Variant B'
Issuance protocol
Important
The current implementation of B' is still based on the Architecture Proposal for the German eIDAS Implementation, version 2. Changes made with version 2.1 are not yet considered:
- Seed credential requests require "format": "jwt".
- The issuer URI to be used as the base URL for metadata fetching is "https://demo.pid-issuer.bundesdruckerei.de/b1". The metadata contain the information required to construct the initial authorization request sent by the wallet to start the issuance.
- The variant implements OpenID for Verifiable Credential Issuance Implementers Draft 1 (Draft 13).
- The issuance is performed using the authorization code flow with a scope parameter and can be initiated by the wallet.
- The use of Pushed Authorization Requests is required.
- The use of Proof Key for Code Exchange (PKCE) is required.
- The use of any Client Attestation is currently completely ignored.
- The use of a Demonstrated Proof of Possession (DPoP) is required.
- Issuance happens at the Credential Endpoint and requires a Relying Party (RP) generated Elliptic Curve P-256 public key, transmitted via the verifier_ka parameter and used for Diffie-Hellman key agreement; for MSO mdoc credentials, a Session Transcript in the session_transcript parameter is additionally required.
- The Batch Credential Endpoint, deferred issuance and the Notification Endpoint are not needed and thus unsupported.
- Seed credentials can be issued using the provided test eID cards.
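The list above names four mechanisms the wallet must get right before it ever reaches the Credential Endpoint: PKCE, PAR, DPoP, and the P-256 key agreement keyed by verifier_ka. The following Go program is an added example written for this page; it is not code from the Bundesdruckerei issuer or from any wallet. It shows the wallet side of PKCE (S256) and DPoP proof construction, the checks an issuer must make when it receives such a proof (algorithm pinning, curve-point validation, raw r||s signature format, binding to method and URI, freshness), and both halves of the P-256 Diffie-Hellman agreement with rejection of invalid peer points. The token URI used in comments and tests, the 60 s/300 s freshness window, and the 43-character code_verifier length are assumptions for the example; the JWS, JWK and DPoP formats follow RFC 7515, RFC 7518 and RFC 9449. How the raw ECDH secret is turned into a working key is not stated on this page, so the example stops at the shared secret.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// b64 is unpadded base64url, the encoding PKCE (RFC 7636) and JWS (RFC 7515) both use.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewPKCE returns a fresh code_verifier (43 chars, the RFC 7636 minimum) and its S256 challenge.
func NewPKCE() (verifier, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	verifier = b64(raw)
	return verifier, CodeChallenge(verifier), nil
}

// CodeChallenge is S256, base64url(sha256(verifier)). The token endpoint recomputes it from the
// code_verifier presented with the code and compares it with the challenge pushed via PAR.
func CodeChallenge(verifier string) string { sum := sha256.Sum256([]byte(verifier)); return b64(sum[:]) }

// NewWalletKey creates the P-256 key the wallet binds its tokens to with DPoP.
func NewWalletKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewDPoPProof signs an RFC 9449 DPoP proof: an ES256 compact JWS carrying the public key as a JWK and binding one HTTP method and URI.
func NewDPoPProof(key *ecdsa.PrivateKey, method, uri string) (string, error) {
	pub := key.PublicKey
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
	header, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk})
	jti := make([]byte, 16) // unique per proof so the server can detect replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]any{"jti": b64(jti), "htm": method, "htu": uri, "iat": time.Now().Unix()})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw 64-byte r||s, not ASN.1 DER.
	return input + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// VerifyDPoPProof is the server side: recover the JWK, check the signature, and confirm the proof was minted for this method and URI recently.
func VerifyDPoPProof(proof, method, uri string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("proof is not a compact JWS")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	var hdr struct { Typ, Alg string; JWK struct{ Kty, Crv, X, Y string } }
	var clm struct { Htm, Htu string; Iat int64 }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &clm) != nil {
		return errors.New("undecodable header or claims")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return errors.New("unexpected typ, alg or key type") // never let the proof choose the algorithm
	}
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.JWK.X)), Y: new(big.Int).SetBytes(dec(hdr.JWK.Y))}
	sig := dec(parts[2])
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || len(sig) != 64 {
		return errors.New("jwk is not a P-256 point or signature is not r||s")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(&pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	// Assumed freshness window: 60 s of clock skew into the future, 300 s into the past.
	if d := time.Now().Unix() - clm.Iat; clm.Htm != method || clm.Htu != uri || d < -60 || d > 300 {
		return errors.New("proof is bound to another request or outside the freshness window")
	}
	return nil
}

// NewVerifierKA generates the RP's P-256 key; PublicKey().Bytes() gives the uncompressed SEC1 encoding (0x04||x||y) that would be sent in verifier_ka.
func NewVerifierKA() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// SharedSecret runs one side of the P-256 Diffie-Hellman agreement. NewPublicKey rejects encodings that are
// not valid curve points, the check each side must make on a peer-supplied key before using it.
func SharedSecret(own *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return own.ECDH(peer)
}
```

Two design points worth noting: the verifier pins typ and alg before looking at the key, so a proof cannot downgrade the algorithm or substitute a non-EC JWK, and the issuer must still persist recent jti values and reject repeats, which the freshness window alone does not do.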