- From: Rein Krul <info@reinkrul.nl>
- Date: Fri, 4 Aug 2023 14:16:57 +0200 (CEST)
- To: public-credentials@w3.org
- Message-ID: <1522173955.64114.1691151417105@s.appsuite.hostnet.nl>

Hello everyone,

At the Nuts Foundation (https://github.com/nuts-foundation) we use DIDs, Verifiable Credentials and Presentations to facilitate decentralized healthcare data exchanges. There are basically 2 access authorization flows, the first one being with a user involved, for which we use OpenID4VP (https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). The second flow is authorizing server-to-server exchanges, also involving an OAuth2 access token, but which isn't an OpenID4VP flow.

For this server-to-server exchange, a simplified OAuth2 flow is desirable (like JWT bearer grant type), which uses DIF Presentation Exchanges for authorizing the request. But this does not seem to be standardized.

What I found so far:

* The OpenID4VC spec suite is aimed at flows with an actual user with a browser/device involved, and is a bad match for server-to-server exchanges (redirects, overly complex auth code flow).
* There is RFC7523, OAuth2 JWT Bearer Grant, using a JWT signed by the client to get an access token, which is a good fit for server-to-server exchanges. But it obviously doesn't specify how to combine it with a DIF Presentation Exchange.
* EBSI (European Blockchain Service Infrastructure) specifies service-to-service exchange which is a sort of extended RFC7523. It looks promising, but is not standardized (see https://api-conformance.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3#service-to-service-token-flow)
  o Note: the EU specified OpenID4VP in its Wallet Architecture Reference Framework, but server-to-server exchanges are not specified (see https://digital-strategy.ec.europa.eu/en/library/european-digital-identity-architecture-and-reference-framework-outline)

Is there (previous) work on, or interest for, such a standard? Or do you know of any initiatives to standardize it?

With best regards,

Rein Krul
https://github.com/reinkrul

Received on Monday, 7 August 2023 14:32:46 UTC