Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange?

Hi Rein,

Looking forward to the upcoming standardisation. Feel free to drop improvement ideas if the standardization proposal gets delayed/rejected. The invention of a “vp_token” grant type allows the b2b wallet to deliver “decentralized access management” VCs to prove they are granted access by a 3rd party. If you already have pre-registered participants with known access, you might find it easier to invent an “id_token” grant, as that is very close to RFC7523.

Best regards,
Matti

From: Rein Krul <info@reinkrul.nl>
Date: Tuesday, 8. August 2023 at 16.31
To: Alen Horvat <horvat.alen@yahoo.com>
Cc: W3C Credentials CG (Public List) <public-credentials@w3.org>, Matti Taimela <matti@taimela.com>
Subject: Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange?

Alen,

Thanks for your reply. We're starting specification on the service-to-service flow from our perspective, probably using the EBSI flow as starting point. We wanted to come up with something similar to EBSI service-to-service (to be at least compliant with something), but standardization could sure be the next step.

Rein
On 8 August 2023 at 9:48, Alen Horvat <horvat.alen@yahoo.com> wrote:

Hi,

If you see EBSI’s flow as a valuable starting point, we can elaborate on the design and see how we could standardise the flow.
Note that the full flow consists of other existing standards.

BR, Alen

On 4 Aug 2023, at 14:16, Rein Krul <info@reinkrul.nl> wrote:

Hello everyone,

At the Nuts Foundation (https://github.com/nuts-foundation) we use DIDs, Verifiable Credentials and Presentations to facilitate decentralized healthcare data exchanges. There are basically 2 access authorization flows, the first one being with a user involved, for which we use OpenID4VP (https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). The second flow is authorizing server-to-server exchanges, also involving an OAuth2 access token, but which isn't an OpenID4VP flow.

For this server-to-server exchange, a simplified OAuth2 flow is desirable (like JWT bearer grant type), which uses DIF Presentation Exchanges for authorizing the request. But this does not seem to be standardized.

What I found so far:

  *   The OpenID4VC spec suite is aimed at flows with an actual user with a browser/device involved, and is a bad match for server-to-server exchanges (redirects, overly complex auth code flow).
  *   There is RFC7523, OAuth2 JWT Bearer Grant, using a JWT signed by the client to get an access token, which is a good fit for server-to-server exchanges. But it obviously doesn't specify how to combine it with a DIF Presentation Exchange.
  *   EBSI (European Blockchain Service Infrastructure) specifies service-to-service exchange which is a sort of extended RFC7523. It looks promising, but is not standardized (see https://api-conformance.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3#service-to-service-token-flow)

     *   Note: the EU specified OpenID4VP in its Wallet Architecture Reference Framework, but server-to-server exchanges are not specified (see https://digital-strategy.ec.europa.eu/en/library/european-digital-identity-architecture-and-reference-framework-outline)

Is there (previous) work on, or interest for, such a standard? Or do you know of any initiatives to standardize it?

With best regards,
Rein Krul

https://github.com/reinkrul
Kind regards,
Rein Krul

https://reinkrul.nl

e-mail: info@reinkrul.nl
tel.: +31 6 34411650
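As an added example (not code from this thread, nor from Nuts or EBSI), here is what the server side of the grant discussed above could check: the binding checks RFC 7523 makes on a JWT assertion (holder equals the authenticated client, audience equals the token endpoint, not expired), followed by evaluation of a DIF Presentation Exchange presentation_submission against the endpoint's presentation definition. The grant type name "vp_token" (Matti's suggestion), the presentation definition, the DIDs, the endpoint URL and the sample request are all assumed or constructed, and verification of the presentation's proof is assumed to have been done by the caller.

```python
import time
# Constructed DIF Presentation Exchange definition (v2 field names) that the token
# endpoint would publish for the hypothetical "vp_token" grant discussed above.
PRESENTATION_DEFINITION = {"id": "s2s-access", "input_descriptors": [
    {"id": "org-access", "constraints": {"fields": [{"path": ["$.type"],
     "filter": {"type": "array", "contains": {"const": "OrganizationCredential"}}}]}}]}

def _resolve(obj, path):
    """Minimal JSONPath ($.a.b[0]) resolver; returns None when the path does not exist."""
    try:
        for part in path.lstrip("$").replace("[", ".").replace("]", "").strip(".").split("."):
            obj = obj[int(part)] if isinstance(obj, list) else obj[part]
        return obj
    except (KeyError, IndexError, TypeError, ValueError):
        return None

def _field_ok(cred, field):
    """True if one of the field's paths resolves and its 'contains.const' filter (if any) holds."""
    want = field.get("filter", {}).get("contains", {}).get("const")
    vals = [v for v in (_resolve(cred, p) for p in field["path"]) if v is not None]
    return bool(vals) and (want is None or (isinstance(vals[0], list) and want in vals[0]))

def validate_vp_token_request(form, client_did, token_endpoint, now=None):
    """Return rejection reasons for a token request ([] = acceptable). Assumes the caller
    already verified the VP proof/signature and authenticated the client as client_did."""
    if form.get("grant_type") != "vp_token":
        return ["unsupported_grant_type"]
    now = time.time() if now is None else now
    vp, sub = form["vp_token"], form["presentation_submission"]
    # Same binding checks RFC 7523 makes on a JWT assertion: holder == client, aud == us, unexpired.
    errors = [msg for bad, msg in (
        (vp.get("holder") != client_did, "holder does not match client"),
        (vp.get("aud") != token_endpoint, "audience mismatch"),
        (vp.get("exp", 0) <= now, "presentation expired"),
        (sub.get("definition_id") != PRESENTATION_DEFINITION["id"], "submission for wrong definition"),
    ) if bad]
    descriptors, satisfied = {d["id"]: d for d in PRESENTATION_DEFINITION["input_descriptors"]}, set()
    for entry in sub.get("descriptor_map", []):
        cred, desc = _resolve(vp, entry["path"]), descriptors.get(entry["id"])
        if cred is None:
            errors.append(f"unresolvable path {entry['path']}")
        elif desc and all(_field_ok(cred, f) for f in desc["constraints"]["fields"]):
            satisfied.add(entry["id"])
    return errors + [f"input descriptor not satisfied: {d}" for d in sorted(set(descriptors) - satisfied)]

SAMPLE_REQUEST = {"grant_type": "vp_token", "presentation_submission": {"definition_id": "s2s-access",  # constructed
    "descriptor_map": [{"id": "org-access", "format": "ldp_vc", "path": "$.verifiableCredential[0]"}]},
    "vp_token": {"holder": "did:web:example.org:care-provider", "aud": "https://auth.example.org/token",
                 "exp": 4102444800, "verifiableCredential": [{"type": ["VerifiableCredential", "OrganizationCredential"],
                 "credentialSubject": {"id": "did:web:example.org:care-provider"}}]}}
```

Signature verification of the presentation, DID resolution and the credential schema filter are deliberately left to the caller; the function only shows how the two halves of the grant (client binding and presentation exchange) fit together.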

Received on Tuesday, 8 August 2023 13:44:30 UTC