Variant B'

Issuance protocol

The current implementation of B' is still based on the Architecture Proposal for the German eIDAS Implementation, version 2. Changes made with version 2.1 are not considered, yet:

Seed credential requests require "format": "jwt".
Token requests with seed credential grant require grant_type=seed_credential.
PID issuer nonces must be requested via b1/nonce, but already by utilizing the POST method.

The issuer URI to be used as the base URL for metadata fetching is "https://demo.pid-issuer.bundesdruckerei.de/b1". The metadata contain the information required to construct the initial authorization request sent by the wallet to start the issuance.
The variant implements OpenID for Verifiable Credential Issuance Implementers Draft 1 (Draft 13).
The issuance is performed using the authorization code flow with a scope parameter and can be initiated by the wallet.
The use of a Pushed Authorization Requests is required.
The use of Proof Key for Code Exchange (PKCE) is required.
The use of a Wallet Instance Attestation in the format of a Client Attestation is required in Pushed Authorization as well as Token Requests.
The use of a Demonstrated Proof of Possession (DPoP) is required.
Issuance happens at the Credential Endpoint and requires a Relying Party (RP) generated Elliptic Curve P-256 public key, transmitted via the verifier_ka parameter and used for Diffie-Hellman key agreement; for MSO mdoc credentials, additionally a Session Transcript in the session_transcript parameter is required.
Batch Credential Endpoint, deferred issuance and the Notification Endpoint are not needed and thus unsupported.
Seed credentials can be issued using the provided test eID cards.