{"id":22006341,"url":"https://github.com/a-sit-plus/vck","last_synced_at":"2025-07-14T12:40:17.651Z","repository":{"id":70173424,"uuid":"602578639","full_name":"a-sit-plus/vck","owner":"a-sit-plus","description":"Kotlin Multiplatform library implementing W3C VC Data Model, SD-JWT and ISO 18013-5 credentials","archived":false,"fork":false,"pushed_at":"2025-05-05T13:11:36.000Z","size":5190,"stargazers_count":48,"open_issues_count":17,"forks_count":3,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-05-05T22:05:57.686Z","etag":null,"topics":["eudi-wallet","iso-18013-5","kotlin","kotlin-multiplatform","mdl","oid4vci","oid4vp","sd-jwt","siopv2","verifiable-credentials","wallet"],"latest_commit_sha":null,"homepage":"https://a-sit-plus.github.io/vck/","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/a-sit-plus.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-02-16T14:07:40.000Z","updated_at":"2025-05-04T19:25:34.000Z","dependencies_parsed_at":"2023-11-20T12:25:38.118Z","dependency_job_id":"963d7a24-1554-4d65-bf16-ded3d98f1861","html_url":"https://github.com/a-sit-plus/vck","commit_stats":null,"previous_names":["a-sit-plus/vck","a-sit-plus/kmm-vc-library"],"tags_count":37,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/a-sit-plus%2Fvck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/a-sit-plus%2Fvck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/a-sit-plus%2Fvck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/a-sit-plus%2Fvck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/a-sit-plus","download_url":"https://codeload.github.com/a-sit-plus/vck/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252584330,"owners_count":21771945,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["eudi-wallet","iso-18013-5","kotlin","kotlin-multiplatform","mdl","oid4vci","oid4vp","sd-jwt","siopv2","verifiable-credentials","wallet"],"created_at":"2024-11-30T01:11:38.101Z","updated_at":"2025-07-14T12:40:17.638Z","avatar_url":"https://github.com/a-sit-plus.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"vck-light.png\"\u003e\n \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"vck-dark.png\"\u003e\n \u003cimg alt=\"VC-K – Verifiable Credentials Library for Kotlin Multiplatform\" src=\"vck-dark.png\"\u003e\n\u003c/picture\u003e\n\n\n# VC-K – Verifiable Credentials Library for Kotlin Multiplatform\n\n[![A-SIT Plus Official](https://img.shields.io/badge/A--SIT_Plus-official-005b79?logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAxNDMuNzYyODYgMTg0LjgxOTk5Ij48ZGVmcz48Y2xpcFBhdGggaWQ9ImEiIGNsaXBQYXRoVW5pdHM9InVzZXJTcGFjZU9uVXNlIj48cGF0aCBkPSJNMCA1OTUuMjhoODQxLjg5VjBIMFoiLz48L2NsaXBQYXRoPjwvZGVmcz48ZyBjbGlwLXBhdGg9InVybCgjYSkiIHRyYW5zZm9ybT0ibWF0cml4KDEuMzMzMzMzMyAwIDAgLTEuMzMzMzMzMyAtNDgyLjI1IDUxNy41MykiPjxwYXRoIGZpbGw9IiMwMDViNzkiIGQ9Ik00MTUuNjcgMjQ5LjUzYy03LjE1LjA4LTEzLjk0IDEtMjAuMTcgMi43NWE1Mi4zMyA1Mi4zMyAwIDAgMC0xNy40OCA4LjQ2IDQwLjQzIDQwLjQzIDAgMCAwLTExLjk2IDE0LjU2Yy0yLjY4IDUuNDEtNC4xNCAxMS44NC00LjM1IDE5LjA5bC0uMDIgNi4xMnYyLjE3YS43MS43MSAwIDAgMCAuNy43M2gxNi41MmMuMzkgMCAuNy0uMzIuNzEtLjdsLjAxLTIuMmMwLTIuNi4wMi01LjgyLjAzLTYuMDcuMi00LjYgMS4yNC04LjY2IDMuMDgtMTIuMDZhMjguNTIgMjguNTIgMCAwIDEgOC4yMy05LjU4IDM1LjI1IDM1LjI1IDAgMCAxIDExLjk2LTUuNTggNTUuMzggNTUuMzggMCAwIDEgMTIuNTgtMS43NmM0LjMyLjEgOC42LjcgMTIuNzQgMS44YTM1LjA3IDM1LjA3IDAgMCAxIDExLjk2IDUuNTcgMjguNTQgMjguNTQgMCAwIDEgOC4yNCA5LjU3YzEuOTYgMy42NCAzIDguMDIgMy4xMiAxMy4wMnYyNC4wOUgzNjIuNGEuNy43IDAgMCAwLS43MS43VjMzNWMwIDguNDMuMDEgOC4wNS4wMSA4LjE0LjIgNy4zIDEuNjcgMTMuNzcgNC4zNiAxOS4yMmE0MC40MyA0MC40MyAwIDAgMCAxMS45NiAxNC41N2M1IDMuNzYgMTAuODcgNi42MSAxNy40OCA4LjQ2YTc3LjUgNzcuNSAwIDAgMCAyMC4wMiAyLjc3YzcuMTUtLjA3IDEzLjk0LTEgMjAuMTctMi43NGE1Mi4zIDUyLjMgMCAwIDAgMTcuNDgtOC40NiA0MC40IDQwLjQgMCAwIDAgMTEuOTUtMTQuNTdjMS42Mi0zLjI2IDMuNzctMTAuMDQgMy43Ny0xNC42OCAwLS4zOC0uMTctLjc0LS41NC0uODJsLTE2Ljg5LS40Yy0uMi0uMDQtLjM0LjM0LS4zNC41NCAwIC4yNy0uMDMuNC0uMDYuNi0uNSAyLjgyLTEuMzggNS40LTIuNjEgNy42OWEyOC41MyAyOC41MyAwIDAgMS04LjI0IDkuNTggMzUuMDEgMzUuMDEgMCAwIDEtMTEuOTYgNS41NyA1NS4yNSA1NS4yNSAwIDAgMS0xMi41NyAxLjc3Yy00LjMyLS4xLTguNjEtLjcxLTEyLjc1LTEuOGEzNS4wNSAzNS4wNSAwIDAgMS0xMS45Ni01LjU3IDI4LjUyIDI4LjUyIDAgMCAxLTguMjMtOS41OGMtMS44Ni0zLjQ0LTIuOS03LjU1LTMuMDktMTIuMmwtLjAxLTcuNDdoODkuMTZhLjcuNyAwIDAgMCAuNy0uNzJ2LTM5LjVjLS4xLTcuNjUtMS41OC0xNC40LTQuMzgtMjAuMDZhNDAuNCA0MC40IDAgMCAwLTExLjk1LTE0LjU2IDUyLjM3IDUyLjM3IDAgMCAwLTE3LjQ4LTguNDcgNzcuNTYgNzcuNTYgMCAwIDAtMjAuMDEtMi43N1oiLz48cGF0aCBmaWxsPSIjY2U0OTJlIiBkPSJNNDE5LjM4IDI4MC42M2gtNy41N2EuNy43IDAgMCAwLS43MS43MXYxNS40MmE4LjE3IDguMTcgMCAwIDAtMy43OCA2LjkgOC4yOCA4LjI4IDAgMCAwIDE2LjU0IDAgOC4yOSA4LjI5IDAgMCAwLTMuNzYtNi45di0xNS40MmEuNy43IDAgMCAwLS43Mi0uNzEiLz48L2c%2BPC9zdmc%2B\u0026logoColor=white\u0026labelColor=white)](https://a-sit-plus.github.io)\n[![GitHub