Define claims display description and claims path query #276
Conversation
| } | ||
| {"path": ["email"]}, | ||
| {"path": ["phone_number"]}, | ||
| {"path": ["address", "street_address"]}, |
There was a problem hiding this comment.
We would like to give display properties to an object of claims. The wallet could use this property when collapsing the object's claims in the UI. Is this possible and would the following be the right way?
If so, this should be part of an example.
{
"path": ["address"],
"display": [
{
"name": "Address",
"locale": "en-US"
},
{
"name": "Adresse",
"locale": "de-DE"
}
],
"value_type": "object"
},
{"path": ["address", "street_address"]},
There was a problem hiding this comment.
+1 for this! I think supporting this is mandatory for having a clear and defined way to present this kind of data to the user. Let's use the example from your documentation and extend it with an arbitrary example:
...
"address": {
"street_address": "42 Market Street",
"city": "Milliways",
"postal_code": "12345"
},
...
"work_address": {
"city": "Berlin",
...
},
I would expect/imagine this to be displayed in the ui similar to this:
place of residence
+- street: 42 Market Street
+- city: Milliways
`- post code: 12345
....
place of work
+- city: Berlin
+...
| @@ -1987,13 +1989,7 @@ The following additional Credential Issuer metadata parameters are defined for t | |||
|
|
|||
| * `credential_definition`: REQUIRED. Object containing the detailed description of the Credential type. It consists of at least the following two parameters: | |||
| * `type`: REQUIRED. Array designating the types a certain Credential type supports, according to [@VC_DATA], Section 4.3. | |||
| * `credentialSubject`: OPTIONAL. Object containing a list of name/value pairs, where each name identifies a claim offered in the Credential. The value can be another such object (nested data structures), or an array of such objects. To express the specifics about the claim, the most deeply nested value MAY be an object that includes the following parameters defined by this specification (other parameters MAY also be used): | |||
| * `mandatory`: OPTIONAL. Boolean which, when set to `true`, indicates that the Credential Issuer will always include this claim in the issued Credential. If set to `false`, the claim is not included in the issued Credential if the wallet did not request the inclusion of the claim, and/or if the Credential Issuer chose to not include the claim. If the `mandatory` parameter is omitted, the default value is `false`. | |||
| * `value_type`: OPTIONAL. String value determining the type of value of the claim. Valid values defined by this specification are `string`, `number`, and image media types such as `image/jpeg` as defined in IANA media type registry for images (https://www.iana.org/assignments/media-types/media-types.xhtml#image). Other values MAY also be used. | |||
There was a problem hiding this comment.
The types array and object should also be mentioned explicitly and used in examples.
How can the type of array elements be determined?
{"path": ["nationalities"], "value_type": "array"}
{"path": ["nationalities", null], "value_type": "string"}
Sakurann
requested review from
jogu,
selfissued,
c2bo,
tplooker,
awoie,
bc-pi,
ve7jtb and
pmhsfelix
| @@ -2215,7 +2194,7 @@ The following is a non-normative example of an object comprising the `credential | |||
| The following additional claims are defined for authorization details of type `openid_credential` and this Credential format. | |||
|
|
|||
| * `vct`: REQUIRED. String as defined in (#server-metadata-sd-jwt-vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. It MUST only be present if the `format` claim is present. It MUST not be present otherwise. | |||
| * `claims`: OPTIONAL. Object as defined in (#server-metadata-sd-jwt-vc) excluding the `display` and `value_type` parameters. `mandatory` parameter here is used by the Wallet to indicate to the Issuer that it only accepts Credential(s) issued with those claim(s). | |||
| * `claims`: OPTIONAL. An array of claims description objects as defined in (#claims-description), excluding the `display` and `value_type` parameters. The `mandatory` parameter here is used by the Wallet to indicate to the Issuer that it only accepts Credential(s) issued with those claim(s). | |||
There was a problem hiding this comment.
| * `claims`: OPTIONAL. An array of claims description objects as defined in (#claims-description), excluding the `display` and `value_type` parameters. The `mandatory` parameter here is used by the Wallet to indicate to the Issuer that it only accepts Credential(s) issued with those claim(s). | |
| * `claims`: OPTIONAL. An array of claims path queries as defined in (#claims-path-query). The parameter is used by the Wallet to indicate to the Issuer that it only accepts Credential(s) issued containing exactly those claim(s). |
There was a problem hiding this comment.
