Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange? from Rein Krul on 2023-08-08 (public-credentials@w3.org from August 2023)

From: Rein Krul <info@reinkrul.nl>
Date: Tue, 8 Aug 2023 15:22:22 +0200 (CEST)
To: Alen Horvat <horvat.alen@yahoo.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Matti Taimela <matti@taimela.com>
Message-ID: <251442959.65221.1691500942983@s.appsuite.hostnet.nl>

Alen,

Thanks for your reply. We're starting specification on the service-to-service flow from our perspective, probably using the EBSI flow as starting point. We wanted to come up with something similar to EBSI service-to-service (to be at least compliant with something), but standardization could sure be the next step.

Rein

> Op 8 augustus 2023 om 9:48 schreef Alen Horvat <horvat.alen@yahoo.com>:
> 
>     Hi,
> 
>     If you see EBSI’s flow as a valuable starting point, we can elaborate on the design and see how we could standardise the flow.
>     Note that the full flow consists of other existing standards.
> 
>     BR, Alen
> 
> 
>         > >         On 4 Aug 2023, at 14:16, Rein Krul <info@reinkrul.nl> wrote:
> > 
> > 
> >         Hello everyone,
> > 
> >         At the Nuts Foundation (https://github.com/nuts-foundation) we use DIDs, Verifiable Credentials and Presentations to facilitate decentralized healthcare data exchanges. There are basically 2 access authorization flows, the first one being with a user involved, for which we use OpenID4VP (https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). The second flow is authorizing server-to-server exchanges, also involving an OAuth2 access token, but which isn't an OpenID4VP flow.
> > 
> >         For this server-to-server exchange, a simplified OAuth2 flow is desirable (like JWT bearer grant type), which uses DIF Presentation Exchanges for authorizing the request. But this does not seem to be standardized.
> > 
> >         What I found so far:
> > 
> >             * The OpenID4VC spec suite is aimed at flows with an actual user with a browser/device involved, and are a bad match for server-to-server exchanges (redirects, overly complex auth code flow).
> >             * There is RFC7523, OAuth2 JWT Bearer Grant, using a JWT signed by the client to get an access token, which is a good fit for server-to-server exchanges. But it obviously doesn't specify how to combine it with a DIF Presentation Exchange.
> >             * EBSI (European Blockchain Service Infrastructure) specifies service-to-service exchange which is a sort of extended RFC7523. It looks promising, but is not standardized (see https://api-conformance.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3#service-to-service-token-flow)
> >                   o Note: the EU specified OpenID4VP in its Wallet Architecture Reference Framework, but server-to-server exchanges are not specified (see https://digital-strategy.ec.europa.eu/en/library/european-digital-identity-architecture-and-reference-framework-outline)
> > 
> >         Is there (previous) work on, or interest for, such a standard? Or do you know of any initiatives to standardize it?
> > 
> > 
> >         With best regards,
> >         Rein Krul
> > 
> >         https://github.com/reinkrul
> > 
> > 
> > 
> >          
> > 
> >     > 
> 


 


Met vriendelijke groet,
Rein Krul


https://reinkrul.nl
e-mail: info@reinkrul.nl
tel.: +31 6 34411650

Received on Tuesday, 8 August 2023 13:28:26 UTC