Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange? from Alen Horvat on 2023-08-08 (public-credentials@w3.org from August 2023)

From: Alen Horvat <horvat.alen@yahoo.com>
Date: Tue, 8 Aug 2023 09:48:16 +0200
To: Rein Krul <info@reinkrul.nl>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Matti Taimela <matti@taimela.com>
Message-Id: <8A414C79-0ED3-4DA9-97C5-EC77A36FB328@yahoo.com>

Hi,

If you see EBSI’s flow as a valuable starting point, we can elaborate on the design and see how we could standardise the flow.
Note that the full flow consists of other existing standards.

BR, Alen

> On 4 Aug 2023, at 14:16, Rein Krul <info@reinkrul.nl> wrote:
> 
> Hello everyone,
> 
> At the Nuts Foundation (https://github.com/nuts-foundation) we use DIDs, Verifiable Credentials and Presentations to facilitate decentralized healthcare data exchanges. There are basically 2 access authorization flows, the first one being with a user involved, for which we use OpenID4VP (https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). The second flow is authorizing server-to-server exchanges, also involving an OAuth2 access token, but which isn't an OpenID4VP flow.
> 
> For this server-to-server exchange, a simplified OAuth2 flow is desirable (like JWT bearer grant type), which uses DIF Presentation Exchanges for authorizing the request. But this does not seem to be standardized.
> 
> What I found so far:
> 
> The OpenID4VC spec suite is aimed at flows with an actual user with a browser/device involved, and are a bad match for server-to-server exchanges (redirects, overly complex auth code flow).
> There is RFC7523, OAuth2 JWT Bearer Grant, using a JWT signed by the client to get an access token, which is a good fit for server-to-server exchanges. But it obviously doesn't specify how to combine it with a DIF Presentation Exchange.
> EBSI (European Blockchain Service Infrastructure) specifies service-to-service exchange which is a sort of extended RFC7523. It looks promising, but is not standardized (see https://api-conformance.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3#service-to-service-token-flow)
> Note: the EU specified OpenID4VP in its Wallet Architecture Reference Framework, but server-to-server exchanges are not specified (see https://digital-strategy.ec.europa.eu/en/library/european-digital-identity-architecture-and-reference-framework-outline)
> Is there (previous) work on, or interest for, such a standard? Or do you know of any initiatives to standardize it?
> 
> 
> 
> With best regards,
> Rein Krul
> 
> https://github.com/reinkrul
> 
> 
> 
>

Received on Tuesday, 8 August 2023 07:48:40 UTC