-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add transaction_data #197
base: main
Are you sure you want to change the base?
add transaction_data #197
Changes from all commits
b2f69ec
7d47e4b
1f15ab3
76380c6
351bf76
923aabd
cc55aa3
681677f
bd9b35b
6d871c8
8e5792f
dab521c
2e29da5
0acd29a
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -7,7 +7,7 @@ keyword = ["security", "openid", "ssi"] | |||||
|
||||||
[seriesInfo] | ||||||
name = "Internet-Draft" | ||||||
value = "openid-4-verifiable-presentations-1_0-21" | ||||||
value = "openid-4-verifiable-presentations-1_0-22" | ||||||
status = "standard" | ||||||
|
||||||
[[author]] | ||||||
|
@@ -269,7 +269,17 @@ A public key to be used by the Wallet as an input to the key agreement to encryp | |||||
: OPTIONAL. A string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present. | ||||||
|
||||||
If the Verifier set the `request_uri_method` parameter value to `post` and there is no other means to convey its capabilities to the Wallet, it SHOULD add the `client_metadata` parameter to the Authorization Request. | ||||||
This enables the Wallet to assess the Verifier's capabilities, allowing it to transmit only the relevant capabilities through the `wallet_metadata` parameter in the Request URI POST request. If the Verifier uses the `client_id_scheme` parameter in the Request Object, it MUST also add the same `client_id_scheme` value in the Authorization Request. | ||||||
This enables the Wallet to assess the Verifier's capabilities, allowing it to transmit only the relevant capabilities through the `wallet_metadata` parameter in the Request URI POST request. If the Verifier uses the `client_id_scheme` parameter in the Request Object, it MUST also add the same `client_id_scheme` value in the Authorization Request. | ||||||
|
||||||
`transaction_data`: | ||||||
: OPTIONAL. Array of strings, where each string is a base64url encoded JSON object that contains a typed parameter set with details about the transaction that the Verifier is requesting the End-User to authorize. See (#transaction_data) for details. The Wallet MUST return an error if a request contains even one unrecognized transaction data type or transaction data not conforming to the respective type definition. Each object consists of the following parameters: | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I have a feeling there's an unintended consequence here between this PR (if merged after 1.0) and the extensibility PR. I think this language says "a wallet MUST fail a request that includes a I think we need the first behaviour - i.e. particularly when using the browser api, a wallet that doesn't support transaction_data must never say it can satisfy a request that contains transaction_data. If we agree on that, then I can see two solutions:
|
||||||
|
||||||
* `type`: REQUIRED. String that is the Identifier of the transaction data type and determines the allowable contents of the object that contains it. The specific values are out of scope of this specification. It is RECOMMENDED to use collision-resistant names for `type` values. | ||||||
* `credential_ids`: REQUIRED. Array of strings each pointing to an identifier that identifies a set of information describing a Credential that the Verifier is requesting transaction data in a particular object to be bound to (Input Descriptor in Presentation Exchange). | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. adding one little generalization to the generalization you did (thanks for that generalization btw)
Suggested change
|
||||||
The claim transaction_data_alg indicates the hash algorithm used to generate the digests. If the claim is not present, a default value of sha-256 MUST be used. | ||||||
* `transaction_data_hashes_alg`: OPTIONAL. Array of strings each representing a hash algorithm identifier, one of which MUST be used to calculate hashes in `transaction_data_hashes` response parameter. The value of the identifier MUST be a hash algorithm value from the "Hash Name String" column in the IANA "Named Information Hash Algorithm" registry [IANA.Hash.Algorithms] or a value defined in another specification and/or profile of this specification. If this parameter is not present, a default value of `sha-256` MUST be used. To promote interoperability, implementations MUST support the sha-256 hash algorithm. | ||||||
|
||||||
