Skip to content

Adds requirements regarding Issuance flow with external Authorization Servers #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nanderstabel wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Adds requirements regarding Issuance flow with external Authorization Servers #65

nanderstabel wants to merge 1 commit into from

Conversation

@nanderstabel
Copy link

@nanderstabel nanderstabel commented Aug 11, 2025
edited
Loading

(reopened from #64)

As described in #62.

This PR also includes some editorial fixes that where added to the spec.md file in #57, but where not included to the index.html file yet

@nanderstabel nanderstabel marked this pull request as ready for review August 11, 2025 12:54
@nanderstabel nanderstabel mentioned this pull request Aug 11, 2025
Closed
TimoGlastra
TimoGlastra reviewed Aug 21, 2025
View reviewed changes
spec/spec.md

**Requirement: DIIP-compliant [[ref: Wallet]]s MUST NOT assume the [[ref: Authorization Server]] is on the same domain as the [[ref: Issuer]].**

**Requirement: If the [[ref: Authorization Server]] is a separate entity, then DIIP-compliant [[ref: Issuer]]s MUST include the `issuer_state` parameter in the Credential Offer during the *Authorization Code Flow*.**
Copy link
Collaborator

@TimoGlastra TimoGlastra Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an implementation detail between the issuer and authorization server, and i see no need to standardize/require this. If you as an issuer want to work with an external authorization, you need to arrange with the authorization server how you can link the offer back to the issuance session

TimoGlastra
TimoGlastra reviewed Aug 21, 2025
View reviewed changes
spec/spec.md

**Requirement: If the [[ref: Authorization Server]] is a separate entity, then DIIP-compliant [[ref: Issuer]]s MUST include the `issuer_state` parameter in the Credential Offer during the *Authorization Code Flow*.**

**Requirement: If the [[ref: Authorization Server]] is a separate entity, then DIIP-compliant [[ref: Authorization Server]]s MUST issue Access Tokens as JWTs, compliant with the [[ref: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens]]. The `issuer_state` value that it received via the Authorization Request from the [[ref: Wallet]] MUST be included as a claim in the Access Token JWT.**
Copy link
Collaborator

@TimoGlastra TimoGlastra Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, this is something that can be decided on a case by case basis. It makes sense for most deployments, but if an issuer and authorization server decide to do it differently it has 0 impact on interoperability. I don't think this should be a requirement

TimoGlastra
TimoGlastra reviewed Aug 21, 2025
View reviewed changes
spec/spec.md

**Requirement: If the [[ref: Authorization Server]] is a separate entity, then DIIP-compliant [[ref: Authorization Server]]s MUST issue Access Tokens as JWTs, compliant with the [[ref: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens]]. The `issuer_state` value that it received via the Authorization Request from the [[ref: Wallet]] MUST be included as a claim in the Access Token JWT.**

**Requirement: If the [[ref: Authorization Server]] is a separate entity, then DIIP-compliant [[ref: Issuer]]s MUST issue the `pre-authorized_code` as a JWT when using the *Pre-Authorized Code Flow*. This JWT MUST be signed by the [[ref: Issuer]] and MUST contain the `issuer_state` as a claim. The [[ref: Authorization Server]] MUST validate this JWT and then include the extracted `issuer_state` into the Access Token JWT it issues to the [[ref: Wallet]].**
Copy link
Collaborator

@TimoGlastra TimoGlastra Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again not sure why we this, this seems like implementation details and not relevant to the interoperability between the wallet and issuer.

@nklomp nklomp changed the base branch from main to develop September 25, 2025 11:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TimoGlastra TimoGlastra TimoGlastra left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nanderstabel @TimoGlastra