Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange?

Hi Rein,

Our HIE of One project is also demonstrating standards-based, decentralized
health information exchange. We’re trying to optimize for self-sovereign
(decentralized) communities that can offer customer support to the
self-sovereign patients and physicians.

Based on a decade of experience with OAuth-based flows in the health
information exchange context, we’re instead using IETF GNAP to present
standard VCs as part of the request to the authorization server. I’m happy
to share more directly, or via this list.

Adrian

On Mon, Aug 7, 2023 at 2:18 PM Dmitri Zagidulin <dzagidulin@gmail.com>
wrote:

> Hi Rein,
> Thanks for bringing this up, I'm also curious about this topic!
>
> Can you say a bit more about the use case? What sort of use case will you
> be using server-to-server request credentials flow for?
>
> Dmitri
>
> On Mon, Aug 7, 2023 at 10:36 AM Rein Krul <info@reinkrul.nl> wrote:
>
>> Hello everyone,
>>
>> At the Nuts Foundation (https://github.com/nuts-foundation) we use DIDs,
>> Verifiable Credentials and Presentations to facilitate decentralized
>> healthcare data exchanges. There are basically 2 access
>> authorization flows, the first one being with a user involved, for which we
>> use OpenID4VP (
>> https://openid.net/specs/openid-4-verifiable-presentations-1_0.html).
>> The second flow is authorizing server-to-server exchanges, also involving
>> an OAuth2 access token, but which isn't an OpenID4VP flow.
>>
>> For this server-to-server exchange, a simplified OAuth2 flow is desirable
>> (like JWT bearer grant type), which uses DIF Presentation Exchanges for
>> authorizing the request. But this does not seem to be standardized.
>>
>> What I found so far:
>>
>>    - The OpenID4VC spec suite is aimed at flows with an actual user with
>>    a browser/device involved, and is a bad match for server-to-server
>>    exchanges (redirects, overly complex auth code flow).
>>    - There is RFC7523, OAuth2 JWT Bearer Grant, using a JWT signed by
>>    the client to get an access token, which is a good fit for server-to-server
>>    exchanges. But it obviously doesn't specify how to combine it with a DIF
>>    Presentation Exchange.
>>    - EBSI (European Blockchain Service Infrastructure) specifies
>>    service-to-service exchange which is a sort of extended RFC7523. It looks
>>    promising, but is not standardized (see
>>    https://api-conformance.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3#service-to-service-token-flow
>>    )
>>       - Note: the EU specified OpenID4VP in its Wallet Architecture
>>       Reference Framework, but server-to-server exchanges are not specified (see
>>       https://digital-strategy.ec.europa.eu/en/library/european-digital-identity-architecture-and-reference-framework-outline
>>       )
>>
>> Is there (previous) work on, or interest in, such a standard? Or do you
>> know of any initiatives to standardize it?
>>
>>
>> With best regards,
>> Rein Krul
>>
>> https://github.com/reinkrul
>>
>>
>>

Received on Monday, 7 August 2023 20:50:32 UTC
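As an added example (not Nuts Foundation code and not from any poster in this thread), the checks an authorization server would run on an RFC 7523 JWT bearer grant before issuing an access token, which is the server-to-server building block Rein's message discusses. The client key, token endpoint URL and DIDs are constructed, and HS256 is used only to keep the example standard-library only; a real deployment would verify an asymmetric signature against a registered key.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret registered for the client at the AS (a real deployment
# would use an asymmetric key, e.g. one resolved from the client's DID document).
CLIENT_KEY = b"constructed-example-client-secret"
TOKEN_ENDPOINT = "https://as.example.org/token"   # constructed
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_assertion(claims: dict, key: bytes = CLIENT_KEY) -> str:
    """Client side: build an HS256-signed JWT to send as the RFC 7523 assertion."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_grant(form: dict, key: bytes = CLIENT_KEY, now=None) -> dict:
    """AS side: the RFC 7523 section 3 checks, run before any token is issued.
    Returns the verified claims; raises ValueError on any failure."""
    if form.get("grant_type") != GRANT_TYPE:
        raise ValueError("unsupported grant_type")
    try:
        h, p, s = form["assertion"].split(".")
    except (KeyError, ValueError):
        raise ValueError("malformed assertion")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    for c in ("iss", "sub", "aud", "exp"):
        if c not in claims:
            raise ValueError(f"missing claim {c}")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if TOKEN_ENDPOINT not in aud:
        raise ValueError("aud does not name this token endpoint")
    if (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("assertion expired")
    return claims
```

The `aud` check is what stops an assertion minted for one authorization server from being replayed at another; the grant only becomes a bearer token after every check passes.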