I put a comment in issue #266, but after today's WG call where a concern that this is a very big breaking change was raised, we discussed this internally with Microsoft engineers. We do not currently have use-cases with the claims that have nested structure and array-based solution is too big of a breaking change since we just finished implementing OpenID4VCI based on the text that went to ID-1 voting. So our preference is actually defining the new property nested which may contain descriptions about nested objects (original approach 2).
As a compromise for the existing implementations, my suggestion would be fixing the text that becomes ID-1 with nested approach. and than after ID-1, incorporating the array approach defined in this PR.
Then we need a new PR for that.
That would mean two breaking changes. |
Co-authored-by: Giuseppe De Marco <[email protected]>
|
Todos for me:
|
|
Updated, please re-review. |
| "family_name": {}, | ||
| "degree": {} | ||
| } | ||
| "credentialSubject": [ |
There was a problem hiding this comment.
This PR would be the opportunity to rename this to just 'claims'. The open question is whether this should then match all claims or start within "credentialSubject".
There was a problem hiding this comment.
@danielfett as I mentioned on the wgc it is possible for claims to be in the root of the vc in vcdm (eg. openbadgecredential). Therefore it needs to be
"claims": {
"path": ["credentialSubject", "given_name"],
"path": ["credentialSubject", "family_name"],
...
}
There was a problem hiding this comment.
This is a very good point and I'll make this change accordingly.
There was a problem hiding this comment.
In the latest change, I aligned the "claims" element between all credential formats, i.e., moved it one level higher, called it "claims" instead of "credentialSubject" and in the examples made the change shown in @sloops77's example.
| * `path`: REQUIRED if the Credential Format uses a JSON-based claims | ||
| structure; SHOULD NOT be present otherwise. The value MUST be a non-empty | ||
| array representing a claims path pointer that specifies the path to a claim | ||
| within the credential, as defined in (#claims_path_pointer). | ||
| * `namespace`: REQUIRED if the Credential Format is based on the mdoc format | ||
| defined in ISO 18013-5; SHOULD NOT be present otherwise. The value MUST be a | ||
| string that specifies the namespace of the data element within the mdoc, | ||
| e.g., `org.iso.18013.5.1`. | ||
| * `claim_name`: REQUIRED if the Credential Format is based on mdoc format | ||
| defined in ISO 18013-5; SHOULD NOT be present otherwise. The value MUST be a | ||
| string that specifies the data element identifier of the data element within | ||
| the provided namespace in the mdoc, e.g., `first_name`. |
There was a problem hiding this comment.
I wonder if we should change (remove namespace/claim_name) as per the discussion on openid/OpenID4VP#293
| "claims": [ | ||
| { | ||
| "namespace": "org.iso.18013.5.1", | ||
| "claim_name": ["given_name"] |
There was a problem hiding this comment.
Based on the definition here
Should all instances of claim_name have a value type of string not an array of strings?
| "claim_name": ["given_name"] | |
| "claim_name": "given_name" |
| @@ -34,38 +34,43 @@ | |||
| "credential_signing_alg_values_supported": [ | |||
| "ES256" | |||
| ], | |||
| "credential_definition": { | |||
| "credential_definition":{ | |||
There was a problem hiding this comment.
@context is not required for jwt_vc_json, right? https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#name-vc-signed-as-a-jwt-not-usin
| "birth_date": {} | ||
| "claims": [ | ||
| { | ||
| "namespace": "org.iso.18013.5.1", |
There was a problem hiding this comment.
this is missing path and does not match the claims description further down
| * `mandatory`: OPTIONAL. Boolean which, when set to `true`, indicates that the | ||
| Wallet will only accept a Credential that includes this claim. If set to | ||
| `false`, the claim is not required to be included in the Credential. If the | ||
| `mandatory` parameter is omitted, the default value is `false`. |
There was a problem hiding this comment.
I think authorization details really starts making sense, if we add value here, letting the Client say that he wants a Credential with particular values, which would be possible now. Is there any support for this?
There was a problem hiding this comment.
relevant issue: #262
I still think it would make sense to add as an optional feature for cases where you already know what you want (e.g., from another app) and want to provide a hint to the Issuer.
There was a problem hiding this comment.
Please open another issuer/PR so that we can discuss it there
| "namespace": "org.iso.18013.5.1", | ||
| "claim_name": "given_name", |
There was a problem hiding this comment.
I think using path for mdoc as well and use namespace+cliam_name as two array elements seems cleaner to me
There was a problem hiding this comment.