license](https://img.shields.io/badge/license-Apache%20License%202.0-brightgreen.svg?style=flat)](http://www.apache.org/licenses/LICENSE-2.0)\n[![Kotlin](https://img.shields.io/badge/kotlin-multiplatform--mobile-orange.svg?logo=kotlin)](http://kotlinlang.org)\n[![Kotlin](https://img.shields.io/badge/kotlin-2.1.20-blue.svg?logo=kotlin)](http://kotlinlang.org)\n[![Java](https://img.shields.io/badge/java-17-blue.svg?logo=OPENJDK)](https://www.oracle.com/java/technologies/downloads/#java17)\n[![Android](https://img.shields.io/badge/Android-SDK--30-37AA55?logo=android)](https://developer.android.com/tools/releases/platforms#11)\n[![Maven Central](https://img.shields.io/maven-central/v/at.asitplus.wallet/vck)](https://mvnrepository.com/artifact/at.asitplus.wallet/vck)\n\n\u003c/div\u003e\n\nThis library implements verifiable credentials to support several use cases, i.e. issuing of credentials, presentation of credentials and validation thereof. This library may be shared between backend services issuing credentials, wallet apps holding credentials, and verifier apps validating them. \n\n\n## Architecture\n\nThis library was built with [Kotlin Multiplatform](https://kotlinlang.org/docs/multiplatform.html) and [Multiplatform Mobile](https://kotlinlang.org/lp/mobile/) in mind. Its primary targets are JVM, Android and iOS. In order to achieve smooth usage especially under iOS, there have been some notable design decisions:\n\n - Code interfacing with client implementations uses the return type `KmmResult` to transport the `Success` case (i.e. a custom data type) as well as potential errors from native implementations as a `Failure`.\n - Native implementations can be plugged in by implementing interfaces, e.g. `PlatformCryptoShim` and `KeyMaterial`, as opposed to callback functions.\n - Use of primitive data types for constructor properties instead of e.g. [kotlinx datetime](https://github.com/Kotlin/kotlinx-datetime) types.\n - As much code as possible is implemented in the `commonMain` module\n\nNotable features for multiplatform are:\n\n - Use of [Napier](https://github.com/AAkira/Napier) as the logging framework\n - Use of [Kotest](https://kotest.io/) for unit tests\n - Use of [kotlinx-datetime](https://github.com/Kotlin/kotlinx-datetime) for date and time classes\n - Use of [kotlinx-serialization](https://github.com/Kotlin/kotlinx.serialization) for serialization from/to JSON and CBOR\n - Implementation of a ZLIB service in Kotlin with native parts, see `ZlibService`\n - Implementation of JWS and JWE operations in pure Kotlin (delegating to native crypto), see `JwsService`\n - Implementation of COSE operations in pure Kotlin (delegating to native crypto), see `CoseService`\n\nSome parts for increased multiplatform support have been extracted into separate repositories:\n - Reimplementation of Kotlin's [Result](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin/-result/) called [KmmResult](https://github.com/a-sit-plus/kmmresult) for easy use from Swift code (since inline classes are [not supported](https://kotlinlang.org/docs/native-objc-interop.html#unsupported)).\n - Several crypto datatypes (including an ASN.1 parser and encoder), as well as a mulitplatform crypto library, called [Signum](https://github.com/a-sit-plus/signum).\n\nThe main entry point for applications is an instance of `HolderAgent`, `VerifierAgent` or `IssuerAgent`, according to the nomenclature from the [W3C VC Data Model](https://w3c.github.io/vc-data-model/).