Support for FIDO Authentication

Issue #1542 resolved

David W Chadwick created an issue 2022-07-01

Here is a proposal for how to include the use of FIDO authentication between the wallet and the issuer using existing open source FIDO2 code. It proposes an extension to OAuth by defining two new authorization grant types of FIDO Registration and FIDO Authentication.

The wallet (acting as RP/client) makes a request to the issuer’s authorization endpoint (authz server) using a new response type of FIDO Registration.
The authz server responds with a new token: the FIDO2 registration challenge, prepared using a standard FIDO2 server library (open source implementations of this exist), along with the FIDO UserID.
The wallet responds to the challenge by using a call to the FIDO2 client library already provided by Google on Android (and by a third party on iOS). This library creates a new FIDO key pair with the private key stored in the phone’s hardware and creates the response to the challenge. The user has to agree to this key being created and stored in the phone’s hardware by using the phone’s standard authn mechanism ie. faceid, fingerprint, PIN etc. The FIDO key pair is stored along with the FIDO UserID and Authz Server URL (to enforce SOP).
The wallet returns the FIDO2 response to the authz server’s token endpoint, and asks for an Access Token
The authz server validates the FIDO2 response token using the FIDO server, and stores the FIDO UserID of the wallet and its FIDO public key (to be used in subsequent authentication exchanges).
The authz server returns an Access Token to the wallet.
Flow continues as before, by the wallet using the Access Token to get the credential.

Subsequent connections between the wallet and issuer can be authenticated and secured using the FIDO private key stored in the wallet’s hardware.

The wallet makes a request to the authz server authorization endpoint using a new response type of FIDO Authentication, passing its FIDO UserID.
The authz server responds with a new token; the FIDO Authentication Request, created by the FIDO server especially for the wallet’s public key.
The wallet creates a response to this request by using a call to the FIDO2 client library. This library uses the existing FIDO key pair that is stored for this Authz Server (thereby enforcing SOP) and creates the response to the request. The user has to agree to the private key being used in the phone’s hardware by using the phone’s standard authn mechanism ie. faceid, fingerprint, PIN etc.
The wallet returns the Authentication Response to the Authz Server’s token endpoint
Upon validation of the Authentication Response the Authz Server returns an Access Token to the wallet.
Flow continues as before

The advantages of the above are:

i) Uses existing FIDO implementations (server and client)

ii) Stores wallet authentication keys in the wallet’s hardware removing any chance of the keys being stolen

iii) Enforces SOP between the wallet and issuer

iv) Can require the user to be present and authenticated by the phone in order to use the private key (dependent upon FIDO parameters)

v) Removes any need for the user to have a un/pw with the issuer

vi) Removes the need for the secure storage of Access Tokens and Refresh Tokens by the wallet as FIDO private keys provide the long term secure storage in the phone’s hardware.

Comments (16)

Kristina Yasuda
I believe this proposal is in scope for FIDO, but out of scope for OpenID Foundation.
- 2022-07-04T19:01:02+00:00
David W Chadwick reporter
It is not a FIDO issue, but an OIDF issue because we are specifying one way of using FIDO that will allow OIDC4VCI to leverage FIDO during the VC issuing process. We are not modifying FIDO nor suggesting any changes to FIDO.
- 2022-07-05T09:50:51+00:00
David W Chadwick reporter
- edited description
- 2022-07-05T12:28:53+00:00
Kristina Yasuda
what are the changes you are suggesting to VCI?
- 2022-08-25T17:31:21+00:00
Kristina Yasuda
also is this issue duplicate of ~~#1460~~
- 2022-08-25T17:35:56+00:00
David W Chadwick reporter
Issue ~~#1460~~ was background discussion that led to the current issue being published. Consequently 1460 can now be closed
- 2022-08-29T09:57:59+00:00
David W Chadwick reporter
what are the changes you are suggesting to VCI?

To have a way of including FIDO2 tokens in (one or more of) the OIDC4VCI flow(s) for the advantages described above. I also believe that it is a way of avoiding having a split wallet as described in PR~~#257~~
- 2022-08-29T10:08:48+00:00
David Waite Account Deactivated
The wallet (acting as RP/client) makes a request to the issuer’s authorization endpoint (authz server) using a new response type of FIDO Registration.

