Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange?

Hi Dmitri,

Our use case is exchange of medical records between care organizations. This could be an exchange between any 2 types of care-related (or non-care-related, or cross-domain) organization. E.g., a patient transfer from a hospital to a care home (e.g., patient is discharged). The care home then accesses 2 types of information at the hospital:

* Information without medical data or PII, e.g., metadata ("hospital XYZ wants to transfer a patient to your care organization"). This information can be accessed by systems without an actual person requesting the data (service-to-service).
* Records with medical data (health problems, interventions, lab results, etc) or PII (patient name, birthdate, etc). This information requires an actual person requesting the data by (Dutch) law.

So for exchanges where an actual person is requesting the data, OpenID4VP is used. For server-to-server exchanges, we're looking for a simplified flow (since no user consent/authentication or browser is involved).


Rein

> On 7 August 2023 at 19:17, Dmitri Zagidulin <dzagidulin@gmail.com> wrote:
> 
>     Hi Rein,
>     Thanks for bringing this up, I'm also curious about this topic!
> 
>     Can you say a bit more about the use case? What sort of use case will you be using server-to-server request credentials flow for?
> 
>     Dmitri
> 
>     On Mon, Aug 7, 2023 at 10:36 AM Rein Krul <info@reinkrul.nl> wrote:
> 
> >     Hello everyone,
> > 
> >     At the Nuts Foundation (https://github.com/nuts-foundation) we use DIDs, Verifiable Credentials and Presentations to facilitate decentralized healthcare data exchanges. There are basically 2 access authorization flows, the first one being with a user involved, for which we use OpenID4VP (https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). The second flow is authorizing server-to-server exchanges, also involving an OAuth2 access token, but which isn't an OpenID4VP flow.
> > 
> >     For this server-to-server exchange, a simplified OAuth2 flow is desirable (like JWT bearer grant type), which uses DIF Presentation Exchanges for authorizing the request. But this does not seem to be standardized.
> > 
> >     What I found so far:
> > 
> >     * The OpenID4VC spec suite is aimed at flows with an actual user with a browser/device involved, and is a bad match for server-to-server exchanges (redirects, overly complex auth code flow).
> >     * There is RFC7523, OAuth2 JWT Bearer Grant, using a JWT signed by the client to get an access token, which is a good fit for server-to-server exchanges. But it obviously doesn't specify how to combine it with a DIF Presentation Exchange.
> >     * EBSI (European Blockchain Service Infrastructure) specifies service-to-service exchange which is a sort of extended RFC7523. It looks promising, but is not standardized (see https://api-conformance.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3#service-to-service-token-flow)
> >         * Note: the EU specified OpenID4VP in its Wallet Architecture Reference Framework, but server-to-server exchanges are not specified (see https://digital-strategy.ec.europa.eu/en/library/european-digital-identity-architecture-and-reference-framework-outline)
> > 
> >     Is there (previous) work on, or interest for, such a standard? Or do you know of any initiatives to standardize it?
> > 
> >     With best regards,
> >     Rein Krul
> > 
> >     https://github.com/reinkrul


With kind regards,
Rein Krul


https://reinkrul.nl
e-mail: info@reinkrul.nl
tel.: +31 6 34411650

Received on Tuesday, 8 August 2023 13:22:54 UTC
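An added illustration of the RFC 7523 JWT bearer grant the thread compares against (example code, not Nuts, EBSI or any list member's code): the client builds a signed assertion, sends it as the `assertion` parameter of the token request, and the authorization server performs the checks RFC 7523 section 3 requires (signature, required claims, audience, expiry, `jti` replay). It assumes HS256 with a constructed shared secret so it runs on the standard library alone, and constructed `did:web` identifiers and token endpoint; how a DIF Presentation Exchange would be attached is the open question in the thread and is deliberately not shown.

```python
# Added example: minimal RFC 7523 JWT bearer grant, client side and server side.
# HS256 with a shared secret is an assumption so the block runs with the stdlib
# only; a DID-keyed deployment would use an asymmetric signature instead.
import base64, hashlib, hmac, json

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(issuer, subject, audience, secret, now, jti, lifetime=60):
    """Client side: the signed JWT sent as the 'assertion' parameter."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": jti}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def token_request(assertion):
    """Form parameters of the token request (RFC 7523 section 2.1)."""
    return {"grant_type": GRANT_TYPE, "assertion": assertion}

def validate_client_assertion(assertion, expected_audience, secret, now, seen_jtis):
    """Server side: checks the authorization server must perform (RFC 7523 section 3)."""
    try:
        h, c, s = assertion.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never trust the alg header blindly
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    for k in ("iss", "sub", "aud", "exp"):  # required claims
        if k not in claims: raise ValueError(f"missing {k}")
    if claims["aud"] != expected_audience: raise ValueError("audience mismatch")
    if claims["exp"] <= now: raise ValueError("expired")
    # jti replay protection: an assertion may be presented only once
    jti = claims.get("jti")
    if jti is not None:
        if jti in seen_jtis: raise ValueError("replayed jti")
        seen_jtis.add(jti)
    return claims
```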