Add version and request type to protocol identifier for DC API #381
Conversation
awoie
requested review from
jogu,
tlodderstedt,
timcappalli,
c2bo,
paulbastian,
Sakurann,
leecam and
hlozi
|
Is there any issue with setting the value to |
| @@ -1958,7 +1958,14 @@ And lastly, as part of the request, the Wallet is provided with information abou | |||
|
|
|||
| ## Protocol | |||
|
|
|||
| To use OpenID4VP over the DC API, the value of the exchange protocol used with the Digital Credentials API (DC API), is `openid4vp`. | |||
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:oid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | |||
There was a problem hiding this comment.
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:oid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | |
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:openid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. |
There was a problem hiding this comment.
If there are no requirements, I would use the shortest version possible, e.g., urn:openid4vp:1.0:signed, urn:openid4vp:1.0:unsigned. What do you think @c2bo @timcappalli ?
There was a problem hiding this comment.
Fine with dropping "protocol" but I believe keeping the org name is common practice. If length is the concern, maybe just use "oidf"? So it would be urn:oidf:openid4vp:1.0:signed.
@selfissued should weigh in here.
There was a problem hiding this comment.
I am happy with either one.
Adding the oidf seems to be a bit cleaner in terms of namespacing, but I don't think it's likely to encounter a naming clash here, so I guess urn:openid4vp:1.0:signed would be fine as well if we need/want to optimize for size?
There was a problem hiding this comment.
so there is some OIDF precedent. CIBA defines a URN-based grant type that includes both the organization and the type (in this case params): urn:openid:params:grant-type:ciba. There's also urn:openid:params:jwt:claim:auth_req_id and urn:openid:params:jwt:claim:rt_hash.
So if we wanted to be consistent with other OIDF specs, I think we'd want it to be urn:openid:protocol:openid4vp:1.0:signed.
@selfissued @ve7jtb any comments on this?
There was a problem hiding this comment.
Current proposal is:
- Unsigned requests:
urn:openid:protocol:openid4vp:1.0:unsigned - Signed requests:
urn:openid:protocol:openid4vp:1.0:signed
Could you please elaborate this a bit further? I'm not sure if this is related to this PR. |
|
@hlozi I think from the perspective of processing rules in OpenID4VP, if the verifier signed the request, and the wallet cannot validate it, the wallet needs to abort the request. when the request is signed it's not wallet's choice to validate it or not, the wallet muct validate it |
Would agree here, aren't those always "protocols" that do into DC API? |
While I agree it seems unnecessary at face, isn't there value in being consistent with other OIDF URNs? |
| The following exchange protocol values are defined by this specification: | ||
|
|
||
| * Unsigned requests: `urn:openid:protocol:openid4vp:1.0:unsigned` | ||
| * Signed requests: `urn:openid:protocol:openid4vp:1.0:signed` |
There was a problem hiding this comment.
As a thought experiment, what happens when OpenID4VP v1.1 comes along and is compatible with v1.0 but not strictly v1.0?
There was a problem hiding this comment.
IMO, the version identifier does not have to match the OID4VP version. In this regards, we might have to think about if this PR should really set the version to 1.0 already or if we should start with 0.1 first.
There was a problem hiding this comment.
The version in the protocol identifier will need to be mapped back to a specification in the registry, so the version needs to at a minimum be defined somewhere in the spec, if its not going to the be the spec version itself.
There was a problem hiding this comment.
Or, and hear me out, having that level of specificity in the identifier is not a good idea.
There was a problem hiding this comment.
agreement that there is a need to differentiate major versions (not differentiating minor versions like 1.1, 1.2, etc.).
- version is part of URN, i.e.,
:1.0
based on that agreement, bullet 1 should be just :1 or :v1
There was a problem hiding this comment.
1.No
2.voted No on 1 but in case we do versioning, just major.
3.No,
4.just a string, we can avoid collisions using a Reverse domain name.
There was a problem hiding this comment.
Answers to @timcappalli questions
- Yes
- Major
- Yes
- urn
There was a problem hiding this comment.
- yes
- just major is fine
- not sure (not opinionated)
- urn sounds reasonable to achieve the goal
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:openid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | ||
|
|
||
| The value `1.0` MUST be used for the `<version>` field to indicate the request and response conform to this version of the specification. For `<request-type>`, unsigned requests, as defined in (#unsigned_request), MUST use `unsigned`, and signed requests, as defined in (#signed_request), MUST use `signed`. | ||
|
|
||
| The following exchange protocol values are defined by this specification: | ||
|
|
||
| * Unsigned requests: `urn:openid:protocol:openid4vp:1.0:unsigned` | ||
| * Signed requests: `urn:openid:protocol:openid4vp:1.0:signed` |
There was a problem hiding this comment.
it increasingly seems better long-term not to include both version and signed/unsigned in the protocol identifier:
- no version, because for 1.0, we know there will be backward compatible 1.1, 1.2, etc. and having to maintain those most likely will turn out to be an unnecessary maintenance overhead.
