Background

The OpenID Foundation has extended its OAuth2 and OpenID Connect standards to support the presentation of Verifiable Credentials (VCs) in a secure, interoperable, and privacy-preserving way. This extension, known as OID4VP (OpenID for Verifiable Presentations), provides a protocol for verifiers (also referred to as relying parties) to request specific credentials from a holder (the user), as well as for holders to present such credentials in cryptographically secure formats.

OID4VP is crucial for decentralized identity systems, where individuals maintain control of their Verifiable Credentials while verifiers can confirm the authenticity, validity, and proof of ownership of these credentials.

We have exercises that progressively let you use the REST API, understanding the process better in each step. You can try these after first reading this page to understand the concepts

What is OID4VP?

OID4VP enables:

  1. Credential Queries by Verifiers: Verifiers can specify exactly what credentials or claims they need from a user using a presentation request. This includes the credential type, issuer restrictions, and claim-specific details (e.g., “birth date older than 18”).
  2. Support for Multiple Credential Formats: OID4VP supports various Verifiable Credential formats, enabling interoperability between different ecosystems, issuers, and wallets. Examples include:
  • JSON Web Token (JWT): A widely adopted and transport-friendly format.
  • Selective Disclosure JSON Web Token (SD-JWT): Extensions to the JWT format, allowing for verifiable selective disclosure of individual claims
  • JSON-LD-based Credentials: Including Decentralized Identifiers (DIDs) for decentralized ecosystems.
  • Mdl/Mdoc: Support for IS18013-5 Mdl/Mdocs in CBOR format.

This versatility ensures that developers can leverage OID4VP regardless of the credential technologies used by their system or the credentials held by users.

OID4VP builds on well-known OAuth2 patterns while extending them with privacy-preserving mechanisms such as Selective Disclosure and Holder Binding.

Key Features of OID4VP

1. Support for Multiple Credential Formats

OID4VP is designed to work seamlessly with different Verifiable Credential formats. This is critical to enabling interoperability in decentralized identity ecosystems, where diverse issuers and credential technologies coexist. Supported formats are listed above. Developers can utilize these supported formats depending on the context and capabilities of their ecosystem. For example, an e-commerce platform might prefer JWT-based credentials for performance reasons, while a government digital identity system might adopt JSON-LD for decentralization and interoperability.

2. Credential Queries by Verifiers

OID4VP introduces powerful mechanisms that allow verifiers to define credential queries when forming their presentation requests. A Presentation Request lets verifiers express the exact credentials they need from a holder, including attributes, supported formats, and verification constraints.

Key Capabilities of Credential Queries:

  • Request Specific Credential Types: Verifiers can specify the type of credential they need, e.g., “Government-issued ID” or “Proof of Employment.”
  • Claim Filters: Verifiers can define specific claims or attributes required within the credential. For example, instead of a holder revealing a full credential for age verification, the verifier could request proof that “age > 18.”
  • Issuer Constraints: Requests may restrict the credentials to specific issuers. For example, only trust credentials issued by government or certified institutions.
  • Credential Format Preferences: Verifiers can indicate which credential formats they accept, such as JWT, JSON-LD, etc.

This flexibility in expressing requirements allows relying parties to only request credentials that match their needs while reducing unnecessary data exchanges.

Example: Presentation Request in Action

  • A verifier issues a presentation request specifying:
  1. Required claim: “Citizenship” with the value “CountryX”.
  2. Required credential type: “Government-issued Digital ID”.
  3. Accepted credential formats: JWT and JSON-LD.
  • The holder’s wallet evaluates the request, identifies a matching credential, and prepares a presentation. The wallet ensures the following:
  • Only the requested claim (e.g., “Citizenship”) is disclosed.
  • The credential format conforms to one of the verifier’s supported types.

3. Selective Disclosure

Selective Disclosure is a privacy-preserving feature at the heart of OID4VP. It allows credential holders to present only the specific data required by a verifier, instead of sharing the entire credential. For instance:

  • Sharing “Proof of Age” without revealing the actual date of birth.
  • Proving “Employment with CompanyX” without exposing job title or salary details.

This is enabled through mechanisms like cryptographic proofs (e.g., BBS+ Signatures for JSON-LD credentials or Disclosures in JWT-based credentials), ensuring data authenticity and integrity even with partial disclosures.

4. Holder Binding

Holder Binding ensures that the Verifiable Presentations created are tied to the individual presenting them. Using cryptographic techniques, OID4VP ensures that only the rightful holder of the credential can create and sign a presentation. This prevents malicious actors from using stolen or compromised credentials.

OID4VP in Action: Workflow Overview

OID4VP enables a seamless, secure flow between verifiers, holders, and credential issuers. Here is a simplified explanation:

  1. Verifier’s Presentation Request:
  • The verifier sends a credential query (presentation request) specifying the type and attributes for the desired credentials.
  • The request is passed to the user’s wallet or identity agent.
  1. Holder’s Validation & Selection:
  • The holder reviews the request and matches it with credentials stored in their wallet.
  • The holder determines what data to disclose (using selective disclosure) and prepares a Verifiable Presentation.
  1. Holder’s Response:
  • The holder returns the signed Verifiable Presentation to the verifier.
  1. Verification:
  • The verifier validates the credentials and associated cryptographic proofs.
  • Checks include:
  • Integrity of the data.
  • Authority of the issuer.
  • Binding of the credentials to the holder.

Use Cases of OID4VP

Example 1: Higher Education Enrollment

A university requests proof of prior education credentials during the admission process:

  • The verifier requests specific attributes like degree type and issuing institution.
  • The student shares a Verifiable Credential with matching claims, while withholding sensitive data like GPA or transcript details.

Example 2: Employment Verification

A verifier (potential employer) requests proof of employment:

  • Credential Query: “Employment Proof” with the claim “CompanyName = X”.
  • Holder responds with a Verifiable Presentation showing proof of employment, omitting unrelated details (e.g., previous job history or salary).

Example 3: Travel Authorization

An airline requests credentials to verify visa validity and vaccination status:

  • Credential Query: 1) “COVID-19 Vaccination Record,” 2) “Valid Visa for CountryX.”
  • Holder provides both in a single Verifiable Presentation using selective disclosure to hide unnecessary claims.

Relevant Links and Resources

State ManagerREST