Add resource parameter to PAR #301
Conversation
As recommended by the OpenID4VCI draft 14, use RFC8707 resource parameter when requesting issuance using scope parameter. The exact phrasing in the draft reads "If the Credential Issuer metadata contains an authorization_servers property, it is RECOMMENDED to use a resource parameter". However, this information is lost in the TO->domain conversion, so it's not taken into account.
There was a problem hiding this comment.
Dear @spheroid
Thanks for this.
In general, we can understand whether the credential issuer is a resource server that uses another authorization server or whether is both resource & authorization server by comparing the credentialIssuerId and the authorizationIssuer attributes.
So, please check my comments
- Introduce a new function
isCredentialIssuerAuthorizationServer() - Use it, to identify
- If location attribute has to be populated in the
authorization_details(your last change) - if resource attribute needs to be populated in the PAR (your first change)
- if resource attribute needs to be populated in the simple authorization request (not PAR) at line 190
- If location attribute has to be populated in the
src/main/kotlin/eu/europa/ec/eudi/openid4vci/internal/http/AuthorizationEndpointClient.kt
Outdated
Show resolved
Hide resolved
src/main/kotlin/eu/europa/ec/eudi/openid4vci/internal/http/AuthorizationEndpointClient.kt
Outdated
Show resolved
Hide resolved
|
Thanks for quick reply, a few thoughts:
Technically this is against the specification, as it states (emphasis mine):
I understand this is hard to determine this way as the information is lost in the domain conversion and to me it feels like you're suggesting to capture the "spirit of the specification" instead of literally implementing it. I think there's two more alternatives to consider:
I know I'm not in the position to demand how it is to be implemented, but wanted to point out my opinion and the alternatives.
Good catch! This issue came up during interop and obviously I was focused on the code paths related to our use case. 😄 |
Instead of separately determining whether the credential issuer works as the authorization issuer in every use case, define a single property that does it.
|
Dear @spheroid , I don't agree with your assessment 😄
This means, that it is not the responsibility of the this class to choose (based on the issuer metadata) which authorization server will be used. Whose responsibility is this? The caller's of course and in our case, As you can see, for the initialization a Here we choose among the authorization server possibly found in the grants of an offer or (in the absence of it) fallback to the first authorization server advertised by metadata (or the credential issuer itself) In summary, in my subjective opinion, we are fully aligned with the specification and no information is being lost. PS: Why choose the first authorization server advertised ? |
I know I'm splitting hairs here but that's not my point. My point is that the current draft says that it's both recommended to use the Don't get me wrong, I do agree that your approach makes sense. Perhaps this issue should be raised in the OpenID4VCI repository instead to clarify their point: Is it tied to the existence of the |
I really value your comments and of course I don't get you wrong. Unless I missing something, Mind though that nothing stops an issuer (acting as authorization server) to populate Raising an issue to spec sounds like a good idea. I think there are two options:
|
|
Yes, exactly. 👍 Anyway – thank you for the discussion and accepting this PR in such a quick manner! |
As recommended by the OpenID4VCI draft 14, use RFC8707
resourceparameter when requesting issuance usingscopeparameter.The exact phrasing in the draft reads:
The information about existence of
authorization_serversproperty is unfortunately lost in the TO → domain conversion, so it's not taken into account.This fix has already been applied to the iOS library in eu-digital-identity-wallet/eudi-lib-ios-openid4vci-swift#56.
Closes #302