDc1X2YwVHF1a29FOVFDaVkiLCJ5IjoiV0FuTjNjQlkwVHRueHY1QlBNbksyXzZ1cS1yQTN0ME03MGpkZ25VbmhsRSJ9XX0sInZwX2Zvcm1hdHNfc3VwcG9ydGVkIjp7Im1zb19tZG9jIjp7Imlzc3VlcmF1dGhfYWxnX3ZhbHVlcyI6Wy03XSwiZGV2aWNlYXV0aF9hbGdfdmFsdWVzIjpbLTddfX19LCJkY3FsX3F1ZXJ5Ijp7ImNyZWRlbnRpYWxzIjpbeyJpZCI6Im1kbCIsImZvcm1hdCI6Im1zb19tZG9jIiwibWV0YSI6eyJkb2N0eXBlX3ZhbHVlIjoib3JnLmlzby4xODAxMy41LjEubURMIn0sImNsYWltcyI6W3sicGF0aCI6WyJvcmcuaXNvLjE4MDEzLjUuMSIsImZhbWlseV9uYW1lIl19LHsicGF0aCI6WyJvcmcuaXNvLjE4MDEzLjUuMSIsImdpdmVuX25hbWUiXX1dfV19LCJjbGllbnRfaWQiOiJ4NTA5X3Nhbl9kbnM6ZGlnaXRhbGNyZWRzLmRldi50cnVzdGVkcGF0aC5pbmZvIiwiZXhwZWN0ZWRfb3JpZ2lucyI6WyJodHRwczovL2RpZ2l0YWxjcmVkcy5kZXYudHJ1c3RlZHBhdGguaW5mbyJdfQ.uybMmjpTG9wCXNgnXGkBiFax8owB-cPy560PSxrufFGS4puw_E9tPgMueah_Wj87tSfKC0f3YIuD4MW1ca1M3g"
	// First, construct the request object as you would for an unsigned request.
	// This object is then signed and serialized into a JWS string.
	"request": "eyJ0eXAiOiJvYXV0aC1hdXRoei1yZXErand0IiwiYWxnIjoiRVMyNTYiLCJ4NWMiOlsiTUlJQjl6Q0NBWnlnQXdJQkFnSVVVR1d5TllsajZSbnpwNUxJUHRHUFdLelN6QTB3Q2dZSUtvWkl6ajBFQXdJd09URUxNQWtHQTFVRUJoTUNWVk14S2pBb0JnTlZCQU1NSVdScFoybDBZV3hqY21Wa2N5NWtaWFl1ZEhKMWMzUmxaSEJoZEdndWFXNW1iekFlRncweU5UQTBNak14T1RVMk1ETmFGdzB5TmpBME1qTXhPVFUyTUROYU1Ea3hDekFKQmdOVkJBWVRBbFZUTVNvd0tBWURWUVFERENGa2FXZHBkR0ZzWTNKbFpITXVaR1YyTG5SeWRYTjBaV1J3WVhSb0xtbHVabTh3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVRFUTM1UGd6TlUrMUFnUjZMeGJCUVphSk5pRzlSeEhXQmxkeFdLd25FZ3RWRDFhOGw1eGNnaGxGeGQ2b0lJd3Y2T0FrOE1TaHY4WXpkaTVaWlBWb2pWbzRHQk1IOHdMQVlEVlIwUkJDVXdJNEloWkdsbmFYUmhiR055WldSekxtUmxkaTUwY25WemRHVmtjR0YwYUM1cGJtWnZNQjBHQTFVZERnUVdCQlNDNGVRNXdkVjIrOFE5aU1MMkdEaXArL2l6aVRBZkJnTlZIU01FR0RBV2dCU0M0ZVE1d2RWMis4UTlpTUwyR0RpcCsvaXppVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUNJUURYNkJRbW5YN3FOcWl4MWJBeWNaSmZiclJ5VVNPcU8ydUYySDh0MXBoWE5nSWhBUG9yMXNNOE9KaUhYMGUvalRsc01zQ3BpMGk1ekJBaGxUZDBWVndYN0lsOSJdfQ.eyJyZXNwb25zZV90eXBlIjoidnBfdG9rZW4iLCJyZXNwb25zZV9tb2RlIjoiZGNfYXBpLmp3dCIsIm5vbmNlIjoiWlFTQ2t2VktoR2xjUkcyZGRwR0d6c1lOMSIsImNsaWVudF9tZXRhZGF0YSI6eyJqd2tzIjp7ImtleXMiOlt7Imt0eSI6IkVDIiwidXNlIjoiZW5jIiwiY3J2IjoiUC0yNTYiLCJraWQiOiI4OWI3YWIyNDg4ODUyZjVmNDhjMWM0NGNjZTk5NTk1MGMyMWNhM2YxNjRkODFjMDlkNmE1Yzk3Nzk1YjYxOGIzIiwieCI6IkxaMm14c0MzWEQ0TVVNTUVVamRXUFV1MkR5dDc1X2YwVHF1a29FOVFDaVkiLCJ5IjoiV0FuTjNjQlkwVHRueHY1QlBNbksyXzZ1cS1yQTN0ME03MGpkZ25VbmhsRSJ9XX0sInZwX2Zvcm1hdHNfc3VwcG9ydGVkIjp7Im1zb19tZG9jIjp7Imlzc3VlcmF1dGhfYWxnX3ZhbHVlcyI6Wy03XSwiZGV2aWNlYXV0aF9hbGdfdmFsdWVzIjpbLTddfX19LCJkY3FsX3F1ZXJ5Ijp7ImNyZWRlbnRpYWxzIjpbeyJpZCI6Im1kbCIsImZvcm1hdCI6Im1zb19tZG9jIiwibWV0YSI6eyJkb2N0eXBlX3ZhbHVlIjoib3JnLmlzby4xODAxMy41LjEubURMIn0sImNsYWltcyI6W3sicGF0aCI6WyJvcmcuaXNvLjE4MDEzLjUuMSIsImZhbWlseV9uYW1lIl19LHsicGF0aCI6WyJvcmcuaXNvLjE4MDEzLjUuMSIsImdpdmVuX25hbWUiXX1dfV19LCJjbGllbnRfaWQiOiJ4NTA5X3Nhbl9kbnM6ZGlnaXRhbGNyZWRzLmRldi50cnVzdGVkcGF0aC5pbmZvIiwiZXhwZWN0ZWRfb3JpZ2lucyI6WyJodHRwczovL2RpZ2l0YWxjcmVkcy5kZXYudHJ1c3RlZHBhdGguaW5mbyJdfQ.uybMmjpTG9wCXNgnXGkBiFax8owB-cPy560PSxrufFGS4puw_E9tPgMueah_Wj87tSfKC0f3YIuD4MW1ca1M3g"

