[Openid-specs-ab] Issue #1434: Dubious support for authentication (openid/connect)

David Chadwick issues-reply at bitbucket.org
Fri Feb 11 12:51:28 UTC 2022


New issue 1434: Dubious support for authentication
https://bitbucket.org/openid/connect/issues/1434/dubious-support-for-authentication

David Chadwick:

Standard OIDC supports authentication via the sub claim, and presumably the RP does not require any further claims because it assumes the OP’s data about the user is up to date and the user has been authenticated again. Nothing has changed since the last authentication event.

This no longer holds true for SIOPv2 with OIDC4VPs. In this case the user first registered/authenticated by presenting a set of possibly long lived VCs inside a VP. On subsequent authentication, the sub claim alone is not good enough, as all this proves is that the user has not changed the key pair on her mobile device that she first used to prove possession of the accompanying VCs. But the VCs might have changed. They might have been revoked or refreshed with different information. How is the RP to know this? The RP cannot contact the VC issuer as this breaks the privacy protection of the W3C VC data model.

Therefore the use of the sub claim alone is insufficient for a user authentication event when SIOPv2 and OIDC4VP were used on the first connection attempt.

My assertion is that the RP should always ask the user for the VCs/VP each time the user logs in, so that it can validate that the identity of the user has not changed.
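As an added illustration of the RP-side policy proposed above (example code written for this page, not from the issue, the OIDC specs or any implementation; the VC layout, the `did:example:` values and the `revoked` flag are constructed stand-ins), a toy relying party that refuses a `sub`-only login and re-verifies the presented credentials on every login:

```python
import hashlib
import json


# Constructed VC shape for the example. `holder` stands for the key/DID that
# `sub` identifies in SIOPv2; `revoked` is a placeholder for whatever status
# information the RP actually has (the issue notes it cannot ask the issuer).
def vc(issuer, holder, claims, expires_at, revoked=False):
    return {"issuer": issuer, "holder": holder, "claims": claims,
            "expires_at": expires_at, "revoked": revoked}


def identity_digest(credential):
    # Digest over issuer, holder and claims only: a refreshed VC carrying the
    # same information keeps its digest, one with different information does not.
    body = {k: credential[k] for k in ("issuer", "holder", "claims")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RelyingParty:
    def __init__(self, now):
        self.now = now        # injectable clock so the example is deterministic
        self.accounts = {}    # sub -> digests of the VCs seen at registration

    def verify_vp(self, sub, vp):
        """Holder binding plus per-VC validity checks (toy versions)."""
        if vp["holder"] != sub:
            return False, "VP not bound to the key identified by sub"
        for c in vp["credentials"]:
            if c["holder"] != sub:
                return False, "VC subject does not match presenter"
            if c["expires_at"] <= self.now():
                return False, "expired VC"
            if c["revoked"]:
                return False, "revoked VC"
        return True, "ok"

    def login(self, sub, vp=None):
        # A plain-OIDC policy would accept any known `sub` here. The proposed
        # policy requires a fresh VP on every login, not only on the first one.
        if vp is None:
            return False, "presentation required"
        ok, reason = self.verify_vp(sub, vp)
        if not ok:
            return False, reason
        digests = {identity_digest(c) for c in vp["credentials"]}
        if sub not in self.accounts:
            self.accounts[sub] = digests
            return True, "registered"
        if digests != self.accounts[sub]:
            return False, "credentials changed since registration; re-verify identity"
        return True, "authenticated"
```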
