OIDC4VC

The entity that creates and cryptographically signs Verifiable Credentials. In OIDC4VC, this role is often mapped to an OpenID Provider (OP). It exposes a Credential Endpoint from which a Wallet can request specific credentials after successful user authentication and authorization.

• Issues credentials in formats like W3C Verifiable Credentials or ISO mDL.
• Uses Decentralized Identifiers (DIDs) or other cryptographic keys for signing.
• Provides metadata about supported credential types via a Credential Issuer Metadata document.

The service that requests and validates Verifiable Credentials from a user to grant access or fulfill a transaction. It acts as the Relying Party (RP) in the OpenID Connect flow.

• Initiates the flow by sending a Presentation Request to the user's wallet.
• This request is encoded in a Presentation Definition, specifying the required credential types and constraints.
• After receiving the Verifiable Presentation, the verifier checks the cryptographic proofs and credential status.

The user-controlled software that stores credentials and interacts with Issuers and Verifiers. It is the central component for the Holder in the VC model.

• Manages the user's Decentralized Identifiers (DIDs) and private keys.
• Communicates with the Credential Issuer to fetch credentials via the Credential Endpoint.
• Receives Presentation Requests from Verifiers and creates Verifiable Presentations by selectively disclosing credentials.

OIDC4VC defines a specific interaction pattern, often using a QR code or deep link, that combines OAuth 2.0 authorization with credential exchange.

1. Initiation: Verifier sends a Presentation Request (containing a client_id and redirect_uri) to the Wallet.
2. Authorization: The Wallet authenticates the user with the Issuer (OP) to obtain an Access Token.
3. Credential Fetch: The Wallet uses the token to request credentials from the Issuer's Credential Endpoint.
4. Presentation: The Wallet submits the credentials as a Verifiable Presentation back to the Verifier's redirect_uri.

The protocol is built on several IETF and OpenID Foundation drafts that standardize the messages and endpoints.

• OIDC4VCI (Issuance): Defines how a Wallet requests credentials from an Issuer using an Access Token.
• OIDC4VP (Presentation): Defines how a Verifier requests credentials and how a Wallet presents them.
• SIOPv2 (Self-Issued OP): Allows a Wallet to act as its own OpenID Provider, enabling DID-based authentication without a central OP.
• Presentation Exchange: A common format for defining credential requirements, shared between OIDC4VP and other VP protocols.

OIDC4VC enhances traditional OpenID Connect by adding verifiable data and user control.

• Cryptographic Assurance: Credentials are digitally signed, making them tamper-evident and verifiable offline.
• Selective Disclosure: Users can prove specific claims (e.g., age > 21) without revealing the entire credential.
• Interoperability: Leverages existing OAuth 2.0 infrastructure while enabling portable credentials that are not locked to a single issuer or verifier.
• User-Centric Data Control: The Wallet model gives users a portable repository for their credentials, reducing reliance on siloed accounts.

OIDC4VC defines a standardized flow for requesting and presenting Verifiable Credentials (VCs). The key steps are:

• Credential Offer: An issuer (e.g., a university) sends a signed offer to a user's wallet.
• Authorization Request: The user's wallet requests an Authorization Server (like an issuer's endpoint) to issue credentials.
• Credential Response: The server returns a signed, cryptographically verifiable credential in a standardized format (e.g., JWT-VC or SD-JWT).
• Presentation: The user can later present this credential to a Relying Party (e.g., a job site) for authentication, proving specific claims without revealing their entire identity.

The standard integrates several critical components:

• OpenID Connect (OIDC): Leverages its established OAuth 2.0 framework and ID Token structure for authentication flows.
• W3C Verifiable Credentials Data Model: Provides the foundational data model for the credentials themselves, ensuring interoperability.
• Decentralized Identifiers (DIDs): Often used as the cryptographic identifiers for issuers, holders, and verifiers, enabling trust without centralized registries.
• Selective Disclosure: Protocols like SD-JWT allow users to reveal only specific claims from a credential (e.g., proving they are over 21 without showing their birthdate).