- no signed/unsigned because wallets already need to differentiate signed/unsigned requests and is not worth the complexity of asking the platforms to support both.
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:openid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | |
| The value `1.0` MUST be used for the `<version>` field to indicate the request and response conform to this version of the specification. For `<request-type>`, unsigned requests, as defined in (#unsigned_request), MUST use `unsigned`, and signed requests, as defined in (#signed_request), MUST use `signed`. | |
| The following exchange protocol values are defined by this specification: | |
| * Unsigned requests: `urn:openid:protocol:openid4vp:1.0:unsigned` | |
| * Signed requests: `urn:openid:protocol:openid4vp:1.0:signed` | |
| To use OpenID4VP over the DC API, the value of the exchange protocol used with the Digital Credentials API (DC API), is `urn:openid:protocol:openid4vp`. |
There was a problem hiding this comment.
Seems much better for a wallet to not even to have to start parsing a request if it knows it cannot support the options being presented, rather than to always have to parse requests it subsequently finds out it cannot support
There was a problem hiding this comment.
If not in the protocol string (so that platforms/wallet don't have to support multiple "protocols"), I would like to see the signed vs unsigned indication somewhere in the request
It feels like bad practice to have wallets determine the type of request by failing to parse the request and then trying the other option. For example, this would make it hard to debug (and print easy-to-understand log messages) for truly malformed requests, since that could mean either: the request is actually malformed, or it is of the other type...
There was a problem hiding this comment.
For the version: I agree with the comment from awoie yesterday essentially stating that the OpenID4VP spec version and the "API" version might be different concepts.
If theres agreement with that, we would just need to find some versioning system that each OpenID4VP Spec version is in charge of clearly indicating (and is semantically different from the OpenID4VP major.minor scheme to avoid having folks correlate the two concepts).
I liked v1, and any non-backwards compatible change in the spec can be update the "API" version to v2
|
This has been discussed extensively in both groups and consensus was reached. Why the sudden change? |
Co-authored-by: Giuseppe De Marco <[email protected]>
awoie
requested review from
hlozi,
bc-pi,
Sakurann,
dyiop,
timcappalli,
David-Chadwick and
peppelinux
|
@hlozi @timcappalli @David-Chadwick @peppelinux @Sakurann @bc-pi @dyiop I updated the PR to remove the minor version from the |
Co-authored-by: Joseph Heenan <[email protected]>
Co-authored-by: Kristina <[email protected]>
|
I don't have a strong opinion on the signed vs unsigned suffix and from an implementation perspective, having an identifier for signed seems to make ones life easier with parsing which is good. One concern I have would be #395. If we agree that this kind of flow is a good idea and want to support such a planned downgrade in the protocol, then that would also mean that we are switching from a signed request to a response that would belong to an unsigned flow. This wouldn't change the data structure of the response, but having two different identifiers for signed and unsigned and then switching between them in a request/response sequence would be pretty weird imho. |
|
Will there be any part of the request which can tell the Wallet which minor version this request is using? This could be useful for the Wallet to track errors for different minor versions coming in from various verifiers? Agreed that it should not need to be part of the protocol identifier! Otherwise LGTM! |
The protocol identifier won't have any minor version. I believe this was the consensus that was achieved in this PR and in the DCP WG meeting. |
There was a problem hiding this comment.
I’m still not convinced about making the identifier format too complicated. In reality, it’ll mostly be used to uniquely identify a specification, so the browser will still need to look at the payload regardless. I guess this is a discussion for the DC API group, not this group so I don't want to block this.
| The following exchange protocol values are defined by this specification: | ||
|
|
||
| * Unsigned requests: `urn:openid:protocol:openid4vp:1.0:unsigned` | ||
| * Signed requests: `urn:openid:protocol:openid4vp:1.0:signed` |
There was a problem hiding this comment.
1.No
2.voted No on 1 but in case we do versioning, just major.
3.No,
4.just a string, we can avoid collisions using a Reverse domain name.
This PR adds version and request type to the protocol identifier for DC API.
Fixes #326, fixes #363