\n\nMany classes define several constructor parameters, some of them with default values, to enable a simple form of dependency injection. Implementers are advised to specify the parameter names of arguments passed to increase readability and prepare for future extensions.\n\n## Features\n\nCredentials may be represented as plain JWTs in the [W3C VC Data Model](https://w3c.github.io/vc-data-model/), as ISO mDoc credentials according to [ISO/IEC 18013-5:2021](https://www.iso.org/standard/69084.html), or simply as a list of claims and values for [SD-JWT](https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/).\n\nFor SD-JWT, we're implementing [SD-JWT VC](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html), including features like key binding JWT, and JWT VC issuer metadata. Not supported are SD-JWT VC type metadata, document integrity, display metadata and claim metadata. We're also following [SD-JWT](https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-15.html), including features like key binding JWT and nested structures. \n\nWhen using the plain JWT representation, the single credential itself is an instance of `CredentialSubject`. For ISO mDoc claims see `IssuerSignedItems` and related classes like `Document` and `MobileSecurityObject`. For SD-JWT claims see `SelectiveDisclosureItem` and `SdJwtSigned`.\n\nOther libraries implementing credential schemes may call `LibraryInitializer.registerExtensionLibrary()` to register with this library. See our implementation of the [EU PID credential](https://github.com/a-sit-plus/eu-pid-credential) and our implementation of the [Mobile Driving Licence](https://github.com/a-sit-plus/mobile-driving-licence-credential/) for examples. We also maintain a comprehensive list of [all credentials powered by this library](https://github.com/a-sit-plus/credentials-collection).\n\nFor the OpenID protocol family, issuing is implemented using [OpenID for Verifiable Credential Issuance](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html), see `WalletService` and `CredentialIssuer`. This library supports several features of the OpenID4VCI draft 15: Pre-authorized code grants, authorization code flow, selecting credentials with authorization details and scopes, pushed authorization requests. Not supported are the deferred credential endpoint and the notification endpoint.\n\nPresentation of credentials is implemented using [Self-Issued OpenID Provider v2](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html), supporting [OpenID for Verifiable Presentations](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html), see `OpenId4VpVerifier` and `OpenId4VpHolder`. This library supports several features of the OpenID4VP draft 23: Same device and cross device flows, response mode `direct_post` and `direct_post.jwt`, request objects by value or reference, presentation definitions and submissions, verifier attestations, signed and/or encrypted responses, client identifier schemes embedded in the client identifier. Not supported are the Digital Credential Query Language, using scopes for referencing presentation definitions, client identifier schemes OpenID Federation and DID.\n\n\n## Usage\nVC-K uses a modular structure to separate concerns. Hence, depending on the use cases you want to cover, you will need different artefacts:\n\n\n| Artefact | Info |\n|:---------------------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `vck` | VC-K base functionality. Contains business logic for creating, issuing, presenting, and verifying credentials. |\n| `vck-openid` | OpenID protocol implementation, including OpenID4VCI. Contains client and server authentication business logic and the actual issuing protocol. |\n| `vck-openid-ktor` | Contains ktor-based OpenID4VCI client and OpenID4VP wallet implementations. **please call `Initializer.initOpenIdModule()` at the start of your project!** |\n| `vck-rqes` | RQES implementation; depends on `vck-openid` **Please call `Initializer.initRqesModule()` at the start of your project. This initializer fully overrides `Initializer.initOpenIdModule()` which does not need to be called if `vck-rqes` is used.