Discussed on the WG call today: tendency to do the change and do it now in VP and VCI.
| wallet did not request the inclusion of the claim, and/or if the Credential | ||
| Issuer chose to not include the claim. If the `mandatory` parameter is | ||
| omitted, the default value is `false`. | ||
| * `value_type`: OPTIONAL. String value determining the type of value of the |
There was a problem hiding this comment.
To me the value_type doesn't seem very thoughtthrough/complete, maybe its better to leave it out for this merge and add it later if we really want it
There was a problem hiding this comment.
@paulbastian i agree (I made a comment earlier listing a number of value_type values that are required to correctly format rendered claims). I think removing value_type for now and adding it back in with more consideration would make sense
There was a problem hiding this comment.
@paulbastian , @sloops77 I also agree with this (to remove value_type from this PR)
Current values (string, number etc) make little sense for mdoc, as @sloops77 commented a while ago.
I tend to believe that this is also the case for JSON based credentials.
For instance, is it helpful to have for claim birthdate a value_type string?
There was a problem hiding this comment.
It feels like we are mixing 2 aspects here: meta information for display and schema information.
Do we really need both? Do we need things like value types or information like this in metadata:
{"path": ["address", "locality"]},
{"path": ["address", "region"]},
{"path": ["address", "country"]},
{"path": ["birthdate"]},
{"path": ["is_over_18"]},I like the way the new display description works with its alignment to DCQL, but I feel we are trying to overload with too much (or I am not fully understanding the requirement which might very well be the case).
| * `mandatory`: OPTIONAL. Boolean which, when set to `true`, indicates that the | ||
| Wallet will only accept a Credential that includes this claim. If set to | ||
| `false`, the claim is not required to be included in the Credential. If the | ||
| `mandatory` parameter is omitted, the default value is `false`. |
There was a problem hiding this comment.
relevant issue: #262
I still think it would make sense to add as an optional feature for cases where you already know what you want (e.g., from another app) and want to provide a hint to the Issuer.
| * `claims`: OPTIONAL. An array of claims description objects as defined in (#claims-description-issuer-metadata). | ||
| * `credential_definition`: REQUIRED. Object containing the detailed description of the Credential type. It consists of the following parameter: |
There was a problem hiding this comment.
why is claims not part of credential_definition?
There was a problem hiding this comment.
It is a top-level element for all other formats, so should be one here as well.
Co-authored-by: Christian Bormann <[email protected]> Co-authored-by: Kristina <[email protected]> Co-authored-by: Micha Kraus <[email protected]>
| omitted, the default value is `false`. | ||
| * `value_type`: OPTIONAL. String value determining the type of value of the | ||
| claim. Valid values defined by this specification are `string`, `number`, | ||
| and image media types such as `image/jpeg` as defined in IANA media type |
| @@ -16,35 +16,44 @@ | |||
| "type": [ | |||
| "VerifiableCredential", | |||
| "UniversityDegreeCredential" | |||
| ] | |||
| }, | |||
| "@context": [ | |||
There was a problem hiding this comment.
@danielfett
@context is not supposed to be here. its already specified under credential_definition
Also please fix the indentation
| non-negative, 0-based integer). | ||
| - To address all elements within an array, append a null value to the array. | ||
|
|
||
| Verifiers MUST NOT point to the same claim more than once in a single query. |
There was a problem hiding this comment.
i think this reference to "Verifiers" should be removed or rephrased as it's not relevant to creating claims descriptions
| @@ -2085,15 +2085,9 @@ Cryptographic algorithm names used in the `credential_signing_alg_values_support | |||
|
|
|||
| The following additional Credential Issuer metadata parameters are defined for this Credential Format for use in the `credential_configurations_supported` parameter, in addition to those defined in (#credential-issuer-parameters). | |||
|
|
|||
| * `credential_definition`: REQUIRED. Object containing the detailed description of the Credential type. It consists of the following parameters defined by this specification: | |||
| * `claims`: OPTIONAL. An array of claims description objects as defined in (#claims-description-issuer-metadata). | |||
There was a problem hiding this comment.
given that claims is now generic across seemingly all credential formats can claims be added just once to the the Credential Type Metadata Parameters section?
Mainly fixes #266 based on https://vcstuff.github.io/sd-jwt-vc-types/danielfett/fix-claims/draft-fett-oauth-sd-jwt-vc-types.html#section-8
Also Fixes #272
Also Fixes #271