AuthenticationRequestParameters

CSC: OPTIONAL To restrict access to the authorization server of a remote service, this specification introduces the additional account_token parameter to be used when calling the oauth2/authorize endpoint. This parameter contains a secure token designed to authenticate the authorization request based on an Account ID that SHALL be uniquely assigned by the signature application to the signing user or to the user’s application account

OAuth 2.0 JAR: If signed, the Authorization Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members with their semantics being the same as defined in the JWT (RFC7519) specification. The value of aud should be the value of the authorization server (AS) issuer, as defined in RFC 8414.

RFC9396: The request parameter authorization_details contains, in JSON notation, an array of objects. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. The type of resource or access requirement is determined by the AuthorizationDetails.type field.

OIDC: OPTIONAL. This parameter is used to request that specific Claims be returned. The value is a JSON object listing the requested Claims.

CSC: OPTIONAL Arbitrary data from the signature application. It can be used to handle a transaction identifier or other application-specific data that may be useful for debugging purposes

OID4VP 1.0: REQUIRED. As in OIDC OIDC: REQUIRED. OAuth 2.0 Client Identifier valid at the Authorization Server.

Reads the OpenIdConstants.ClientIdScheme by extracting the prefix from clientId

Reads the clientId and removes the prefix of the clientIdSchemeExtracted. OpenID4VP states that the full clientId must be used for presentations and anything else.

OIDC SIOPv2: OPTIONAL. This parameter is used by the RP to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic RP Registration. It MUST not be present if the RP uses OpenID Federation 1.0 Automatic Registration to pass its metadata.

RFC7636: A challenge derived from the code verifier that is sent in the authorization request, to be verified against later.

RFC7636: A method that was used to derive code challenge.

CSC: REQUIRED-"credential" The identifier associated to the credential to authorize. This parameter value may contain characters that are reserved, unsafe or forbidden in URLs and therefore SHALL be url-encoded by the signature application

OID4VP 1.0: A JSON object containing a DCQL query as defined in Section 6. Either a dcqlQuery or a scope parameter representing a DCQL Query MUST be present in the Authorization Request, but not both.

CSC: OPTIONAL A free form description of the authorization transaction in the lang language. The maximum size of the string is 500 characters

DCAPI: REQUIRED when signed requests defined in Appendix A.3.2 are used with the Digital Credentials API (DC API). An array of strings, each string representing an Origin of the Verifier that is making the request. The Wallet MUST compare values in this parameter to the Origin to detect replay of the request from a malicious Verifier. If the Origin does not match any of the entries in expected_origins, the Wallet MUST return an error. This error SHOULD be an invalid_request error. This parameter is not for use in unsigned requests and therefore a Wallet MUST ignore this parameter if it is present in an unsigned request.

CSC: REQUIRED-"credential" String containing the OID of the hash algorithm used to generate the hashes

CSC: REQUIRED-"credential" One or more base64url-encoded hash values to be signed

OIDC: OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required.

OIDC SIOPv2: OPTIONAL. Space-separated string that specifies the types of ID Token the RP wants to obtain, with the values appearing in order of preference. The allowed individual values are subject_signed_id_token and attester_signed_id_token. The default value is attester_signed_id_token. The RP determines the type if ID Token returned based on the comparison of the iss and sub claims values. In order to preserve compatibility with existing OpenID Connect deployments, the OP MAY return an ID Token that does not fulfill the requirements as expressed in this parameter. So the RP SHOULD be prepared to reliably handle such an outcome.

OPTIONAL. Time at which the request was issued.

OAuth 2.0 JAR: If signed, the Authorization Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members with their semantics being the same as defined in the JWT (RFC7519) specification. The value of aud should be the value of the authorization server (AS) issuer, as defined in RFC 8414.

OID4VP: OPTIONAL. String value identifying a certain processing context at the Credential Issuer. A value for this parameter is typically passed in a Credential Offer from the Credential Issuer to the Wallet. This request parameter is used to pass the issuer_state value back to the Credential Issuer, see CredentialOfferGrantsAuthCode.issuerState.

CSC: Optional Request a preferred language according to RFC 5646

OID4VP 1.0: REQUIRED. OIDC: OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.

CSC: Required-"credential" The number of signatures to authorize

OID4VP: A string containing a Presentation Definition JSON object. This parameter MUST be present when presentationDefinitionUrl parameter, or a scope value representing a Presentation Definition is not present.

OID4VP: A string containing an HTTPS URL pointing to a resource where a Presentation Definition JSON object can be retrieved. This parameter MUST be present when presentationDefinition parameter, or a scope value representing a Presentation Definition is not present.

OIDC: REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of RFC3986 (Simple String Comparison).

Reads the redirectUrl, or the clientIdWithoutPrefix if clientIdSchemeExtracted is OpenIdConstants.ClientIdScheme.RedirectUri.

RFC8707: In requests to the authorization server, a client MAY indicate the protected resource (a.k.a. resource server, application, API, etc.) to which it is requesting access. Its value MUST be an absolute URI, as specified by Section 4.3 of (RFC3986).

OID4VP 1.0: REQUIRED (Defined as in OAuth2.0 Responses)

OIDC: REQUIRED. OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.

OID4VP: OPTIONAL. The Response URI to which the Wallet MUST send the Authorization Response using an HTTPS POST request as defined by the Response Mode direct_post. The Response URI receives all Authorization Response parameters as defined by the respective Response Type. When the response_uri parameter is present, the redirect_uri Authorization Request parameter MUST NOT be present. If the redirect_uri Authorization Request parameter is present when the Response Mode is direct_post, the Wallet MUST return an invalid_request Authorization Response error.

OID4VP 1.0: OPTIONAL OIDC: REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. e.g. profile or com.example.healthCardCredential

CSC: Required-"credential" This parameter contains the symbolic identifier determining the kind of signature to be created

OID4VP 1.0: OPTIONAL. OIDC: RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

OID4VP 1.0: OPTIONAL. Non-empty array of strings, where each string is a base64url-encoded JSON object that contains a typed parameter set with details about the transaction that the Verifier is requesting the End-User to authorize. The Wallet MUST return an error if a request contains even one unrecognized transaction data type or transaction data not conforming to the respective type definition.

OID4VP: OPTIONAL. String containing an opaque End-User hint that the Wallet MAY use in subsequent callbacks to optimize the End-User's experience. This is RECOMMENDED in Dynamic Credential Requests.

OID4VP 1.0: OPTIONAL. A non-empty array of attestations about the Verifier relevant to the Credential Request. These attestations MAY include Verifier metadata, policies, trust status, or authorizations. Attestations are intended to support authorization decisions, inform Wallet policy enforcement, or enrich the End-User consent dialog

OID4VP: OPTIONAL. String containing the Wallet's identifier. The Credential Issuer can use the discovery process defined in SIOPv2 to determine the Wallet's capabilities and endpoints, using the wallet_issuer value as the Issuer Identifier referred to in SIOPv2. This is RECOMMENDED in Dynamic Credential Requests.

OpenID4VP: When received in RequestObjectParameters.walletNonce, the Verifier MUST use it as the walletNonce value in the signed authorization request object. Value can be a base64url-encoded, fresh, cryptographically random number with sufficient entropy.