Variant B'
Issuance protocol
Important
The current implementation of B' is still based on the Architecture Proposal for the German eIDAS Implementation, version 2. Changes made with version 2.1 are not yet considered:
- Seed credential requests require `"format": "jwt"`.
- Token requests with the seed credential grant require `grant_type=seed_credential`.
- PID issuer nonces must still be requested via b1/nonce, although the POST method is already used.
- The issuer URI to be used as the base URL for metadata fetching is "https://demo.pid-issuer.bundesdruckerei.de/b1". The metadata contain the information required to construct the initial authorization request sent by the wallet to start the issuance.
- The variant implements OpenID for Verifiable Credential Issuance Implementers Draft 1 (Draft 13).
- The issuance is performed using the authorization code flow with a `scope` parameter and can be initiated by the wallet.
- The use of Pushed Authorization Requests is required.
- The use of Proof Key for Code Exchange (PKCE) is required.
- The use of a Wallet Instance Attestation in the format of a Client Attestation is required in Pushed Authorization Requests as well as Token Requests.
- The use of Demonstrating Proof of Possession (DPoP) is required.
- Issuance happens at the Credential Endpoint and requires a Relying Party (RP) generated Elliptic Curve P-256 public key, transmitted via the `verifier_ka` parameter and used for Diffie-Hellman key agreement; for MSO mdoc credentials, additionally a Session Transcript in the `session_transcript` parameter is required.
- Batch Credential Endpoint, deferred issuance and the Notification Endpoint are not needed and thus unsupported.
- Seed credentials can be issued using the provided test eID cards.
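The PKCE-bound Pushed Authorization Request and the matching token request described above, as an added example that is not code from the PID issuer project: only the base URL is taken from the page, the `/par` and `/token` endpoint paths, the client id and the redirect URI are placeholders (a wallet reads the real endpoints from the issuer metadata), and the Client Attestation and DPoP proof, which travel in HTTP headers, are out of scope for this snippet.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Base URL from the page; the endpoint paths are placeholders that a real
# wallet replaces with the values from the issuer metadata.
ISSUER = "https://demo.pid-issuer.bundesdruckerei.de/b1"
PAR_ENDPOINT = ISSUER + "/par"      # placeholder
TOKEN_ENDPOINT = ISSUER + "/token"  # placeholder


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(code_verifier: str = "") -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method. A fresh
    43-character verifier is drawn from the CSPRNG unless one is supplied."""
    code_verifier = code_verifier or b64url(secrets.token_bytes(32))
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return code_verifier, b64url(digest)


def build_par_body(client_id: str, redirect_uri: str, scope: str, code_challenge: str) -> str:
    """Form body of the Pushed Authorization Request. Only the challenge is
    sent here; the verifier stays in the wallet until the token request."""
    return urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    })


def build_token_body(code: str, code_verifier: str, redirect_uri: str, client_id: str) -> str:
    """Token request for the authorization code grant, carrying the verifier."""
    return urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "client_id": client_id,
        "code_verifier": code_verifier,
    })


def verify_pkce(code_challenge: str, code_verifier: str) -> bool:
    """Issuer-side check that binds the token request to the earlier PAR,
    so a stolen authorization code alone cannot be redeemed."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, code_challenge)
```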