[Openid-specs-ab] OpenID Connect Key Binding vs OpenID Connect UserInfo Verifiable Credentials

Dick Hardt dick.hardt at gmail.com
Thu Aug 21 17:38:10 UTC 2025


Here is my homework as assigned by the working group chair. :)

KB = OpenID Connect Key Binding
UVC = OpenID Connect UserInfo Verifiable Credentials
Links to specs at bottom


*Tl;dr:*
KB adds the key to an ID Token
UVC creates a verifiable credential with same info, but VC syntax
KB does it in one call to OP
UVC requires two calls to OP

*Key Bound Token*
KB outputs an id_token that includes a `cnf` claim of the public key
UVC outputs a verifiable credential with a `did:jwk:ey...` claim
Both include all the same user claims


*Authentication Request*
- KB uses `dpop` scope as well as `dpop_jkt` parameter
- UVC uses `userinfo_credential`

KB has extra layer of security as `dpop_jkt` provides additional assurance
between authentication request and token request

*Token Request*
- KB - RP passes DPoP JWT as header
- UVC has no changes

*Token Response*
- KB - OP passes back id_token that includes `cnf` claim
- UVC - OP passes back an access_token as well as c_nonce and c_nonce_expires_in

At this point, KB has completed the key binding ...

*Credential Request and Response*
UVC continues on
- RP generates a verifiable credential request and passes it with the access_token as a bearer token to the OP's credential endpoint
- OP returns a verifiable credential


https://dickhardt.github.io/openid-key-binding/main.html
https://github.com/dickhardt/openid-key-binding

https://openid.net/specs/openid-connect-userinfo-vc-1_0.html
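Added example (not part of Dick Hardt's message, the KB draft or the UVC spec): the RP-side check that closes the KB flow at the token response, where the message says "KB has completed the key binding". The RP compares three things that must all point at the same key: the `dpop_jkt` it sent in the authentication request, the public `jwk` in the header of the DPoP proof it sent with the token request, and the `cnf` claim in the returned id_token. The code assumes `cnf` carries either a `jkt` thumbprint (as RFC 9449 does for access tokens) or an embedded `jwk` (RFC 7800); which form the KB draft mandates is not stated in the message. Thumbprints are computed per RFC 7638. Signature verification of the id_token and of the DPoP proof is assumed to have happened already, and all keys, claims and identifiers below are constructed sample values, not real curve points or a real OP.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the members that feed the thumbprint hash, per key type.
# Everything else (kid, use, alg, private members) is excluded from the hash.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 JWK thumbprint, the value RFC 9449 puts in the
    dpop_jkt request parameter and in the cnf.jkt confirmation claim."""
    kty = jwk.get("kty")
    if kty not in THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    members = THUMBPRINT_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members {missing}")
    # Canonical form: required members only, lexicographic order, no whitespace.
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url_nopad(hashlib.sha256(canonical.encode("utf-8")).digest())


def cnf_thumbprint(cnf: dict):
    """Thumbprint designated by an RFC 7800 cnf claim, or None if it has neither
    a jkt nor an embedded jwk (assumption: KB uses one of these two forms)."""
    if "jkt" in cnf:
        return str(cnf["jkt"])
    if "jwk" in cnf:
        return jwk_thumbprint(cnf["jwk"])
    return None


def check_key_binding(id_token_claims: dict, dpop_proof_header: dict,
                      dpop_jkt_sent: str) -> dict:
    """RP-side consistency checks on the KB token response. One boolean per
    check so a failure can be logged precisely rather than as a bare reject."""
    proof_key = dpop_proof_header.get("jwk") or {}
    bound = cnf_thumbprint(id_token_claims.get("cnf", {}))
    results = {
        "proof_key_present": bool(proof_key),
        # A DPoP proof header must carry the public key only; a private
        # member here means the RP leaked its key material to the OP.
        "proof_key_is_public": "d" not in proof_key,
        "cnf_present": bound is not None,
    }
    if not all(results.values()):
        results.update(cnf_matches_proof_key=False, cnf_matches_dpop_jkt=False)
        return results
    # The key the OP bound into the id_token is the key that signed the proof...
    results["cnf_matches_proof_key"] = hmac.compare_digest(
        bound, jwk_thumbprint(proof_key))
    # ...and the key pre-committed in the authentication request (dpop_jkt).
    results["cnf_matches_dpop_jkt"] = hmac.compare_digest(bound, dpop_jkt_sent)
    return results


def key_is_bound(id_token_claims, dpop_proof_header, dpop_jkt_sent) -> bool:
    return all(check_key_binding(id_token_claims, dpop_proof_header,
                                 dpop_jkt_sent).values())


# Constructed sample data (the x/y values are placeholders, not real P-256 points).
RP_DPOP_PUBLIC_JWK = {"kty": "EC", "crv": "P-256", "kid": "rp-dpop-2025", "use": "sig",
                      "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1wbGFjZWhvbGRlcg",
                      "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1wbGFjZWhvbGRlcg"}
OTHER_PUBLIC_JWK = dict(RP_DPOP_PUBLIC_JWK, x="ZGlmZmVyZW50LXgtY29vcmRpbmF0ZS1wbGFjZWhvbGRlcg")
DPOP_JKT_SENT = jwk_thumbprint(RP_DPOP_PUBLIC_JWK)          # sent with `dpop` scope
DPOP_PROOF_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": RP_DPOP_PUBLIC_JWK}
ID_TOKEN_CLAIMS = {"iss": "https://op.example", "sub": "248289761001",     # constructed
                   "aud": "rp-client-id", "cnf": {"jkt": DPOP_JKT_SENT}}

if __name__ == "__main__":
    print(json.dumps(check_key_binding(ID_TOKEN_CLAIMS, DPOP_PROOF_HEADER,
                                       DPOP_JKT_SENT), indent=2))
```

The per-check dictionary is deliberate: a `cnf_matches_dpop_jkt` failure with `cnf_matches_proof_key` passing means the OP bound the key from the token request rather than the one committed in the authentication request, which is exactly the extra assurance the message attributes to `dpop_jkt`, and is worth a distinct log line.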