[Openid-specs-ab] Issue #1441: [oidc4vci] Consider a simplified openid request option that only uses scopes (openid/connect)

Tobias Looker issues-reply at bitbucket.org
Tue Feb 22 22:47:32 UTC 2022


New issue 1441: [oidc4vci] Consider a simplified openid request option that only uses scopes
https://bitbucket.org/openid/connect/issues/1441/oidc4vci-consider-a-simplified-openid

Tobias Looker:

Currently the authorization request (https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html#name-authorization-request) requires the usage of the claims parameter to convey the elements of the request. Which means the way an OP comes to determine the authorization request is in fact a credential request is by inspecting the contents of the claims parameter. I suggest that a scope such as openid_credential be defined (as is the case in OIDC CP https://mattrglobal.github.io/oidc-client-bound-assertions-spec/) and be included as the basis for detecting the nature of the request. Using this scope we can also offer simpler credential request examples that negate the need for the claims request object.

For example, by defining this scope, the simplest credential request could be simplified to:

```
GET /authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb
    &scope=openid openid_credential
    &state=af0ifjsldkj
```

Which simply indicates that the client is requesting authorisation to all credentials offered by the provider.

Given a provider may support multiple credential types, the syntax of this scope could be extended to encode the credential type, e.g.

```
GET /authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb
    &scope=openid openid_credential:credential_type_1 openid_credential:credential_type_2
    &state=af0ifjsldkj
```

This request indicates that the client is requesting authorization to two credential types offered by the provider (credential_type_1 and credential_type_2).
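
The following is an added example, not part of the original post or of any OpenID specification: a sketch of how an OP could detect a credential request from the scope parameter alone, using the `openid_credential` and `openid_credential:<type>` forms proposed above. The function name, the set of supported types and the choice to reject unsupported types outright are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

CREDENTIAL_SCOPE = "openid_credential"  # scope name proposed in the post
# Assumption: the credential types this hypothetical provider offers.
SUPPORTED_TYPES = frozenset({"credential_type_1", "credential_type_2"})


class ScopeError(ValueError):
    """The scope parameter is malformed or names an unsupported type."""


def classify_request(url, supported=SUPPORTED_TYPES):
    """Return (is_credential_request, sorted requested credential types)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("scope", [])
    # A duplicated scope parameter is ambiguous, so refuse it.
    if len(values) != 1:
        raise ScopeError("scope must appear exactly once")
    scopes = values[0].split()
    if "openid" not in scopes:
        raise ScopeError("not an OpenID request: 'openid' scope missing")

    requested, wants_all = set(), False
    for s in scopes:
        if s == CREDENTIAL_SCOPE:
            # Bare scope: all credentials the provider offers.
            wants_all = True
        elif s.startswith(CREDENTIAL_SCOPE + ":"):
            ctype = s[len(CREDENTIAL_SCOPE) + 1:]
            # Assumption: unknown or empty types are rejected, not ignored,
            # so the grant never silently differs from what was requested.
            if ctype not in supported:
                raise ScopeError(f"unsupported credential type: {ctype!r}")
            requested.add(ctype)
    if wants_all:
        requested = set(supported)
    return (wants_all or bool(requested)), sorted(requested)
```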
