Refresh Token and Re-Issuance Flows + Deferred Endpoint #566

fmarino-ipzs · 2025-02-19T09:54:48Z

This PR resolves #538

In particular:

Introduces the Refresh Token Flow and Re-Issuance Flow
Specifies how to use the RT flow when the Access Token is expired in order to:
- re-issue a new refreshed Digital Credential
- use the notification endpoint when a Digital Credential is deleted by the User
- properly use the deferred endpoint
Aligns the deferred endpoint with OID4VCI draft 15
Updates Low-Level Flow according to the new functionalities

docs/en/pid-eaa-issuance.rst

Co-authored-by: Giuseppe De Marco <[email protected]>

docs/en/pid-eaa-issuance.rst

Co-authored-by: Giuseppe De Marco <[email protected]>

docs/en/pid-eaa-issuance.rst

peppelinux · 2025-02-19T11:38:58Z

docs/en/pid-eaa-issuance.rst

+  Host: eaa-provider.example.org
+  Content-Type: application/json
+  Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
+  DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik


memento review jwts

it seems ok. Do you see any issues here?

Co-authored-by: Giuseppe De Marco <[email protected]>

docs/en/pid-eaa-issuance.rst

peppelinux · 2025-02-20T09:22:01Z

docs/en/pid-eaa-issuance.rst

+  Host: eaa-provider.example.org
+  Content-Type: application/x-www-form-urlencoded
+  DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6IkVDIiwieCI6IjR2dDhNdEFISmlsMzBDNnpUTmt2c0VVcnlHTEUtQW5BNkc5LV8xa3l5Rk0iLCJ5IjoiTWdiNTFfbjNSRjNtbHNtS3dMd0xtRUFqVmlJM3Q1bTVWNTI2MFA5MzR3RSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIjoiR0VUIiwiaHR1IjoiaHR0cHM6Ly9yZXNvdXJjZS5leGFtcGxlLm9yZy9wcm90ZWN0ZWRyZXNvdXJjZSIsImlhdCI6MTU2MjI2MjYxOH0.3Tp1ZlZ05PQYeZUHhiZwaQ1etqnwYwoiJHFR_JHb32381lMJL-8o2rE3VZ8X3yuqrGFfCVeP90Ln4J5r8ASIBg
+  OAuth-Client-Attestation: eyJhbGciOiJFUzI1NiIsImtpZCI6IjBiNDk4ZGRlMDkxNzJhZGE3MDFkMDdlYjZmOTg2N2FkIn0.eyJpc3MiOiJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbSIsInN1YiI6IjQ3Yjk4MjM2OTc5MWQwODAwM2E3MjgzZjA1OWNiMGQxIiwibmJmIjoxMzAwODE1NzgwLCJleHAiOjEzMDA4MTkzODAsImNuZiI6eyJqd2siOnsia3R5IjoiRUMiLCJ4IjoiZ1YzSDI0WGQyakhfaWFBd3hkbWlmMm5oeG9uUDhpZTQyQmE5UFhxR0RBcyIsInkiOiJpckZ3b0xabVNZd1FBWHpkZzUxcElPVDdtQ1R3RGtKQWUtdEctVUttYndrIiwiY3J2IjoiUC0yNTYifX19.qlYrkSCkrSDmmQNbbbi6Vj5BHJogOS-y2UErKinhmVUKLLDcBp3C_wasArEHiLnzykLi3hURNJEAAU7v798O6w