** |\n| `dif-data-classes` | [DIF Presentation Exchange v1.0.0](https://identity.foundation/presentation-exchange/spec/v1.0.0/#presentation-definition) data classes. **Does not depend on any other vck artefact** and can hence be used independently of VC-K! |\n| `openid-data-classes` | OpenID data classes. **Only depends on `dif-data-classes`** and can hence be used independently of VC-K! |\n| `rqes-data-classes` | RQES data classes. **Only depends on `dif-data-classes` and `openid-data-classes`** and can hence be used independently of VC-K! |\n\nSimply declare the desired dependency to get going. This will usually be one of:\n\n```kotlin \nimplementation(\"at.asitplus.wallet:vck:$version\")\n```\n\n```kotlin \nimplementation(\"at.asitplus.wallet:vck-openid:$version\")\n```\n\n```kotlin \nimplementation(\"at.asitplus.wallet:vck-rqes:$version\")\n```\n\nEverything else (serialization, crypto through Signum, …) will be taken care of.\nTherefore, **do not** manually add serialization dependencies! In case you are using this project in a codebase with dependencies on `kotlinx-serialization`, plese use the `vck-versionCatalog` artefact to keep versions in sync.\nIf you\nAs discovered in [#226](https://github.com/a-sit-plus/vck/issues/226), using the deprecated `io.spring.dependency-management` will cause issues.\n\nThe actual credentials are provided as discrete artefacts and are maintained separately [over here](https://github.com/a-sit-plus/credentials-collection).\nIt is fine to add credentials **and** VC-K to as project dependencies, e. g., to use a version of VC-K that is more recent than the one a certain credentials depends on.\n\n## Limitations\n\n - Several parts of the W3C VC Data Model have not been fully implemented, i.e. everything around resolving cryptographic key material.\n - Anything related to ledgers (e.g. resolving DID documents) is out of scope.\n - JSON-LD is not supported for W3C credentials.\n - Trust relationships are mostly up to clients using this library.\n\n## Dataflow for OID4VCI\n\nWe'll present an issuing process according to [OID4VCI](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html), along with [OID4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html), with all terms taken from there.\n\n\u003cdetails\u003e\n\u003csummary\u003eThe credential issuer serves the following metadata:\u003c/summary\u003e \n\n```json\n{\n \"issuer\": \"https://wallet.a-sit.at/credential-issuer\",\n \"credential_issuer\": \"https://wallet.a-sit.at/credential-issuer\",\n \"authorization_servers\": [\n \"https://wallet.a-sit.at/authorization-server\"\n ],\n \"credential_endpoint\": \"https://wallet.a-sit.at/credential-issuer/credential\",\n \"batch_credential_issuance\": {\n \"batch_size\": 1\n },\n \"credential_configurations_supported\": {\n \"at.a-sit.wallet.atomic-attribute-2023\": {\n \"format\": \"mso_mdoc\",\n \"scope\": \"at.a-sit.wallet.atomic-attribute-2023\",\n \"cryptographic_binding_methods_supported\": [\n \"jwk\",\n \"cose_key\"\n ],\n \"credential_signing_alg_values_supported\": [\n \"ES256\"\n ],\n \"doctype\": \"at.a-sit.wallet.atomic-attribute-2023.iso\",\n \"claims\": {\n \"at.a-sit.wallet.atomic-attribute-2023\": {\n \"given_name\": {},\n \"family_name\": {},\n \"date_of_birth\": {},\n \"portrait\": {}\n }\n }\n },\n \"AtomicAttribute2023#jwt_vc_json\": {\n \"format\": \"jwt_vc_json\",\n \"scope\": \"AtomicAttribute2023\",\n \"cryptographic_binding_methods_supported\": [\n \"jwk\",\n \"urn:ietf:params:oauth:jwk-thumbprint\"\n ],\n \"credential_signing_alg_values_supported\": [\n \"ES256\"\n ],\n \"credential_definition\": {\n \"type\": [\n \"VerifiableCredential\",\n \"AtomicAttribute2023\"\n ],\n \"credentialSubject\": {\n \"given_name\": {},\n \"family_name\": {},\n \"date_of_birth\": {},\n \"portrait\": {}\n }\n }\n },\n \"AtomicAttribute2023#vc+sd-jwt\": {\n \"format\": \"vc+sd-jwt\",\n \"scope\": \"AtomicAttribute2023\",\n \"cryptographic_binding_methods_supported\": [\n \"jwk\",\n \"urn:ietf:params:oauth:jwk-thumbprint\"\n ],\n \"credential_signing_alg_values_supported\": [\n \"ES256\"\n ],\n \"vct\": \"AtomicAttribute2023\",\n \"claims\": {\n \"given_name\": {},\n \"family_name\": {},\n \"date_of_birth\": {},\n \"portrait\": {}\n }\n },\n \"org.iso.18013.5.1\": {\n \"format\": \"mso_mdoc\",\n \"scope\": \"org.iso.18013.5.1\",\n \"cryptographic_binding_methods_supported\": [\n \"jwk\",\n \"cose_key\"\n ],\n \"credential_signing_alg_values_supported\": [\n \"ES256\"\n ],\n \"doctype\": \"org.iso.18013.5.1.mDL\",\n \"claims\": {\n \"org.iso.18013.5.1\": {\n \"family_name\": {},\n \"given_name\": {},\n \"birth_date\": {},\n \"issue_date\": {},\n \"expiry_date\": {},\n \"issuing_country\": {},\n \"issuing_authority\": {},\n \"document_number\": {},\n \"portrait\": {},\n \"driving_privileges\": {},\n \"un_distinguishing_sign\": {},\n \"administrative_number\": {},\n \"sex\": {},\n \"height\": {},\n \"weight\": {},\n \"eye_colour\": {},\n \"hair_colour\": {},\n \"birth_place\": {},\n \"resident_address\": {},\n \"portrait_capture_date\": {},\n \"age_in_years\": {},\n \"age_birth_year\": {},\n \"age_over_18\": {},\n \"issuing_jurisdiction\": {},\n \"nationality\": {},\n \"resident_city\": {},\n \"resident_state\": {},\n \"resident_postal_code\": {},\n \"resident_country\": {},\n \"family_name_national_character\": {},\n \"given_name_national_character\": {},\n \"signature_usual_mark\": {}\n }\n }\n }\n }\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe credential issuer starts with a credential offer:\u003c/summary\u003e\n\n```json\n{\n \"credential_issuer\": \"https://wallet.a-sit.at/credential-issuer\",\n \"credential_configuration_ids\": [\n \"at.a-sit.wallet.atomic-attribute-2023\",\n \"AtomicAttribute2023#jwt_vc_json\",\n \"AtomicAttribute2023#vc+sd-jwt\",\n \"org.iso.18013.5.1\"\n ],\n \"grants\": {\n \"urn:ietf:params:oauth:grant-type:pre-authorized_code\": {\n \"pre-authorized_code\": \"fe8cee09-1b9a-4be4-90f4-3c77c44c37a6\",\n \"authorization_server\": \"https://wallet.a-sit.at/authorization-server\"\n }\n }\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eSince the issuer provides a pre-authorized code, the wallet uses this for the token request:\u003c/summary\u003e\n\n```json\n{\n \"grant_type\": \"urn:ietf:params:oauth:grant-type:pre-authorized_code\",\n \"redirect_uri\": \"https://wallet.a-sit.at/app/callback\",\n \"client_id\": \"https://wallet.a-sit.at/app\",\n \"authorization_details\": [\n {\n \"type\": \"openid_credential\",\n \"credential_configuration_id\": \"AtomicAttribute2023#vc+sd-jwt\",\n \"locations\": [\n \"https://wallet.a-sit.at/authorization-server\"\n ],\n \"credential_identifiers\": [\n \"AtomicAttribute2023#vc+sd-jwt\"\n ]\n }\n ],\n \"pre-authorized_code\": \"fe8cee09-1b9a-4be4-90f4-3c77c44c37a6\"\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe credential issuer answers with an access token:\u003c/summary\u003e\n\n```json\n{\n \"access_token\": \"8c41ad84-01ec-4300-9627-d210d1c0800e\",\n \"token_type\": \"bearer\",\n \"expires_in\": 3600,\n \"c_nonce\": \"cf0875c8-afec-4890-aba1-b87aa0bfd4ce\",\n \"authorization_details\": [\n {\n \"type\": \"openid_credential\",\n \"credential_configuration_id\": \"AtomicAttribute2023#vc+sd-jwt\",\n \"locations\": [\n \"https://wallet.a-sit.at/authorization-server\"\n ],\n \"credential_identifiers\": [\n \"AtomicAttribute2023#vc+sd-jwt\"\n ]\n }\n ]\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe wallet creates a credential request, including a proof-of-possession of its private key:\u003c/summary\u003e\n\n```json\n{\n \"credential_identifier\": \"AtomicAttribute2023#vc+sd-jwt\",\n \"proof\": {\n \"proof_type\": \"jwt\",\n \"jwt\": \"eyJ0eXAiOiJvcGVuaWQ0dmNpLXByb29mK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7ImNydiI6IlAtMjU2Iiwia2lkIjoiZGlkOmtleTp6RG5hZVlUN3BwWDRGeVM1Z3ZvcXJmQ2lMNmdMYm92bjVKQzRZelh4dUEydXBvcGtmIiwia3R5IjoiRUMiLCJ4IjoiZHlrQXRvMmhVcG85MzllX0IzaHRjQ0hDY1Y4c3Y1TkRfRDhZX0EtdlQtQSIsInkiOiJXc1pIazZ4N090bXI3WE5YNk9GT3lCdkpOYUxYX0RBVTFZemFMWnZNb3NnIn19.eyJpc3MiOiJodHRwczovL3dhbGxldC5hLXNpdC5hdC9hcHAiLCJhdWQiOiJodHRwczovL3dhbGxldC5hLXNpdC5hdC9jcmVkZW50aWFsLWlzc3VlciIsIm5vbmNlIjoiY2YwODc1YzgtYWZlYy00ODkwLWFiYTEtYjg3YWEwYmZkNGNlIiwiaWF0IjoxNzMzODIxNzQ0fQ.vSmPOkdtaAPHfpYocNG1af45SZvEpvhN9kKVKJ2-5TS_0dnn0ap7_91pJq_WlKGxhf5UF1T1j9TKITV8zEpb1Q\"\n }\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe JWT included decodes to the following:\u003c/summary\u003e\n\n```json\n{\n \"typ\": \"openid4vci-proof+jwt\",\n \"alg\": \"ES256\",\n \"jwk\": {\n \"crv\": \"P-256\",\n \"kid\": \"did:key:zDnaeYT7ppX4FyS5gvoqrfCiL6gLbovn5JC4YzXxuA2upopkf\",\n \"kty\": \"EC\",\n \"x\": \"dykAto2hUpo939e_B3htcCHCcV8sv5ND_D8Y_A-vT-A\",\n \"y\": \"WsZHk6x7Otmr7XNX6OFOyBvJNaLX_DAU1YzaLZvMosg\"\n }\n}\n```\n\nand\n\n```json\n{\n \"iss\": \"https://wallet.a-sit.at/app\",\n \"aud\": \"https://wallet.a-sit.at/credential-issuer\",\n \"nonce\": \"cf0875c8-afec-4890-aba1-b87aa0bfd4ce\",\n \"iat\": 1733821744\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe credential issuer issues the following credential:\u003c/summary\u003e\n\n```json\n{\n \"format\": \"vc+sd-jwt\",\n \"credential\": \"eyJraWQiOiJkaWQ6a2V5OnpEbmFlZHBaWjlwM3ZXQ2VBZlA2OU5EcGVoU2VuNGNTVWFCZDNHQlh6TUs3RnZ3UkIiLCJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJkaWQ6a2V5OnpEbmFlWVQ3cHBYNEZ5UzVndm9xcmZDaUw2Z0xib3ZuNUpDNFl6WHh1QTJ1cG9wa2YiLCJuYmYiOjE3MzM4MjE3NDQsImlzcyI6ImRpZDprZXk6ekRuYWVkcFpaOXAzdldDZUFmUDY5TkRwZWhTZW40Y1NVYUJkM0dCWHpNSzdGdndSQiIsImV4cCI6MTczMzgyMTgwNCwiaWF0IjoxNzMzODIxNzQ0LCJqdGkiOiJ1cm46dXVpZDowYzE4MGQ5Zi0wNzJkLTQyMGUtYmE1ZC00ZDllMGQxY2ViMWUiLCJ2Y3QiOiJBdG9taWNBdHRyaWJ1dGUyMDIzIiwic3RhdHVzIjp7ImlkIjoiaHR0cHM6Ly93YWxsZXQuYS1zaXQuYXQvYmFja2VuZC9jcmVkZW50aWFscy9zdGF0dXMvMSMxIiwidHlwZSI6IlJldm9jYXRpb25MaXN0MjAyMFN0YXR1cyIsInJldm9jYXRpb25MaXN0SW5kZXgiOjEsInJldm9jYXRpb25MaXN0Q3JlZGVudGlhbCI6Imh0dHBzOi8vd2FsbGV0LmEtc2l0LmF0L2JhY2tlbmQvY3JlZGVudGlhbHMvc3RhdHVzLzEifSwiX3NkX2FsZyI6InNoYS0yNTYiLCJjbmYiOnsiandrIjp7ImNydiI6IlAtMjU2Iiwia2lkIjoiZGlkOmtleTp6RG5hZVlUN3BwWDRGeVM1Z3ZvcXJmQ2lMNmdMYm92bjVKQzRZelh4dUEydXBvcGtmIiwia3R5IjoiRUMiLCJ4IjoiZHlrQXRvMmhVcG85MzllX0IzaHRjQ0hDY1Y4c3Y1TkRfRDhZX0EtdlQtQSIsInkiOiJXc1pIazZ4N090bXI3WE5YNk9GT3lCdkpOYUxYX0RBVTFZemFMWnZNb3NnIn19LCJfc2QiOlsiM29aamN4Yy1XTi1idDF0aUJTamx3clJBbUY0OGpSMTNfeFUyandLWU9HTSIsIlNBcEhtRjJUN3lLazYwamxTbkFvbFdhMEZpYnljLWZwdkNWRlBJN0NPNDAiLCJIUFpyaHpTQno1U2ZtbmxCeml5QzNXX3JmRXFobkh3YTNwQ21GYzc3U19zIiwidXl6YXBxcDdNWkZFY1pVX3lqYnJRcW5mcUhUT1pudjM2MG1XRUh3ajM0TSJdfQ.KhdVWwIJAPoxm8vxQ4Fbq9_DC_szV2aLziDFe5Opns0H2bHgT4WAkR4yPf1cs1mJV7DEgJcMqAw1ABXTeaEpvw~WyJwQ0xUeXd0NTRnOFlSWGMwWkZuZlRYU05xSGR3YkpUZm1KM3l0SmJfTmYwIiwiZ2l2ZW5fbmFtZSIsIlN1c2FubmUiXQ~WyJXemdkNmI0QWg4WGdzcExKM1IxNzJrczV1Qi1la3NiajNXRk5RcE52SjBBIiwiZmFtaWx5X25hbWUiLCJNZWllciJd~WyJ4Q3hpcWZUUzNXNkUtbW15UVEwbVFmbVRBYjdPRjV6aW13UVZ1Zi0wN3cwIiwiZGF0ZV9vZl9iaXJ0aCIsIjE5OTAtMDEtMDEiXQ~WyJkQWN0Y05MVlFyVVpnN2tMeGJEYkVRdF9jS09mRVVKZ3EyZjBzVlZiNEQwIiwicG9ydHJhaXQiLCJQR3JvT2dFcnROYU84RnVubm54amJ3Q3dic1NwanZhNDZyd3VqdVA4dGxnQVl2YjhHLXF0RG9oVHl2Qjd1NkVqZENXN0ltYlhVWFJFbzkzWTBZZjUzZyJd~\"\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe SD-JWT included decodes to the following:\u003c/summary\u003e\n\n```json\n{\n \"sub\": \"did:key:zDnaeYT7ppX4FyS5gvoqrfCiL6gLbovn5JC4YzXxuA2upopkf\",\n \"nbf\": 1733821744,\n \"iss\": \"did:key:zDnaedpZZ9p3vWCeAfP69NDpehSen4cSUaBd3GBXzMK7FvwRB\",\n \"exp\": 1733821804,\n \"iat\": 1733821744,\n \"jti\": \"urn:uuid:0c180d9f-072d-420e-ba5d-4d9e0d1ceb1e\",\n \"vct\": \"AtomicAttribute2023\",\n \"status\": {\n \"id\": \"https://wallet.a-sit.at/backend/credentials/status/1#1\",\n \"type\": \"RevocationList2020Status\",\n \"revocationListIndex\": 1,\n \"revocationListCredential\": \"https://wallet.a-sit.at/backend/credentials/status/1\"\n },\n \"_sd_alg\": \"sha-256\",\n \"cnf\": {\n \"jwk\": {\n \"crv\": \"P-256\",\n \"kid\": \"did:key:zDnaeYT7ppX4FyS5gvoqrfCiL6gLbovn5JC4YzXxuA2upopkf\",\n \"kty\": \"EC\",\n \"x\": \"dykAto2hUpo939e_B3htcCHCcV8sv5ND_D8Y_A-vT-A\",\n \"y\": \"WsZHk6x7Otmr7XNX6OFOyBvJNaLX_DAU1YzaLZvMosg\"\n }\n },\n \"_sd\": [\n \"3oZjcxc-WN-bt1tiBSjlwrRAmF48jR13_xU2jwKYOGM\",\n \"SApHmF2T7yKk60jlSnAolWa0Fibyc-fpvCVFPI7CO40\",\n \"HPZrhzSBz5SfmnlBziyC3W_rfEqhnHwa3pCmFc77S_s\",\n \"uyzapqp7MZFEcZU_yjbrQqnfqHTOZnv360mWEHwj34M\"\n ]\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003ewith the following claims appended:\u003c/summary\u003e\n\n```json\n[\"pCLTywt54g8YRXc0ZFnfTXSNqHdwbJTfmJ3ytJb_Nf0\",\"given_name\",\"Susanne\"]\n```\n\n```json\n[\"Wzgd6b4Ah8XgspLJ3R172ks5uB-eksbj3WFNQpNvJ0A\",\"family_name\",\"Meier\"]\n```\n\n```json\n[\"xCxiqfTS3W6E-mmyQQ0mQfmTAb7OF5zimwQVuf-07w0\",\"date_of_birth\",\"1990-01-01\"]\n```\n\u003c/details\u003e\n\n\n\n## Dataflow for OpenID4VP\n\nWe'll present a presentation process according to [OID4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html), with all terms taken from there.