[Openid-specs-ab] Issue #1465: OIDC4VCI: Alternative Authorization Flow (openid/connect)
tlodderstedt
issues-reply at bitbucket.org
Thu Mar 17 14:25:02 UTC 2022
New issue 1465: OIDC4VCI: Alternative Authorization Flow
https://bitbucket.org/openid/connect/issues/1465/oidc4vci-alternative-authorization-flow
Torsten Lodderstedt:
The spec currently utilizes the traditional OIDC/OAuth code flow to authorize access to the credential issuance endpoint. That works well for use cases where the wallet starts the issuance process towards the issuer. There are, however, use cases where the user starts the process ultimately resulting in the issuance of credentials at the issuer’s site. For those cases, we should add an alternative flow.
Sketch: the issuer generates a code and sends it to the wallet (or renders a QR code that is scanned with the user’s device). The wallet uses this code (working title pre-authorized code) to obtain an access token for the credential endpoint. There are additional security measures required to prevent replay of the pre-authorized code. Initial ideas include user PINs, FIDO keys, and callbacks/approvals by the user on the device where the flow started.
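The sketch above, written out as a runnable toy exchange between the two sides. This is an added example, not code from the issue, the OIDC4VCI draft or any wallet or issuer implementation: the grant-type string, parameter names (`pre-authorized_code`, `user_pin`, `user_pin_required`), the issuer URL and the TTLs and attempt limit are assumptions chosen for illustration. It shows the issuer minting the code on its own side (where the user started), the wallet redeeming it at a token endpoint, and the three replay controls the message hints at: the code is single-use, short-lived, and optionally bound to a user PIN that never travels in the offer and is checked in constant time with a bounded number of attempts. A second presentation of an already-used code is treated like an OAuth authorization-code replay: the code is dropped and any access token minted from it is revoked.

```python
"""Pre-authorized code flow, illustrative only. Wire names and values below
are assumptions, not the spec's."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

GRANT_TYPE = "urn:example:pre-authorized_code"  # assumed name for illustration
CODE_TTL_SECONDS = 300     # assumed: pre-authorized code lifetime
TOKEN_TTL_SECONDS = 600    # assumed: access token lifetime
MAX_PIN_FAILURES = 3       # assumed: online PIN-guessing budget per code


@dataclass
class _CodeRecord:
    credential_types: list
    pin_tag: Optional[bytes]   # HMAC of the user PIN under an issuer key; never the PIN itself
    expires_at: float
    used: bool = False
    pin_failures: int = 0


class Issuer:
    """Toy issuer: mints pre-authorized codes and runs a token and a credential endpoint."""

    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable for testing expiry
        self._pin_key = secrets.token_bytes(32)
        self._codes = {}                       # code -> _CodeRecord
        self._tokens = {}                      # access token -> metadata

    def _pin_tag(self, pin: str) -> bytes:
        return hmac.new(self._pin_key, pin.encode(), "sha256").digest()

    def create_offer(self, credential_types, user_pin=None):
        """Issuer side: the user started the flow here. Produce the offer handed to the
        wallet (e.g. rendered as a QR code). The PIN reaches the user out of band only."""
        code = secrets.token_urlsafe(32)       # 256 bits of entropy: guessing is infeasible
        self._codes[code] = _CodeRecord(
            list(credential_types),
            self._pin_tag(user_pin) if user_pin is not None else None,
            self._clock() + CODE_TTL_SECONDS,
        )
        return {"credential_issuer": "https://issuer.example",   # assumed URL
                "credentials": list(credential_types),
                "pre-authorized_code": code,
                "user_pin_required": user_pin is not None}

    def token_endpoint(self, request):
        """Exchange code (+ PIN) for an access token. Every failure returns the same
        generic error so a caller cannot tell 'unknown code' from 'wrong PIN'."""
        if request.get("grant_type") != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        code = request.get("pre-authorized_code", "")
        rec = self._codes.get(code)
        now = self._clock()
        if rec is None or now > rec.expires_at:
            self._codes.pop(code, None)
            return {"error": "invalid_grant"}
        if rec.used:
            # Replay: drop the code and revoke whatever was issued from it.
            self._codes.pop(code, None)
            for tok in [t for t, meta in self._tokens.items() if meta["code"] == code]:
                del self._tokens[tok]
            return {"error": "invalid_grant"}
        if rec.pin_tag is not None:
            pin = request.get("user_pin")
            if pin is None or not hmac.compare_digest(self._pin_tag(pin), rec.pin_tag):
                rec.pin_failures += 1
                if rec.pin_failures >= MAX_PIN_FAILURES:
                    del self._codes[code]      # lock out: bounds online guessing
                return {"error": "invalid_grant"}
        rec.used = True                        # single use from here on
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"code": code, "credentials": rec.credential_types,
                               "expires_at": now + TOKEN_TTL_SECONDS}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL_SECONDS}

    def credential_endpoint(self, access_token, credential_type):
        meta = self._tokens.get(access_token)
        if (meta is None or self._clock() > meta["expires_at"]
                or credential_type not in meta["credentials"]):
            return {"error": "invalid_token"}
        return {"credential": f"<credential:{credential_type}>"}   # stand-in for a real credential


def wallet_redeem(issuer, offer, user_pin=None):
    """Wallet side: redeem a scanned offer and fetch every offered credential."""
    req = {"grant_type": GRANT_TYPE, "pre-authorized_code": offer["pre-authorized_code"]}
    if offer["user_pin_required"]:
        req["user_pin"] = user_pin             # typed by the user from the issuer's screen
    tok = issuer.token_endpoint(req)
    if "error" in tok:
        return tok
    return {ct: issuer.credential_endpoint(tok["access_token"], ct)
            for ct in offer["credentials"]}
```

Two points are worth noting in practice. The PIN is the only thing that stops whoever can read the QR code (a shoulder-surfer, a leaked screenshot) from redeeming it, so it must travel on a different channel than the offer; here the offer only carries the boolean `user_pin_required`. And because the token endpoint answers with one generic error, the wallet learns nothing about which check failed, which is what keeps the PIN attempt budget meaningful.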