[ewewraw]

I'd suggest to add a comment for more clarity

[ewewraw]

Should the documentation also cover how to structure the request for the response to be encrypted? Specifically, that the response mode value should be set to "response_mode": "dc_api.jwt", and the "jwks" object should be included?

[ewewraw]

As suggested in the comment below in the Presentation Response section, maybe here it could be also specified that the requests can be signed and unsigned, as well as structured for encrypted on unencrypted response?

[ewewraw]

Suggested change

	"vp_token":{
	// The unencrypted response's 'vp_token' object contains the one ore more
	// credential presentations, keyed by their `id` value from the `dcql_query`
	// request object. In this case, the "pid" credential is returned as an array
	// containing a SD-JWT.
	"vp_token":{

[ewewraw]

This looks like a decrypted payload. Shouldn't the encrypted response be of the format:

{
 "protocol": "openid4vp-v1-unsigned",
 "data": {
   "response": "<token>"
 }
}

?

[ewewraw]

Suggested change

	"vp_token":{
	// Decrypt this token with the private key that corresponds
	// to the public key you sent in the original request. The decrypted
	// payload will be structured just like an unencrypted response.
	"response": "<token>"

[ewewraw]

If my understanding of the encrypted response format is correct, this bit needs to be updated, and they "mdl" property should be removed. I'd also suggest to add a comment.

[timcappalli]

What's the status of this PR? I

It is parked right now. There is a lot of good content in here, but it needs to be broken up across different pages.

[deshmukhrajvardhan]

@ewewraw @timcappalli thanks for the comments. I'll be happy to contribute once we decide to work on this and unpark this, would appreciate your guidance then.