Are you thinking of this as a new grant type, to be in parallel to code and implicit flow? A response type does not sound appropriate, as it is used to form an existing response to a particular ‘channel’ for returning data - e.g. a form post to a redirect endpoint, or encoded into query parameters to the same. Response modes aren’t normally used to indicate additional data being sent.

The authz server responds with a new token: the FIDO2 registration challenge, prepared using a standard FIDO2 server library (open source implementations of this exist), along with the FIDO UserID.

What would the RPID be for this? Both native and web-hosted wallets can only fulfill requests for their own domain (with web having a benefit of being able to use iframes or child windows, but that isn’t what I think you are describing here)

What sort of limitations do you see on this challenge? Requesting discoverable credentials or certain extensions can have a possibly negative effect on the relying party (e.g. the wallet domain)
- 2022-08-29T20:02:08+00:00
David W Chadwick reporter
@DW “Are you thinking of this as a new grant type, to be in parallel to code and implicit flow?"

Yes, because code is not appropriate as the authorization server is not an intermediary between the client and resource owner. In OIDC4VCI the resource owner is the credential issuer and not the user.

My reading of RFC6749 is that the client informs the authorization server of the desired grant type using the response_type parameter. Since a new grant type is being requested then a new response_type is needed isnt it? In this case the response is different because it contains the FIDO Registration Challenge token.

"What would the RPID be for this?"

This is the ID of the Authz Server, so that SOP can be enforced by the wallet. The wallet is the client.

The client/wallet is a confidential client (in OAuth2 terminology) because it can store its private keys in the phone’s hardware, to be released on the say-so of the phone’s user.

Does this answer all your questions?

‌
- 2022-08-31T16:21:58+00:00
David Waite Account Deactivated
This is the ID of the Authz Server, so that SOP can be enforced by the wallet. The wallet is the client.

This will preclude support by many platforms, which expect an entitlement for an app (wallet) to be able to create or request credentials against a particular rpid. The entitlement to request for all domains may require a special arrangement or only be given in certain circumstances - for instance to a web browser.

The platforms expect by default that native apps will act as relying parties, not as clients.
- 2022-09-14T20:20:06+00:00
David W Chadwick reporter
OIDC4VCI expects the authenticated client to request a credential to be issued to a freshly minted public key that can be presented to any RP. So after FIDO authentication between the client and OIDC4VCI issuer, an OIDC4VCI issuer will behave in exactly the same way.

The Android platform fully supports native apps to work as clients. The iOS platform also supports this (using third party FIDO software).
- 2022-09-15T07:55:57+00:00
Anders Rundgren
I’m all for reusing FIDO. However, OAuth is not the only possible target. For payments (my particular area of interest…), building on an enhanced EMV scheme seems like a better idea because it lends itself to wallets which OAuth (AFAICT…) does not. The SPC scheme recently launched by Google and the W3C does not make much sense to me:
https://github.com/mozilla/standards-positions/issues/570#issuecomment-972578433
- 2022-09-17T07:43:41+00:00
Anders Rundgren
I don’t fully understand how this proposal is supposed to be used on Web.
- 2022-09-17T08:54:08+00:00
David W Chadwick reporter
It is designed to create a strong long term FIDO authentication key pair between the wallet and the issuer’s Oauth server. The OIDC4VCI model is that the wallet creates a fresh key pair for the issuer to bind to each new VC that it issues. The FIDO key pair can replace the OAuth refresh token which is a bearer token so not as strong. So after authentication using FIDO, the wallet will get a short lived access token to send to the issuer along with a new key pair for the VC. In this way all the user has to do in order to get a fresh VC is swipe their finger on their smartphone, or use face-id etc. and a new VC will be provided to the wallet.
- 2022-09-17T09:52:22+00:00
gffletch
One concern I have is that we are defining authentication and registration semantics around the token endpoint which historically have been out-of-scope for OAuth. I’d prefer these authentication mechanisms be implemented on a separate endpoint. I do get the similarity to either ROPC or client_credentials flow though in neither of those cases is there a “dynamic” “registration” event.
- 2023-01-28T14:02:41+00:00
Mark Haine
- changed status to resolved
Migrated to GitHub

https://github.com/openid/OpenID4VCI
- 2023-09-01T16:52:59+00:00
Log in to comment

Assignee: –

Type: enhancement

Priority: major

Status: resolved

Component: Credential Issuance

Milestone: –

Version: –

Votes: 0

Watchers: 5