Each document defining a transaction data type specifies whether that type requires a Credential that is bound to transaction data to be specifically issued for that purpose. How the Credential Issuer expresses that a particular Credential can be used for obtaining user's authorization using transaction data mechanism is out of scope for this specification. | ||||||
|
||||||
The following additional considerations are given for pre-existing Authorization Request parameters: | ||||||
|
||||||
|
@@ -293,7 +303,7 @@ GET /authorize? | |||||
&nonce=n-0S6_WzA2Mj HTTP/1.1 | ||||||
``` | ||||||
|
||||||
The following is a non-normative example of an Authorization Request with a `request_uri_method` parameter (including the additional `client_id_scheme` and `client_metadata` parameters): | ||||||
The following is a non-normative example of an Authorization Request with a `request_uri_method` parameter (including the additional `client_id_scheme`, `client_metadata` and `transaction_data` parameters): | ||||||
|
||||||
``` | ||||||
GET /authorize? | ||||||
|
@@ -302,6 +312,7 @@ GET /authorize? | |||||
&client_metadata=... | ||||||
&request_uri=https%3A%2F%2Fclient.example.org%2Frequest%2Fvapof4ql2i7m41m68uep | ||||||
&request_uri_method=post HTTP/1.1 | ||||||
&transaction_data=... | ||||||
``` | ||||||
|
||||||
## `presentation_definition` Parameter {#request_presentation_definition} | ||||||
|
@@ -430,7 +441,7 @@ When the Verifier is sending a Request Object as defined in [@!RFC9101], the `au | |||||
|
||||||
Note: "https://self-issued.me/v2" is a symbolic string and can be used as an `aud` Claim value even when this specification is used standalone, without SIOPv2. | ||||||
|
||||||
## Verifier Metadata Management {#client_metadata_management} | ||||||
## Verifier Metadata Management (Client Identifier schemes) {#client_metadata_management} | ||||||
|
||||||
The `client_id_scheme` enables deployments of this specification to use different mechanisms to obtain and validate metadata of the Verifier beyond the scope of [@!RFC6749]. The term `client_id_scheme` is used since the Verifier is acting as an OAuth 2.0 Client. | ||||||
|
||||||
|
@@ -745,7 +756,18 @@ The following is a non-normative example of the payload of the JWT used in the e | |||||
|
||||||
<{{examples/response/jarm_jwt_vc_json_body.json}} | ||||||
|
||||||
## Error Response | ||||||
## Transaction Data {#transaction_data} | ||||||
|
||||||
The transaction data mechanism enables a binding between the user's identification/authentication and the user’s authorization, for example to complete a payment transaction, or to sign specific document(s) using QES (Qualified Electronic Signatures). This is achieved by signing the transaction data used for user authorization with the user-controlled key used for proof of possession of the Credential being presented as a means for user identification/authentication. | ||||||
|
||||||
The Wallet that received the `transaction_data` parameter in the request MUST include in the response a `transaction_data_hashes` parameter defined below. If the wallet does not support `transaction_data` parameter, it MUST return an error. | ||||||
|
||||||
Where to include`transaction_data_hashes` parameter in the response is specific to each credential format and is defined in a respective Credential Format Profile. | ||||||
|
||||||
* `transaction_data_hashes`: Array of hashes, where each hash is calculated using a hash function over the strings received in the `transaction_data` request parameter. Each hash value ensures the integrity of, and maps to, the respective transaction data object. Where in the response this parameter is included is defined by each Credential Format Profile, but it has to be included in the mechanism used for the proof of possession of the Credential that is signed using the user-controlled key. | ||||||
* `transaction_data_hashes_alg`: REQUIRED when this parameter was present in the `transaction_data` request parameter. String representing a hash algorithm identifier used to calculate hashes in `transaction_data_hashes` response parameter. | ||||||
|
||||||
## Error Response {#error_response} | ||||||
|
||||||
The error response follows the rules as defined in [@!RFC6749], with the following additional clarifications: | ||||||
|
||||||
|
@@ -790,11 +812,19 @@ This document also defines the following additional error codes and error descri | |||||
|
||||||
- The value of the `request_uri_method` request parameter is neither `get` nor `post` (case-sensitive). | ||||||