\n\n\u003cdetails\u003e\n\u003csummary\u003eThe verifier creates a URL to be displayed to the wallet, containing a reference to the authentication request itself:\u003c/summary\u003e\n\n```\nhttps://example.com/wallet/9ecf4d9d-e0a7-488c-960f-448299bfc004\n ?client_id=https%3A%2F%2Fexample.com%2Frp%2F2cb7cb49-305e-4e7a-a235-d3fc2f426db3\n \u0026request_uri=https%3A%2F%2Fwww.example.com%2Frequest%2Fd4a5305d-1ade-40c0-8db4-d8ec458b0750\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe authentication request is signed as a JWS and contains the following header and payload:\u003c/summary\u003e\n\n```json\n{\n \"kid\": \"did:key:zDnaeY1pcEbr4eV4oDgYbbHKERhUdRsh6UJ7114rvkmBve9ps\",\n \"typ\": \"oauth-authz-req+jwt\",\n \"alg\": \"ES256\",\n \"jwk\": {\n \"crv\": \"P-256\",\n \"kid\": \"did:key:zDnaeY1pcEbr4eV4oDgYbbHKERhUdRsh6UJ7114rvkmBve9ps\",\n \"kty\": \"EC\",\n \"x\": \"cK4D5_nqSbOut9t80PpEn1evjm39TxvlyAWZTGH72dA\",\n \"y\": \"L91dVJYKkfhIe6VTXxtoIxqYNKyuSKeiTTZ5Rde4owI\"\n }\n}\n```\n\n```json\n{\n \"response_type\": \"vp_token\",\n \"client_id\": \"https://example.com/rp/f924b863-10e0-4740-8bea-7026742c734c\",\n \"scope\": \"openid profile AtomicAttribute2023 AtomicAttribute2023 at.a-sit.wallet.atomic-attribute-2023\",\n \"state\": \"2add0b20-feaf-43e2-a368-92748e7b0860\",\n \"nonce\": \"776acc4f-1606-4112-b799-69c74064499e\",\n \"client_metadata\": {\n \"redirect_uris\": [\n \"https://example.com/rp/f924b863-10e0-4740-8bea-7026742c734c\"\n ],\n \"jwks\": {\n \"keys\": [\n {\n \"crv\": \"P-256\",\n \"kty\": \"EC\",\n \"x\": \"cK4D5_nqSbOut9t80PpEn1evjm39TxvlyAWZTGH72dA\",\n \"y\": \"L91dVJYKkfhIe6VTXxtoIxqYNKyuSKeiTTZ5Rde4owI\"\n }\n ]\n },\n \"subject_syntax_types_supported\": [\n \"urn:ietf:params:oauth:jwk-thumbprint\",\n \"did:key\",\n \"jwk\"\n ],\n \"vp_formats\": {\n \"jwt_vp\": {\n \"alg\": [\n \"ES256\"\n ]\n },\n \"vc+sd-jwt\": {\n \"alg\": [\n \"ES256\"\n ]\n },\n \"mso_mdoc\": {\n \"alg\": [\n \"ES256\"\n ]\n }\n }\n },\n \"id_token_type\": \"subject_signed_id_token\",\n \"presentation_definition\": {\n \"id\": \"cc94b105-48c1-41a4-b6c1-40043ed65a96\",\n \"input_descriptors\": [\n {\n \"type\": \"at.asitplus.dif.DifInputDescriptor\",\n \"id\": \"a8cb5330-b9da-4ed7-9f5c-d9a388834257\",\n \"format\": {\n \"vc+sd-jwt\": {\n \"alg\": [\n \"ES256\"\n ]\n }\n },\n \"constraints\": {\n \"fields\": [\n {\n \"optional\": false,\n \"path\": [\n \"$[\\\"given_name\\\"]\"\n ]\n },\n {\n \"optional\": false,\n \"path\": [\n \"$[\\\"family_name\\\"]\"\n ]\n },\n {\n \"path\": [\n \"$.vct\"\n ],\n \"filter\": {\n \"type\": \"string\",\n \"pattern\": \"AtomicAttribute2023\"\n }\n }\n ]\n }\n }\n ]\n },\n \"client_id_scheme\": \"redirect_uri\",\n \"response_mode\": \"direct_post\",\n \"response_uri\": \"https://example.com/rp/response/830f5637-4885-43fe-a2c3-f155a8a073ac\",\n \"aud\": \"https://self-issued.me/v2\",\n \"iss\": \"https://self-issued.me/v2\"\n}\n}\n```\n\u003c/details\u003e\n\nThe wallet sends back the response as a POST to `https://example.com/rp/response/830f5637-4885-43fe-a2c3-f155a8a073ac` with the parameters `presentation_submission`, `vp_token` and `state` set.