Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange?

Hi Rein,
Thanks for bringing this up, I'm also curious about this topic!

Can you say a bit more about the use case? What sort of use case will you
be using server-to-server request credentials flow for?

Dmitri

On Mon, Aug 7, 2023 at 10:36 AM Rein Krul <info@reinkrul.nl> wrote:

> Hello everyone,
>
> At the Nuts Foundation (https://github.com/nuts-foundation) we use DIDs,
> Verifiable Credentials and Presentations to facilitate decentralized
> healthcare data exchanges. There are basically 2 access
> authorization flows, the first one being with a user involved, for which we
> use OpenID4VP (
> https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). The
> second flow is authorizing server-to-server exchanges, also involving an
> OAuth2 access token, but which isn't an OpenID4VP flow.
>
> For this server-to-server exchange, a simplified OAuth2 flow is desirable
> (like JWT bearer grant type), which uses DIF Presentation Exchanges for
> authorizing the request. But this does not seem to be standardized.
>
> What I found so far:
>
>    - The OpenID4VC spec suite is aimed at flows with an actual user with
>    a browser/device involved, and is a bad match for server-to-server
>    exchanges (redirects, overly complex auth code flow).
>    - There is RFC7523, OAuth2 JWT Bearer Grant, using a JWT signed by the
>    client to get an access token, which is a good fit for server-to-server
>    exchanges. But it obviously doesn't specify how to combine it with a DIF
>    Presentation Exchange.
>    - EBSI (European Blockchain Service Infrastructure) specifies
>    service-to-service exchange which is a sort of extended RFC7523. It looks
>    promising, but is not standardized (see
>    https://api-conformance.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3#service-to-service-token-flow
>    )
>       - Note: the EU specified OpenID4VP in its Wallet Architecture
>       Reference Framework, but server-to-server exchanges are not specified (see
>       https://digital-strategy.ec.europa.eu/en/library/european-digital-identity-architecture-and-reference-framework-outline
>       )
>
> Is there (previous) work on, or interest in, such a standard? Or do you
> know of any initiatives to standardize it?
>
>
> With best regards,
> Rein Krul
>
> https://github.com/reinkrul
>
>
>

Received on Monday, 7 August 2023 17:17:38 UTC
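Added example (not part of the thread, and not Nuts Foundation code): the RFC 7523 JWT bearer grant that the quoted message calls a good fit for server-to-server exchanges, shown from both sides. The client signs a short-lived assertion and wraps it in the token request; the token endpoint performs the checks RFC 7523 section 3 requires before issuing an access token (pinned algorithm, known issuer, signature, `sub` equals `iss`, audience, expiry, and `jti` replay rejection). Assumptions: HS256 with a shared secret stands in for the client's asymmetric key so the block runs on the standard library alone, and the token endpoint URL, client DID and secret are constructed values. The DIF Presentation Exchange binding the thread asks about is deliberately not modelled, since the message notes it is not standardized.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed values: the token endpoint acting as the JWT audience, and a
# client identified by a DID (assumed, not taken from any real deployment).
TOKEN_ENDPOINT = "https://as.example.org/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


class InvalidAssertion(Exception):
    """Raised by the token endpoint when a client assertion must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_assertion(client_id, key, audience, ttl=300, now=None):
    """Client side: build the RFC 7523 assertion.

    HS256 with a shared secret is an assumption made so the example needs no
    third-party library; a real client signs with its own asymmetric key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,            # who signed the assertion
        "sub": client_id,            # whose token is requested (the client itself)
        "aud": audience,             # the token endpoint that must accept it
        "iat": now,
        "exp": now + ttl,            # short lifetime bounds the replay window
        "jti": str(uuid.uuid4()),    # unique id so the AS can reject replays
    }
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(claims))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def build_token_request(assertion):
    """Form parameters the client POSTs to the token endpoint (RFC 7523 section 2.1)."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def verify_assertion(assertion, client_keys, audience, seen_jti, now=None, skew=60):
    """Authorization server side: RFC 7523 section 3 checks; returns the claims or raises."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise InvalidAssertion("not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise InvalidAssertion("malformed JWS segments")
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unexpected alg")
    key = client_keys.get(claims.get("iss"))
    if key is None:
        raise InvalidAssertion("unknown issuer")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidAssertion("bad signature")
    if claims.get("sub") != claims["iss"]:
        raise InvalidAssertion("subject does not match issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise InvalidAssertion("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + skew:
        raise InvalidAssertion("expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + skew:
        raise InvalidAssertion("issued in the future")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise InvalidAssertion("missing or replayed jti")
    seen_jti.add(jti)
    return claims
```

The `seen_jti` set stands in for whatever replay store the authorization server keeps; entries only need to live until the assertion's `exp` plus the accepted skew. The `aud` check is what stops an assertion minted for one token endpoint from being presented to another, which matters more, not less, once multiple healthcare nodes each run their own endpoint.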