missing typ

peppelinux · 2025-02-20T09:22:46Z

docs/en/pid-eaa-issuance.rst

+  Content-Type: application/x-www-form-urlencoded
+  DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6IkVDIiwieCI6IjR2dDhNdEFISmlsMzBDNnpUTmt2c0VVcnlHTEUtQW5BNkc5LV8xa3l5Rk0iLCJ5IjoiTWdiNTFfbjNSRjNtbHNtS3dMd0xtRUFqVmlJM3Q1bTVWNTI2MFA5MzR3RSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIjoiR0VUIiwiaHR1IjoiaHR0cHM6Ly9yZXNvdXJjZS5leGFtcGxlLm9yZy9wcm90ZWN0ZWRyZXNvdXJjZSIsImlhdCI6MTU2MjI2MjYxOH0.3Tp1ZlZ05PQYeZUHhiZwaQ1etqnwYwoiJHFR_JHb32381lMJL-8o2rE3VZ8X3yuqrGFfCVeP90Ln4J5r8ASIBg
+  OAuth-Client-Attestation: eyJhbGciOiJFUzI1NiIsImtpZCI6IjBiNDk4ZGRlMDkxNzJhZGE3MDFkMDdlYjZmOTg2N2FkIn0.eyJpc3MiOiJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbSIsInN1YiI6IjQ3Yjk4MjM2OTc5MWQwODAwM2E3MjgzZjA1OWNiMGQxIiwibmJmIjoxMzAwODE1NzgwLCJleHAiOjEzMDA4MTkzODAsImNuZiI6eyJqd2siOnsia3R5IjoiRUMiLCJ4IjoiZ1YzSDI0WGQyakhfaWFBd3hkbWlmMm5oeG9uUDhpZTQyQmE5UFhxR0RBcyIsInkiOiJpckZ3b0xabVNZd1FBWHpkZzUxcElPVDdtQ1R3RGtKQWUtdEctVUttYndrIiwiY3J2IjoiUC0yNTYifX19.qlYrkSCkrSDmmQNbbbi6Vj5BHJogOS-y2UErKinhmVUKLLDcBp3C_wasArEHiLnzykLi3hURNJEAAU7v798O6w
+  OAuth-Client-Attestation-PoP: eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiIgaHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb20iLCJhdWQiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwianRpIjoiZDI1ZDAwYWItNTUyYi00NmZjLWFlMTktOThmNDQwZjI1MDY0IiwiaWF0IjoxNzIyMjQ5NDQ3LCJleHAiOjE3MjIyNDk3NDd9.8pS0-4QWSl8kfR9FpbS51IQ0BvP0ZbTutbBlVX5V_LIBzC5weCD_mfl339-zVKAqZXc7rAWa3TH2A5SzsimuIA


missing typ

iat and exp have the same value, they must be one minor than the other

docs/en/pid-eaa-issuance.rst

peppelinux · 2025-02-20T09:29:43Z

docs/en/pid-eaa-issuance.rst

+In the first case, the new Digital Credential's Users attribute set will match the original one. For example, a Credential Issuer may need to update the Digital Credential metadata or data format without changing the User's attribute set. In this case, the direct involvement of the User is not mandatory for the replacement and storage of a Digital Credential. 
+
+In the second case, Credential Issuers may also need to modify one or more User's attribute values during re-issuance. In this case, the Wallet Instance MUST inform the User that the attribute data set has been changed and MUST then request the User's authorization to store the new Digital Credential. 
+
+In both cases, the newly issued Digital Credential MUST have the same expiry date as the previous one. 
+
+Re-issuance after Digital Credential expiration MUST always require User authentication.


@fmarino-ipzs there are points for IA WG

This is an important requirement for us. If we allow indefinite Credential renewals without proper User authentication, any security problem that occurred during the first-issuance would propagate indefinitely. This is one of the reasons why documents expire in the physical world and new identity proofing is required to issue a new document. Probably, we could relax this requirement in case a Digital Credential doesn't require User authentication during the first-issuance.

@giadas ^^

docs/en/pid-eaa-issuance.rst

Co-authored-by: Giuseppe De Marco <[email protected]>

…-it-docs into refresh-token

fmarino-ipzs

@peppelinux we made a revision of non-normative example. Now they look good to me.

fmarino-ipzs · 2025-02-21T17:38:23Z

@peppelinux we also decided to remove ath claim in the Refresh Token as we don't see any benefit in having it.
Moreover, we removed Token Rotation as well. As we have client authentication and DPoP tokens, the token rotation is not needed anymore.

fmarino-ipzs and others added 15 commits February 18, 2025 18:35

chore: add Re-Issuance structure of the section

07be552

Update pid-eaa-issuance.rst

b13959f

update Low-level Flow

7a89de4

fix figure issuance

e4f3a7c

feat: added re-issuance flow description

9858b74

feat: added refresh token flow

528c234

fix: code directive error fix

288309d

chore: update deferred endpoint section

e9f0669

feat: added refresh token jwt + updated token endpoint section

127d47e

chore: editorial

f319e0b

chore: editorial

145b87f

update token endpoint section

083b976

chore: editorial + added more details to deferred response sec

3ec4414

update example AT and RT

fcaf2af

fix: rt payload json example

643765f

fmarino-ipzs requested review from grausof, peppelinux, giadas and m-basili February 19, 2025 09:55

fmarino-ipzs added this to the 0.9.2 milestone Feb 19, 2025

fix: reference to oid4vci

cd77805

peppelinux reviewed Feb 19, 2025

View reviewed changes