\n\n\u003cdetails\u003e\n\u003csummary\u003e\nThe value for the presentation submission is:\n\u003c/summary\u003e\n\n```json\n{\n \"id\": \"6d30b07d-d589-4bef-85e0-4feef73e012b\",\n \"definition_id\": \"cc94b105-48c1-41a4-b6c1-40043ed65a96\",\n \"descriptor_map\": [\n {\n \"id\": \"a8cb5330-b9da-4ed7-9f5c-d9a388834257\",\n \"format\": \"vc+sd-jwt\",\n \"path\": \"$\"\n }\n ]\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eThe value for the VP token is an SD-JWT, with header and payload:\u003c/summary\u003e\n\n```json\n{\n \"kid\": \"did:key:zDnaemxTpFAmVZVdKvraBmLd2aDUqrmYRKJcDQnD8Zg7B2rKu\",\n \"typ\": \"vc+sd-jwt\",\n \"alg\": \"ES256\"\n}\n```\n\n```json\n{\n \"sub\": \"did:key:zDnaeqVE5wWY9jD862tRpMu4DFpR4vfzBQihTCwZ8bZRP3Jdn\",\n \"nbf\": 1733823057,\n \"iss\": \"did:key:zDnaemxTpFAmVZVdKvraBmLd2aDUqrmYRKJcDQnD8Zg7B2rKu\",\n \"exp\": 1733823117,\n \"iat\": 1733823057,\n \"jti\": \"urn:uuid:4b51b38b-9604-4e7e-8775-2b794184b5df\",\n \"vct\": \"AtomicAttribute2023\",\n \"status\": {\n \"id\": \"https://wallet.a-sit.at/backend/credentials/status/1#1\",\n \"type\": \"RevocationList2020Status\",\n \"revocationListIndex\": 1,\n \"revocationListCredential\": \"https://wallet.a-sit.at/backend/credentials/status/1\"\n },\n \"_sd_alg\": \"sha-256\",\n \"cnf\": {\n \"jwk\": {\n \"crv\": \"P-256\",\n \"kty\": \"EC\",\n \"x\": \"dEnr0EF1Bh7G4r_dFSuCrAvyqaeMXd9D6WVu-yDBhmk\",\n \"y\": \"j3y-WVyrs5XIePFQ_PVQjDuQxp4TGV1F4EyrJlz8LMc\"\n }\n },\n \"_sd\": [\n \"VOfQfO9t-aUWwtcU498-SMJ0rzZpZdHObmzHuYZ7Eeg\",\n \"1ehcufQBrCsqdSIR6ZH7X5JDt63Ygk7NJYM66gjzeAw\",\n \"wyuZnInA1l1Tqsz44D8MUOfB7gWhJZkja_bMoyuoX9Q\",\n \"L5Hnmjie5TH4MvTCDIiQkX47YsKszi4AP75iuku8AY8\"\n ]\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eWith the following claims appended:\u003c/summary\u003e\n\n```json\n[\"1jvI5VgkgvP8zTr7wCCjKoFhAuyM5YdTP8EQUSrGSwk\",\"given_name\",\"Susanne\"]\n```\n\n```json\n[\"RPEnzDNDIVcCBK0GsLgbM7JAU-zjE5xozTHnAZxcCdY\",\"family_name\",\"Meier\"]\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eAs well as a key binding (the JWT is decoded):\u003c/summary\u003e\n\n```json\n{\n \"typ\": \"kb+jwt\",\n \"alg\": \"ES256\",\n \"jwk\": {\n \"crv\": \"P-256\",\n \"kid\": \"did:key:zDnaeqVE5wWY9jD862tRpMu4DFpR4vfzBQihTCwZ8bZRP3Jdn\",\n \"kty\": \"EC\",\n \"x\": \"dEnr0EF1Bh7G4r_dFSuCrAvyqaeMXd9D6WVu-yDBhmk\",\n \"y\": \"j3y-WVyrs5XIePFQ_PVQjDuQxp4TGV1F4EyrJlz8LMc\"\n }\n}\n```\n\n```json\n{\n \"iat\": 1733823057,\n \"aud\": \"https://example.com/rp/f924b863-10e0-4740-8bea-7026742c734c\",\n \"nonce\": \"776acc4f-1606-4112-b799-69c74064499e\",\n \"sd_hash\": \"ruXlGvBJ1rR0OHCyCPEuRkuxlQ6CcCe6KEdH-tw8DPU\"\n}\n```\n\u003c/details\u003e\n\n## Contributing\nExternal contributions are greatly appreciated! Be sure to observe the contribution guidelines (see [CONTRIBUTING.md](CONTRIBUTING.md)).\nIn particular, external contributions to this project are subject to the A-SIT Plus Contributor License Agreement (see also [CONTRIBUTING.md](CONTRIBUTING.md)).\n\n\n\n## Contributing\nExternal contributions are greatly appreciated! Be sure to observe the contribution guidelines (see [CONTRIBUTING.md](CONTRIBUTING.md)).\nIn particular, external contributions to this project are subject to the A-SIT Plus Contributor License Agreement (see also [CONTRIBUTING.md](CONTRIBUTING.md)).\n\n\n\n\u003cbr\u003e\n\n---\n\n| ![eu.svg](eu.svg)\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; | This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 959072. |\n|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------|\n\n---\n\n| ![eu.svg](eu.svg) \u003cbr\u003e Co\u0026#8209;Funded\u0026nbsp;by\u0026nbsp;the\u003cbr\u003eEuropean\u0026nbsp;Union | This project has received funding from the European Union’s \u003ca href=\"https://digital-strategy.ec.europa.eu/en/activities/digital-programme\"\u003eDigital Europe Programme (DIGITAL)\u003c/a\u003e, Project 101102655 — POTENTIAL. |\n|:------------------------------------------------------------------------------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n\n---\n\n\u003cp align=\"center\"\u003e\nThe Apache License does not apply to the logos, (including the A-SIT logo) and the project/module name(s), as these are the sole property of\nA-SIT/A-SIT Plus GmbH and may not be used in derivative works without explicit permission!\n\u003c/p\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fa-sit-plus%2Fvck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fa-sit-plus%2Fvck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fa-sit-plus%2Fvck/lists"}