Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarification on authorization_details for Pre-Authorized Code Flow #242

Open
hesusruiz opened this issue Jan 29, 2024 · 8 comments
Open

Clarification on authorization_details for Pre-Authorized Code Flow #242

hesusruiz opened this issue Jan 29, 2024 · 8 comments
Labels
clarification pending close
Milestone
1.1

Comments

@hesusruiz
Copy link

I think it would be clarifying to mention explicitly that the Token Request, when using the Pre-Authorized Code Flow, can include an authorization_details object of type openid_credential with a credential_configuration_id.

The current text:

When the Pre-Authorized Grant Type is used, it is RECOMMENDED that the Credential Issuer issues an Access Token valid only for the Credentials indicated in the Credential Offer.

does not mention explicitly that the Token Request can indicate the specific credential being requested, via one of the credential_configuration_id described in the Credential Offer.

This explicit mention could help clear any potential confusion that the reader may have with this text in the Token Response:

authorization_details: REQUIRED when authorization_details parameter is used to request issuance of a certain Credential type as defined in [Section 5.1.1]

Because Section 5.1.1 is inside the Authorization Request section and the reader may understand that it can only be used in that context.
@babisRoutis
Copy link
Contributor

Indeed this is confusing for me as well.

Reading just the token response requirement

authorization_details: REQUIRED when authorization_details parameter is used to request issuance of a certain Credential type as defined in [Section 5.1.1](https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#authorization-details). It MUST NOT be used otherwise.

I get the impression that authorization_details must not be included in token response in case of pre-authorized grant.

I think thought that this is not the case. Otherwise there is no way, i think, that AS can convey to the wallet credential_identifiers in case of pre-authorized code.

I agree with @hesusruiz proposal to specify that authorization_details can also be used in case of pre-authorized grant

@Sakurann
Copy link
Collaborator

looks like there are several points...?

  • for the authorization code grant, it is true that authorization_details can be used in token request. but it is not a pre-requisite for authorization_details to be included in the token response because authorization details was already included in the authorization request.
  • the bigger question is whether for the authorization_details is required in the token request in the pre-auth code flow to use authorization_details in the token response, because there is no authorization request, and I think the answer should be yes? @tlodderstedt

@tlodderstedt
Copy link
Collaborator

tlodderstedt commented Feb 1, 2024
edited
Loading

good question. OAuth allows to request an access token without any scope or authorization details object. In case of a pre authz grant, I would assume a token request without authorization details will request an access token for all credentials authorized by the pre authz code. The wallet can specify authorization details, which makes especially sense if only a sub set of the authorized credentials shall be requested.

@jogu
Copy link
Contributor

jogu commented Feb 1, 2024

  • the bigger question is whether for the authorization_details is required in the token request in the pre-auth code flow to use authorization_details in the token response, because there is no authorization request, and I think the answer should be yes?

I think the AS could return authorization_details for the pre-auth code even when authorization_details is not in the token request.

Essentially as far as I can see we don't specify any details about how that pre-auth code was created, and the issuer would be free to have asked the AS to generate the authz code on the basis of a nominal authorization request that included a 'scope', or on the basis of a nominal authorization request that included an 'authorization_details'

@hesusruiz
Copy link
Author

good question. OAuth allows to request an access token without any scope or authorization details object. In case of a pre authz grant, I would assume a token request without authorization details will request an access token for all credentials authorized by the pre authz code. The wallet can specify authorization details, which makes especially sense if only a sub set of the authorized credentials shall be requested.

In my use case (an employee credential with delegated powers from the legal representative of the employer organisation), I feel like I want to return authorization_details from the Token response even in the case where the Token Request does not include authorization_details. My reasoning is the following:

  • We use Pre-Auth code flow to authorise only one credential (extracting employee data from the HR DB).
  • The credential is signed with the eIDAS certificate owned by the legal representative (a natural person).
  • After the Token Response, the Wallet can suspend the flow until the employee receives a notification that the legal representative has signed the credential (from minutes to days). There is no need for polling the (Deferred) Credential endpoint until the Credential is ready, given the timing.
  • Once the employee receives the notification, she can restart the flow by using the UI of the Wallet to select the suspended Token Response and activate it.

I would like to have the credential_configuration_id explicitly associated to the Token Response, so the Wallet can display to the user the proper information for restart. Of course, it is not strictly required, because the Wallet can derive the credential_configuration_id from the Credential Offer, but I think putting it also in the Token Response makes the flow more "self-documented" and less prone to errors.

@jogu jogu mentioned this issue Feb 28, 2024
Closed
@jogu jogu mentioned this issue Sep 6, 2024
Open
@Sakurann
Copy link
Collaborator

@hesusruiz putting pending-close and closing in a week unless objections, since i believe what you have been asking for has been enabled in #392.
Please take a look at https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#section-3.3.4 too

@Sakurann
Copy link
Collaborator

closing #279 (comment) conditional to "including in the spec the clarification of #242. As a clarification I consider your #242 (comment)"

@Sakurann Sakurann added this to the 1.1 milestone Jan 23, 2025
@hesusruiz
Copy link
Author

@hesusruiz putting pending-close and closing in a week unless objections, since i believe what you have been asking for has been enabled in #392. Please take a look at https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#section-3.3.4 too

Looks good to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
clarification pending close
Projects
None yet
Milestone
1.1
Development

No branches or pull requests
5 participants
@jogu @tlodderstedt @hesusruiz @Sakurann @babisRoutis