IssuerMetadata
To be serialized into /.well-known/openid-credential-issuer
Constructors
Properties
OIDC Discovery: REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint (OpenID.Core).
OID4VCI: OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in RFC8414) the Credential Issuer relies on for authorization. If this parameter is omitted, the entity providing the Credential Issuer is also acting as the Authorization Server, i.e., the Credential Issuer's identifier is used to obtain the Authorization Server metadata.
OID4VCI: OPTIONAL. URL of the Credential Issuer's Batch Credential Endpoint, as defined in Section 8. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Batch Credential Endpoint.
OID4VP: OPTIONAL. Array of JSON Strings containing the values of the Client Identifier schemes that the Wallet supports. The values defined by this specification are pre-registered, redirect_uri, entity_id, did. If omitted, the default value is pre-registered.
OID4VCI: REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.
OID4VCI: REQUIRED. The Credential Issuer's identifier.
OID4VCI: OPTIONAL. Object containing information about whether the Credential Issuer supports encryption of the Credential and Batch Credential Response on top of TLS.
OID4VCI: OPTIONAL. URL of the Credential Issuer's Deferred Credential Endpoint, as defined in Section 9. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Deferred Credential Endpoint.
OID4VCI: OPTIONAL. An array of objects, where each object contains display properties of a Credential Issuer for a certain language.
OIDC Discovery: REQUIRED. A JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT (RFC7519). Valid values include RS256, ES256, ES256K, and EdDSA.
OIDC SIOPv2: OPTIONAL. A JSON array of strings containing the list of ID Token types supported by the OP. The default value is attester_signed_id_token (the ID Token is issued by the party operating the OP, i.e. this is the classical ID Token as defined in OpenID.Core); it may also include subject_signed_id_token (Self-Issued ID Token, i.e. the ID Token is signed with key material under the end-user's control).
OIDC Discovery: REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
OIDC Discovery: REQUIRED. URL of the OP's JSON Web Key Set document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server.
OID4VCI: OPTIONAL. URL of the Credential Issuer's Notification Endpoint, as defined in Section 10. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Notification Endpoint.
OID4VP: OPTIONAL. Boolean value specifying whether the Wallet supports the transfer of presentation_definition by reference, with true indicating support. If omitted, the default value is true.
OIDC SIOPv2: REQUIRED. A JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID.Core. Valid values include none, RS256, ES256, ES256K, and EdDSA.
OIDC Discovery: REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. OIDC SIOPv2: MUST be id_token.
OIDC SIOPv2: REQUIRED. A JSON array of strings representing supported scopes. MUST support the openid scope value.
OIDC SIOPv2: REQUIRED. A JSON array of strings representing URI scheme identifiers and optionally method names of supported Subject Syntax Types. Valid values include urn:ietf:params:oauth:jwk-thumbprint, did:example and others.
OIDC Discovery: REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.
OID4VCI: REQUIRED. Object that describes specifics of the Credential that the Credential Issuer supports issuance of. This object contains a list of name/value pairs, where each name is a unique identifier of the supported Credential being described.
OID4VCI: OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning AuthorizationDetails.credentialIdentifiers in the Token Response parameter, with true indicating support. If omitted, the default value is false.
OIDC Discovery: URL of the OP's OAuth 2.0 Token Endpoint (OpenID.Core). This is REQUIRED unless only the Implicit Flow is used.
OID4VP: REQUIRED. An object containing a list of key value pairs, where the key is a string identifying a Credential format supported by the Wallet. Valid Credential format identifier values are defined in Annex E of OpenID.VCI. Other values may be used when defined in the profiles of this specification.
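The REQUIRED/OPTIONAL and https rules in the OID4VCI entries above can be checked on a parsed metadata document before a wallet or test harness trusts it. The following is an added example, not code from the library documented here; the JSON member names are assumed from the OID4VCI specification (this page lists only the descriptions), and the sample documents are constructed.

```python
from urllib.parse import urlsplit

# Member names assumed from the OID4VCI spec; the page gives only descriptions.
REQUIRED = ("credential_issuer", "credential_endpoint",
            "credential_configurations_supported")
HTTPS_ENDPOINTS = ("credential_endpoint", "batch_credential_endpoint",
                   "deferred_credential_endpoint", "notification_endpoint")

def _is_https_url(value) -> bool:
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme == "https" and bool(parts.hostname)

def check_issuer_metadata(meta: dict) -> list:
    """Return findings; an empty list means every check passed."""
    findings = [f"missing REQUIRED member: {n}" for n in REQUIRED if n not in meta]
    for name in HTTPS_ENDPOINTS:
        # Optional endpoints may be omitted (meaning "not supported").
        if name in meta and not _is_https_url(meta[name]):
            findings.append(f"{name} must be an https URL: {meta[name]!r}")
    servers = meta.get("authorization_servers")
    if servers is not None and not (
            isinstance(servers, list) and all(isinstance(s, str) for s in servers)):
        findings.append("authorization_servers must be an array of strings")
    return findings

def authorization_server_ids(meta: dict) -> list:
    """If authorization_servers is omitted, the issuer acts as its own AS.
    Call only on a document that passed check_issuer_metadata()."""
    if "authorization_servers" in meta:
        return list(meta["authorization_servers"])
    return [meta["credential_issuer"]]

# Constructed sample documents (not from any real issuer).
GOOD = {
    "credential_issuer": "https://issuer.example",
    "credential_endpoint": "https://issuer.example/credential",
    "deferred_credential_endpoint": "https://issuer.example:8443/deferred?t=a",
    "credential_configurations_supported": {"ExampleCredential": {}},
}
BAD = {
    "credential_issuer": "https://issuer.example",
    "credential_endpoint": "http://issuer.example/credential",  # plain http
    "notification_endpoint": "issuer.example/notify",           # no scheme
    "authorization_servers": "https://as.example",              # not an array
}
```

`check_issuer_metadata(GOOD)` returns an empty list, while `BAD` yields four findings: the missing credential configurations object, two endpoints that are not https URLs, and the malformed `authorization_servers` value.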