OpenID4VCI
Overview
The OpenID4VCI specification is an open standard developed by the OpenID Foundation, defining how digital wallets can receive verifiable credentials from credential issuers in a secure and interoperable way. It leverages the widely adopted OAuth 2.0 and OpenID Connect to establish a trust framework for credential issuance, ensuring both privacy and user control.
MATTR VII supports issuing credentials using the OpenID4VCI specification. Supported credential formats include CWT, Semantic CWT, JSON, and mDocs.
Workflows
OpenID4VCI defines two distinct workflows, each tailored to different use cases and requirements:
- Authorization Code flow: This interactive, user-driven flow requires the credential recipient (typically a wallet) to redirect the user to the issuer (such as a government or organization) for authentication. After the user successfully authenticates and gives consent, the issuer’s authentication provider returns an authorization code. The wallet then exchanges this code for an access token, which is used to obtain the credential.
- Pre-authorized Code flow: In this flow, the issuer prepares the credential issuance in advance and may authenticate and authorize the holder ahead of time. Instead of obtaining an authorization code through user authentication, the wallet receives a pre-authorized code directly from the issuer, often via an out-of-band method. The user does not need to authenticate again: the wallet presents the pre-authorized code to retrieve an access token and then claims the credential. For added security, the issuer can require a transaction code (shared separately with the holder), which the wallet must also provide to claim the credential.
MATTR VII supports both workflows, allowing you to choose the one that best fits your use case.
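The token request a wallet builds in each workflow, as an added example that is not MATTR's code. It assumes the credential offer and token request parameter names from the OpenID4VCI specification; `build_token_request` is a hypothetical helper, and the issuer URL, configuration id and code values are constructed.

```python
import json
from urllib.parse import urlencode, urlparse

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

# Constructed sample credential offer: field names follow the OpenID4VCI
# specification; the issuer URL, configuration id and code are made up.
SAMPLE_OFFER = json.dumps({
    "credential_issuer": "https://issuer.example.com",
    "credential_configuration_ids": ["ExampleCredential"],
    "grants": {PRE_AUTH_GRANT: {
        "pre-authorized_code": "constructed-pre-auth-code",
        "tx_code": {"input_mode": "numeric", "length": 6},
    }},
})


def build_token_request(offer_json, tx_code=None, auth_code=None, redirect_uri=None):
    """Hypothetical wallet helper: form-encoded token request for the offered flow."""
    offer = json.loads(offer_json)
    if urlparse(offer["credential_issuer"]).scheme != "https":
        raise ValueError("credential_issuer must be an https URL")
    grants = offer.get("grants", {})
    if PRE_AUTH_GRANT in grants:
        grant = grants[PRE_AUTH_GRANT]
        params = {"grant_type": PRE_AUTH_GRANT,
                  "pre-authorized_code": grant["pre-authorized_code"]}
        spec = grant.get("tx_code")
        if spec is not None:  # the issuer requires a transaction code
            if not tx_code:
                raise ValueError("issuer requires a transaction code")
            numeric = spec.get("input_mode", "numeric") == "numeric"
            if numeric and not (tx_code.isascii() and tx_code.isdigit()):
                raise ValueError("transaction code must be numeric")
            if "length" in spec and len(tx_code) != spec["length"]:
                raise ValueError("transaction code has the wrong length")
            params["tx_code"] = tx_code
        return urlencode(params)
    # Authorization Code flow: the code arrives via the user-facing redirect.
    # PKCE and client identification parameters are left out of this example.
    if not auth_code or not redirect_uri:
        raise ValueError("authorization code flow needs auth_code and redirect_uri")
    return urlencode({"grant_type": "authorization_code",
                      "code": auth_code, "redirect_uri": redirect_uri})
```

The returned string is the body of a POST to the issuer's token endpoint; the access token in the response is what the wallet then uses to claim the credential.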