|
||||||
`invalid_transaction_data`: | ||||||
|
||||||
- any of the following is true for at least one object in the transaction_data structure: | ||||||
- contains an unknown transaction data type value, | ||||||
- is an object of known type but containing unknown fields, | ||||||
- contains fields of the wrong type for the transaction data type, | ||||||
- contains fields with invalid values for the transaction data type, or | ||||||
- is missing required fields for the transaction data type. | ||||||
|
||||||
`wallet_unavailable`: | ||||||
|
||||||
- The Wallet appears to be unavailable and therefore unable to respond to the request. It can be useful in situations where the user agent cannot invoke the Wallet and another component receives the request while the End-User wishes to continue the journey on the Verifier website. For example, this applies when using claimed HTTPS URIs handled by the Wallet provider in case the platform cannot or does not translate the URI into a platform intent to invoke the Wallet. In this case, the Wallet provider would return the Authorization Error Response to the Verifier and might redirect the user agent back to the Verifier website. | ||||||
|
||||||
|
||||||
## VP Token Validation | ||||||
|
||||||
Verifiers MUST validate the VP Token in the following manner: | ||||||
|
@@ -1907,6 +1937,8 @@ Setting `limit_disclosure` property defined in [@!DIF.PresentationExchange] to ` | |||||
|
||||||
A non-normative example of the Authorization Response would look the same as in the examples of other Credential formats in this Annex. | ||||||
|
||||||
The `transaction_data_hashes` response parameter defined in (#transaction_data) MUST be included in the Key Binding JWT as a top level claim. This means that transaction data mechanism cannot be used with SD-JWT VCs without cryptographic key binding and, therefore, do not use KB JWT. | ||||||
|
||||||
The following is a non-normative example of the content of the `presentation_submission` parameter: | ||||||
|
||||||
<{{examples/response/ps_sd_jwt_vc.json}} | ||||||
|
@@ -2050,6 +2082,10 @@ The technology described in this specification was made available from contribut | |||||
|
||||||
[[ To be removed from the final specification ]] | ||||||
|
||||||
-22 | ||||||
|
||||||
* add transaction data mechanism | ||||||
|
||||||
-21 | ||||||
|
||||||
* removed `client_metadata_uri` authorization parameter | ||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi,
questions:
a) Is transaction data different from a consent?
b) Transaction data needs to be displayed to the end user, except if it's a M2M exchange. Keeping it generic, can lead to implementation issues. Should at least "display" or similar parameter be defined?
c) Should the RAR or PE (presentation definition?) syntax be reused? (https://datatracker.ietf.org/doc/html/rfc9396#name-authorization-request)
d) Explicit yes/no: default mode is that the user must authorise all actions, or the transaction fails?
e) If user declines 1 action, should it be recorded?
f) Is there a need for more elaborate transactions, such as conditional statements (e.g., you must answer all, you must answer to some of the questions), supporting multiple options (e.g., do you want to tip 5, 10 or 20%)? Or for QES: select a signature profile (e.g., advanced, qualified).
We introduced something similar about 2 years ago for our B2B/M2M VP exchange (https://hub.ebsi.eu/conformance/learn/verifiable-presentation-exchange#service-to-service-token-flow). We defined a simple key:value approach where, where key is a scope, and value is a VP definition. I believe this matches your definition of transaction_data. In our model, for a given action all conditions must be fulfilled, no conditional statements, no multiple options (like tipping).
Thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Alen,
a) transaction data is about authorization. the end user agrees to authorize a certain transaction (payments, QES, etc.)
b), c), f) specific details of transaction data are left to the experts of each use-case. so they will not be defined in openid4vp
d) yes, there is not partial succcess. we agreed to make that clearer. I just have not reflected in the PR text yet..
e) recorded where? in the wallet? according to eidas regulation, i think so?
I will look at the pointer! thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi. Thank you for the answers.
e) recorded by the "verifier"