Episode 193 - GluuFederation/identerati-office-hours GitHub Wiki
Title: OpenID4VCI Meets OAuth First-Party Apps
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Frederik Krogsdal Jacobsen, Staff Software Engineer, Idura
Description
Could OpenID for Verifiable Credential Issuance reuse the new OAuth First-Party Applications draft instead of reinventing its own Interactive Authorization Endpoint? This session explores the overlap, the protocol quirks that still need solving, and whether shared security analysis and a plugin-style architecture make the dependency worthwhile. Discussions may ensue on redirect semantics, negotiation patterns, and fixes for AS mix-up attacks that could shape the future of digital credential flows.
Homework
- GitHub Issue: Revisiting building IAE on top of first party apps draft #719
- GitHub Issue: AS Mix-Up Attack on Interactive Authorization Endpoint
- OpenID for Verifiable Presentations 1.0
- OAuth 2.0 for First-Party Applications IETF Draft
- IIW Notes
Takeaways
- ⚡ OpenID4VCI does not need to reinvent interactive authorization if OAuth First-Party Apps already solves most of the flow. But a profile is probably needed for some of the wallet-specific trust models.
- ⚡ Wallet trust frameworks could safely extend “first-party” concepts into regulated third-party ecosystems.
- ⚡ Wallets are evolving from passive credential holders into personal identity orchestration engines! When will they incorporate MyTerms?
- ⚡ A new class of hybrid wallets is emerging that has some of the benefits of "restorability". Cloud wallets are also more accessible, and may be a bridge from the current OpenID-based (or OpenID-like...) systems that exist today in some countries, like the Nordics.