OAuth 2.0 integration
The credential issuance service acts as an OAuth 2.0 resource server. It therefore requires an authorization server that issues access tokens as defined in RFC6749. OID4VCI defines extensions to the existing OAuth 2.0 mechanisms to support some of its features, such as the pre-authorized flow described in Issuance. For the credential issuance service to work, some of these extensions have to be implemented by the customer's OAuth 2.0 authorization server.
For an overview of the OID4VCI extensions to OAuth 2.0, see section 3.2 OAuth 2.0.
Pre-authorized code
The OID4VCI extensions introduce a new Grant Type, "Pre-Authorized Code", alongside the existing OAuth 2.0 Grant Types. It is used for flows in which the End-User has already been authenticated before the issuance flow starts, so the authorization server does not run an interactive authorization step of its own.
The Grant Type is identified by urn:ietf:params:oauth:grant-type:pre-authorized_code. The pre-authorized code itself is a short-lived, one-time-use code that the client exchanges for an access token at the token endpoint. Because the code is the only evidence of the earlier authentication, it must be unguessable, and the authorization server must reject it once it has been used or has expired.
For more information on how the credential issuance service receives and uses the Pre-authorized code see section 5. Application starts issuance of issuing verifiable credentials.
Token Request
RFC6749 defines the token endpoint, at which an access token is issued in exchange for an authorization code the client has obtained.
Section 6 of OID4VCI extends this endpoint to handle the newly defined Pre-Authorized Code Grant Type by adding the following parameters to the token request.
pre-authorized_code: The code authorizing issuance of certain credentials. Required if the grant_type is urn:ietf:params:oauth:grant-type:pre-authorized_code.
tx_code: A transaction code (for example a PIN delivered to the End-User over a separate channel) acting as a second factor. Optional if the grant_type is urn:ietf:params:oauth:grant-type:pre-authorized_code; it must be sent when the Credential Offer required one, and the authorization server must reject the token request when a required tx_code is missing or wrong.
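The following is an added example, not the credential issuance service's own code, of how an authorization server can implement the Pre-Authorized Code Grant Type described above and the token request parameters just listed. It shows the wallet building the token request and the server validating it: unknown grant types are rejected, the code is checked for expiry and single use, and a required tx_code is compared in constant time and locked out after repeated wrong guesses. The in-memory storage, the code and token formats, the 600-second token lifetime and the max_tx_code_attempts lockout are assumptions made for illustration; the grant_type URN, the parameter names and the error codes (invalid_request when an expected tx_code is missing, invalid_grant when a code or tx_code is wrong) follow OID4VCI and RFC6749.

```python
"""Added example: authorization-server handling of the OID4VCI pre-authorized code grant.

Not the credential issuance service's own code. Storage is an in-memory dict; the
code/token formats, the 600 s token lifetime and the max_tx_code_attempts lockout
are assumptions. The grant_type URN, parameter names and error codes are those of
OID4VCI / RFC 6749.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"


@dataclass
class PreAuthorizedCode:
    """Server-side record behind one issued pre-authorized code."""
    credential_configuration_ids: List[str]
    tx_code: Optional[str]      # None when the offer did not require a second factor
    expires_at: float
    used: bool = False
    tx_code_attempts: int = 0


def build_token_request(pre_authorized_code: str, tx_code: Optional[str] = None) -> str:
    """Wallet side: form-encoded body of the POST to the token endpoint."""
    params = {"grant_type": PRE_AUTH_GRANT, "pre-authorized_code": pre_authorized_code}
    if tx_code is not None:
        params["tx_code"] = tx_code
    return urlencode(params)


@dataclass
class AuthorizationServer:
    codes: Dict[str, PreAuthorizedCode] = field(default_factory=dict)
    tokens: Dict[str, dict] = field(default_factory=dict)
    max_tx_code_attempts: int = 3   # assumption: burn the code after this many wrong tx_codes

    def issue_pre_authorized_code(self, credential_configuration_ids, tx_code=None,
                                  ttl=300, now=None) -> str:
        """Mint a code after the End-User was authenticated out of band (e.g. in a portal)."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)    # unguessable: it is the only proof of authentication
        self.codes[code] = PreAuthorizedCode(list(credential_configuration_ids), tx_code, now + ttl)
        return code

    def token_request(self, body: str, now=None):
        """Handle POST /token. Returns (http_status, json_body)."""
        now = time.time() if now is None else now
        params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if params.get("grant_type") != PRE_AUTH_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        code = params.get("pre-authorized_code")
        if not code:
            return 400, {"error": "invalid_request"}
        entry = self.codes.get(code)
        # Unknown, already used and expired codes all get the same answer.
        if entry is None or entry.used or now >= entry.expires_at:
            return 400, {"error": "invalid_grant"}
        if entry.tx_code is not None:
            supplied = params.get("tx_code")
            if supplied is None:
                # OID4VCI: a tx_code was expected but not provided -> invalid_request
                return 400, {"error": "invalid_request",
                             "error_description": "tx_code required"}
            entry.tx_code_attempts += 1
            if not hmac.compare_digest(supplied.encode(), entry.tx_code.encode()):
                if entry.tx_code_attempts >= self.max_tx_code_attempts:
                    entry.used = True   # stop online guessing of a short PIN
                return 400, {"error": "invalid_grant"}
        entry.used = True   # single use: consumed before the token is handed out
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"credential_configuration_ids": entry.credential_configuration_ids,
                              "expires_at": now + 600}
        return 200, {"access_token": token, "token_type": "bearer", "expires_in": 600}
```

The access token record keeps the credential_configuration_ids the code was issued for, so the credential issuance service (the resource server) can later check that the token actually authorizes the credential being requested rather than any credential the issuer offers.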