OIDC4VC parameters
Updated the 14th of October 2024.
To access the OIDC4VCI parameters:
- Choose profile "Custom",
- Select Settings/Self Sovereign Identity/OIDC4VCI settings
This section allows an advanced user to specify manually the SSI profile of his wallet.
More parameters are available through the Wallet Provider Backend. This feature can be hidden in case of a specific wallet configuration defined with the Wallet Provider Backend.
Wallet Level
Wallet Security Level can be low (default) or strict.
If low security, wallet does not check the signature of the :
- verifiable credentials,
- status list credential,
- authorization request object (OIDC4VP)
Default DID
it can be any one of the DID methods of the list (did:key, did:jwk) associated to one of the types of keys available (EdDSA, P-256 or seck256k1). For EBSI the did:key method is specific, see specification here.
- did:key with EdDSA key,
- did:key with secp256k1 key,
- did:key with P-256 key,
- did:key with EBSI encoding and P-256 key,
- did:jwk with P-256 key
OIDC4VCI
The OIDC4VCI draft release. For EBSI V3.x must be Draft 11.
Cryptographic Holder Binding
- Yes (default): Keeps cryptographic binding enabled, ensuring that credentials are cryptographically tied to the holder, providing higher security,
- No: Disables cryptographic binding, allowing credentials to be bound without cryptographic proofs for claim binding for instance.
Learn more about crypto binding here.
Scope parameters
Scope parameters define the specific scope of the credential inside the authorization request request. If scope is not used, wallet will use an authorization details object.
Learn more about scope here.
Client Authentication Method
Select one authentication method among the following ones:
- none: No authentication required,
- client_secret_basic: Sends ID and secret in the HTTP header,
- client_secret_post: Sends ID and secret in the request body,
- client_id: Identifies the client with a unique ID,
Learn more about authentication method here.
Wallet Client_id scheme
The client type affects how the wallet authenticates and interacts with the authorization server during credential issuance.
- DID: Decentralized Identifier, typically used for secure, decentralized identity interactions,
- P-256 JWK Thumbprint Used when the subject is identified via a jwk thumbprint,
- confidential Client: For confidential clients that require secure and private interaction with the authorization server.
VC Format
Select the VC format:
- ldp_vc: W3C verifiable credentials using linked data proofs.
- jwt_vc: EBSI compatible credentials in jwt format.
- jwt_vc_json: Structured JSON format with jwt flexibility.
- jwt_vc_json-ld: Linked data support with jwt.
- vc+sd-jwt: Selective disclosure for privacy.
Learn more about VC format here.
OIDC4VCI Proof Type
The proof type determines how the wallet proves its key ownership when presenting credentials.
- ldp_vp: Verifiable Presentation with linkedin data proof,
- jwt: Uses JWT to prove key ownership..
Learn more about proof type here.
Proof of Possession Headers
This setting determines what data to include in the header of the JWT proof type.
- kid: Key ID, used to identify the key in the proof of possession.
- jwk: JSON Web Key, representing the key in a structured format for proof of possession.
Learn more about proof of possession headers here.
Push Authorization Request (PAR)
PAR is an advanced feature that enhances security during the authorization process by ensuring the integrity of the request.
- Yes: Push authorization requests to the server,
- No: Uses traditional redirect for authorization requests.
Learn more about PAR here.
StatusList caching
The Status List cache duration controls how long the wallet stores status lists used to verify credentials (e.g., revoked or valid). Adjusting this duration can balance performance with up-to-date information.