-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add resource parameter to PAR #301
Add resource parameter to PAR #301
Conversation
As recommended by the OpenID4VCI draft 14, use RFC8707 resource parameter when requesting issuance using scope parameter. The exact phrasing in the draft reads "If the Credential Issuer metadata contains an authorization_servers property, it is RECOMMENDED to use a resource parameter". However, this information is lost in the TO->domain conversion, so it's not taken into account.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dear @spheroid
Thanks for this.
In general, we can understand whether the credential issuer is a resource server that uses another authorization server or whether is both resource & authorization server by comparing the credentialIssuerId
and the authorizationIssuer
attributes.
So, please check my comments
- Introduce a new function
isCredentialIssuerAuthorizationServer()
- Use it, to identify
- If location attribute has to be populated in the
authorization_details
(your last change) - if resource attribute needs to be populated in the PAR (your first change)
- if resource attribute needs to be populated in the simple authorization request (not PAR) at line 190
- If location attribute has to be populated in the
src/main/kotlin/eu/europa/ec/eudi/openid4vci/internal/http/AuthorizationEndpointClient.kt
Outdated
Show resolved
Hide resolved
src/main/kotlin/eu/europa/ec/eudi/openid4vci/internal/http/AuthorizationEndpointClient.kt
Outdated
Show resolved
Hide resolved
Thanks for quick reply, a few thoughts:
Technically this is against the specification, as it states (emphasis mine):
I understand this is hard to determine this way as the information is lost in the domain conversion and to me it feels like you're suggesting to capture the "spirit of the specification" instead of literally implementing it. I think there's two more alternatives to consider:
I know I'm not in the position to demand how it is to be implemented, but wanted to point out my opinion and the alternatives.
Good catch! This issue came up during interop and obviously I was focused on the code paths related to our use case. 😄 |
Instead of separately determining whether the credential issuer works as the authorization issuer in every use case, define a single property that does it.
Dear @spheroid , I don't agree with your assessment 😄
This means, that it is not the responsibility of the this class to choose (based on the issuer metadata) which authorization server will be used. Whose responsibility is this? The caller's of course and in our case, eudi-lib-jvm-openid4vci-kt/src/main/kotlin/eu/europa/ec/eudi/openid4vci/Issuer.kt Line 120 in a284025
As you can see, for the initialization a Here we choose among the authorization server possibly found in the grants of an offer or (in the absence of it) fallback to the first authorization server advertised by metadata (or the credential issuer itself) Line 106 in a284025
In summary, in my subjective opinion, we are fully aligned with the specification and no information is being lost. PS: Why choose the first authorization server advertised ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know I'm splitting hairs here but that's not my point. My point is that the current draft says that it's both recommended to use the Don't get me wrong, I do agree that your approach makes sense. Perhaps this issue should be raised in the OpenID4VCI repository instead to clarify their point: Is it tied to the existence of the |
I really value your comments and of course I don't get you wrong. Unless I missing something, Mind though that nothing stops an issuer (acting as authorization server) to populate Raising an issue to spec sounds like a good idea. I think there are two options:
|
Yes, exactly. 👍 Anyway – thank you for the discussion and accepting this PR in such a quick manner! |
As recommended by the OpenID4VCI draft 14, use RFC8707
resource
parameter when requesting issuance usingscope
parameter.The exact phrasing in the draft reads:
The information about existence of
authorization_servers
property is unfortunately lost in the TO → domain conversion, so it's not taken into account.This fix has already been applied to the iOS library in eu-digital-identity-wallet/eudi-lib-ios-openid4vci-swift#56.
Closes #302