OpenID for Verifiable Credential Issuance (OID4VCI) is a protocol specification that enables standardized issuance of verifiable credentials between issuers and wallet holders. This protocol implements a secure flow for requesting and receiving digital credentials while ensuring interoperability across the European Digital Identity Wallet ecosystem.
The standard defines two main issuance flows:
- Authorization Code Flow - For interactive credential issuance requiring user authentication
- Pre-authorized Code Flow - For non-interactive issuance using pre-authorized codes
Key capabilities include:
- Credential Offer mechanism to initiate issuance
- Discovery of issuer capabilities and configurations
- Authorization flows for secure access
- Credential Request/Response protocols
- Support for multiple credential formats including:
jwt_vc_json (W3C Verifiable Credentials)
vc+sd-jwt (IETF SD-JWT Verifiable Credentials)
mso_mdoc (ISO Mobile Driving License format)
Technical Details:
- Purpose and Scope:
- Standardize credential issuance between Issuers and Wallet Holders
- Enable interoperability across European Wallet Ecosystem
- Support multiple credential formats and authentication methods
- Key Technical Specifications:
- Uses
openid-credential-offer URI scheme
- Implements OAuth 2.0 authorization flows
- Supports PKCE (Proof Key for Code Exchange)
- Requires Pushed Authorization Requests
- Implements
/.well-known endpoints for discovery
- Implementation Requirements:
- Must support both authorization flows
- Must implement credential offer and discovery endpoints
- Must support specified credential formats
- Must implement security features like nonce and state parameters
- Security Considerations:
- Mandatory PKCE implementation
- Support for DID Authentication
- Transaction binding through
tx_code
- Short-lived authorization codes
- Secure credential state management
- Interoperability Features:
- Standardized credential offer format
- Common discovery mechanisms
- Consistent authorization flows
- Support for multiple credential formats
- Standardized error responses
- Current Adoption Status:
- Implemented by multiple European Digital Identity Wallet providers
- Adopted by various credential issuers
- Part of the European Union Digital Identity framework