OID4VC enables a wide range of real-world applications focused on user control and data minimization:

• Know Your Customer (KYC): Users can obtain a reusable credential from a bank and present it to multiple crypto exchanges, avoiding repetitive document submission.
• Academic & Professional Credentials: Universities can issue digital diplomas; employers can instantly verify them.
• Age Verification: Proving age for age-restricted services without handing over a full driver's license copy.
• Access Management: Logging into enterprise or government portals with verified attributes (e.g., employment status, citizenship).

Adoption relies on interoperable software components:

• Digital Identity Wallets: User-held apps (e.g., Trinsic, Spruce ID, Microsoft Authenticator) that store VCs and manage OIDC4VC flows.
• Credential Issuers: Entities (governments, corporations, universities) that operate Authorization Servers compliant with the standard to issue trusted VCs.
• Verifiers/Relying Parties: Services that accept OIDC4VC presentations for login or authorization, integrating standard libraries from providers like Auth0 or Keycloak.
• Trust Registries: Optional systems that maintain lists of trusted issuers and the types of credentials they are authorized to issue.

OIDC4VC offers significant improvements:

• User Privacy & Control: Users hold credentials in their wallet and decide when and with whom to share them, enabling selective disclosure.
• Reduced Liability for Relying Parties: Verifiers don't store sensitive PII; they only cryptographically verify claims.
• Interoperability: Builds on widely adopted web standards (OIDC), easing integration for existing enterprises.
• Portability: Credentials are not locked into a single vendor's ecosystem; they can be used across any compliant verifier.
• Auditability: Cryptographic proofs create a verifiable chain of issuance and presentation.

OIDC4VC is not a single specification but a family of drafts and profiles developed within major standards organizations:

• OpenID Foundation: The OpenID Connect Working Group develops the core specifications (e.g., OpenID for Verifiable Credential Issuance, OpenID for Verifiable Presentations).
• ISO: Components are being standardized under ISO/IEC 18013-5 (mobile driver's licenses) and other working groups.
• W3C: Provides the foundational Verifiable Credentials Data Model and Decentralized Identifiers (DIDs) specifications that OIDC4VC credentials are built upon.
• IETF: Standards like SD-JWT (RFC 9561) and JWT-VC are developed here, providing the concrete cryptographic formats.

Self-Sovereign Identity (SSI) is a digital identity model where individuals or entities have sole ownership and control over their credentials and identity data, without relying on centralized intermediaries. OIDC4VC is a key technical protocol enabling SSI on the web.

• Principles: User control, portability, and minimal disclosure.
• Architecture: Built on DIDs and Verifiable Credentials.
• Use Case: Logging into a service by presenting a VC from a trusted issuer, without creating a new password.

SIOPv2 is an OpenID Connect extension that allows a user to act as their own OpenID Provider using a Decentralized Identifier (DID). It is a foundational layer for OIDC4VC, enabling DID-based authentication before credential presentation.

• Mechanism: The user's wallet acts as the OIDC Provider.
• Flow: Generates a signed ID Token containing the user's DID.
• Role: Establishes the initial authenticated session for the subsequent VC exchange.

A Verifiable Presentation (VP) is a package of one or more Verifiable Credentials presented by a holder to a verifier, often with additional proof. In OIDC4VC, VPs are typically conveyed within a Verifiable Presentation Request flow.

• Purpose: Selective disclosure of claims from one or more VCs.
• Security: Cryptographically proves the holder possesses the credentials.
• Format: A W3C-standard data structure that can be signed by the holder.

These are complementary specifications that standardize how verifiers request credentials and how issuers describe what they offer.

• Credential Manifest: An issuer's document detailing the Verifiable Credentials it can issue and the requirements to obtain them.
• Presentation Definition: A verifier's document specifying the exact credentials or claims required from a user (e.g., "a driver's license with age > 21").

Together, they enable interoperable, machine-readable credential exchange in OIDC4VC flows.