-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support contextual presentation requests #86
Comments
how does the user know what VC to submit in step 3 if step 1 does not contain information about what VC is being requested? |
I guess it would be nice to have some concept of an access token. That is of course a bit strange in a SIOP case, but would solve the above problem. Does require the RP to issue the token. If that is a JWT it would be offline verifiable by the RP or any Resource Server. |
a presentation request would be included in the auth response (step 2) |
@decentralgabe what is the problem you want to solve? Do you want to determine whether the user is already known with the SIOP v2 identifier and if not get one of more credentials to onboard the user? |
@tlodderstedt yes exactly, avoid needing to re-request credentials depending on if they're known after authN |
the wallet need to send something to the verifier so that the verifier can determine if the user has been authenticated or not, right? can verifier request SIOP in the first request and within the same browser session request credential presentation if there is credential presentation needed? the downside is that the user will have to click a URL twice or scan a QR code twice.. in step 4 you have "Auth token sent to user", why is this a requrement? |
yes
this would be ideal - SIOP first, determine what is needed, and contextually request presentation
hmm I suppose this is unavoidable unless the server was able to send a notification/callback to the client invoking the presentation flow. I don't think needing to scan twice is the worst experience, if need-be.
I was imaging a case where a new auth token would be useful with additional scopes, though this can be achieved through other means |
there seems to be an agreement that doing SIOP (or some kind of user authentication) first and using that to determine if there is a need to request any credentials solves the problem without any changes to the spec? |
I believe language in the spec would be useful to add to show this as a possibility. |
would you like to do a PR? or propose something? |
@Sakurann yes - if there is consensus then I am happy to self-assign and attempt a PR! |
Currently presentation requests are statically defined and sent to the wallet/user in the auth request. This seems inefficient in the case where the user is re-authenticating using SIOPv2 and has already submitted/fulfilled the presentation request. They may have to submit the same presentation each time they authenticate.
Instead, it would be nice to support a flow like:
I believe this means updating this section. I'm not sure how to fit this in to the current flow and could use some feedback from the group. Perhaps a user gets a preliminary access token and after presentation they get a new access token with increased scope.
The text was updated successfully, but these errors were encountered: