openid-connect-4-ida-attachments-1_0 October 2024
Lodderstedt, et al. Standards Track [Page]
Workgroup:
eKYC-IDA
Published:
Authors:
T. Lodderstedt
sprind.org
D. Fett
Authlete
M. Haine
Considrd.Consulting Ltd
A. Pulido
Santander
K. Lehmann
1&1 Mail & Media Development & Technology GmbH
K. Koiwai
KDDI Corporation

OpenID Attachments 1.0 draft

Abstract

This document defines a way of representing binary data in the context of a JSON payload. It can be used as an extension of OpenID Connect that defines new attachments relating to the identity of a natural person or in other JSON contexts that have binary data elements . The work and the preceding drafts are the work of the eKYC and Identity Assurance working group of the OpenID Foundation.

Introduction

This document defines an attachment element as a JWT claim for use in various contexts.

Attachment element was inspired by the work done on [OpenID4IDA] and in particular how to include images of various pieces of evidence used as part of an identity assurance process. However, it is anticipated that there are other cases where the ability to embed or refer to non-JSON structured data is useful.

Warning

This document is not an OIDF International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard. Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

Foreword

The OpenID Foundation (OIDF) promotes, protects and nurtures the OpenID community and technologies. As a non-profit international standardizing body, it is comprised by over 160 participating entities (workgroup participant). The work of preparing implementer drafts and final international standards is carried out through OIDF workgroups in accordance with the OpenID Process. Participants interested in a subject for which a workgroup has been established have the right to be represented in that workgroup. International organizations, governmental and non-governmental, in liaison with OIDF, also take part in the work. OIDF collaborates closely with other standardizing bodies in the related fields.

Final drafts adopted by the Workgroup through consensus are circulated publicly for the public review for 60 days and for the OIDF members for voting. Publication as an OIDF Standard requires approval by at least 50% of the members casting a vote. There is a possibility that some of the elements of this document may be subject to patent rights. OIDF shall not be held responsible for identifying any or all such patent rights.

Notational conventions

The keywords "shall", "shall not", "should", "should not", "may", and "can" in this document are to be interpreted as described in ISO Directive Part 2 [ISODIR2]. These keywords are not used as dictionary terms such that any occurrence of them shall be interpreted as keywords and are not to be interpreted with their natural language meanings.

Table of Contents

1. Scope

This document defines how embedded and external attachments are used.

2. Normative references

See section 9 for normative references.

3. Terms and definitions

No terms and definitions are listed in this document.

4. Attachments

Where evidence is used in identity verification process, specific document artifacts (such as images of that evidence) might need to be presented and, depending on the trust framework, might need to to be stored by the recipient for a period. These artifacts can then, for example, be reviewed during audit or quality control. These artifacts include, but are not limited to:

When using OpenID Connect and requested by the RP, these artifacts can be included as part of an ID token, and in particular part of an [OpenID4IDA] verified_claims element allowing the RP to store these artifacts along with the other verified_claims information.

An attachment is represented by a JSON object. This document allows for two types of representation:

4.1. Embedded attachments

All the information of the document (including the content itself) is provided within a JSON object having the following elements:

desc: Optional. Description of the document. This can be the filename or just an explanation of the content. The used language is not specified, but is usually bound to the jurisdiction of the underlying trust framework of the OP.

content_type: Required. Content (MIME) type of the document. See [RFC6838]. Multipart or message media types are not allowed. Example: "image/png"

content: Required. Base64 encoded representation of the document content. See [RFC4648].

The following example shows embedded attachments within a UserInfo endpoint response. The actual contents of the attached documents are truncated:

{
  "sub": "248289761001",
  "email": "janedoe@example.com",
  "attachments": [
    {
      "desc": "Front of id document",
      "content_type": "image/png",
      "content": "Wkd0bWFtVnlhWFI2Wlc0Mk16VER2RFUyY0RRMWFUbDBNelJ1TlRjd31dzdaM1pTQXJaWGRsTXpNZ2RETmxDZwo="
    },
    {
      "desc": "Back of id document",
      "content_type": "image/png",
      "content": "iVBORw0KGgoAAAANSUhEUgAAAAIAAAACCAYAAABytg0kAADSFsjdkhjwhAABJRU5ErkJggg=="
    }
  ]
}

Note: Due to their size, embedded attachments are not always appropriate when embedding in objects such as access tokens or ID Tokens.

4.2. External attachments

External attachments are similar to distributed claims as defined in [OpenID]. The reference to the external document is provided in a JSON object with the following elements:

desc: Optional. Description of the document. This can be the filename or just an explanation of the content. The used language is not specified, but is usually bound to the jurisdiction of the underlying trust framework or the OP.

url: Required. OAuth 2.0 [RFC6749] protected resource endpoint from which the attachment can be retrieved. Providers shall protect this endpoint, ensuring that the attachment cannot be retrieved by unauthorized parties (typically by requiring an access token as described below). The endpoint URL shall return the attachment whose cryptographic hash matches the value given in the digest element. The content MIME type of the attachment shall be indicated in a content-type HTTP response header, as per [RFC6838]. Multipart or message media types shall not be used.

access_token: Optional. Access token as type string enabling retrieval of the attachment from the given url. The attachment shall be requested using the OAuth 2.0 Bearer Token Usage [RFC6750] protocol and the OP shall support this method, unless another token type or method has been negotiated with the client. Use of other token types is outside the scope of this document. If the access_token element is not available, RPs shall use the access token issued by the OP in the token response and when requesting the attachment the RP shall use the same method as when accessing the UserInfo endpoint. If the value of this element is null, no access token is used to request the attachment and the RP shall not use the access token issued by the token response. In this case the OP shall incorporate other effective methods to protect the attachment and inform/instruct the RP accordingly.

exp: Optional. The "exp" (expiration time) claim identifies the expiration time on or after which the external attachment will not be available from the resource endpoint defined in the url element (e.g. the access_token will expire or the document will removed at that time). Implementers may provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value shall be a number containing a NumericDate value as per as per [RFC7519].

digest: Required. JSON object containing details of a cryptographic hash of the document content taken over the bytes of the payload (and not, e.g., the representation in the HTTP response). The JSON object has the following elements:

  • alg: Required. Specifies the algorithm used for the calculation of the cryptographic hash. The algorithm has been negotiated previously between RP and OP during client registration or management.
  • value: Required. Base64-encoded [RFC4648] bytes of the cryptographic hash.

Access tokens for external attachments should be bound to the specific resource being requested so that the access token may not be used to retrieve additional external attachments or resources. For example, the value of url could be tied to the access token as audience. This enhances security by enabling the resource server to check whether the audience of a presented access token matches the accessed URL and reject the access when they do not match. The same idea is described in Resource Indicators for OAuth 2.0 [RFC8707], which defines the resource request parameter whereby to specify one or more resources which should be tied to an access token being issued.

The following example shows external attachments:

{
  "verified_claims": {
    "verification": {
      "trust_framework":"eidas",
      "assurance_level": "substantial",
      "evidence": [
        {
          "type": "document",
          "method": "pipp",
          "time": "2012-04-22T11:30Z",
          "document_details": {
            "type": "idcard",
            "issuer": {
              "name": "Stadt Augsburg",
              "country": "DE"
            },
            "document_number": "53554554",
            "date_of_issuance": "2010-03-23",
            "date_of_expiry": "2020-03-22"
          },
          "attachments": [
            {
              "desc": "Front of id document",
              "digest": {
                "alg": "sha-256",
                "value": "qC1zE5AfxylOFLrCnOIURXJUvnZwSFe5uUj8t6hdQVM="
              },
              "url": "https://example.com/attachments/pGL9yz4hZQ",
              "access_token": "ksj3n283dke",
              "exp": 1676552089
            },
            {
              "desc": "Back of id document",
              "digest": {
                "alg": "sha-256",
                "value": "2QcDeLJ/qeXJn4nP+v3nijMgxOBCT9WJaV0LjRS4aT8="
              },
              "url": "https://example.com/attachments/4Ag8IpOf95"
            },
            {
              "desc": "Signed document",
              "digest": {
                "alg": "sha-256",
                "value": "i3O7U79LiyKmmesIgULKT2Q8LAxNO0CpwJVcbepaYf8="
              },
              "url": "https://example.com/attachments/4Ag8IpOf95",
              "access_token": null,
              "exp": 1676552189
            }
          ]
        }
      ]
    },
    "claims": {
      "given_name": "Max",
      "family_name": "Mustermann",
      "birthdate": "1956-01-28"
    }
  }
}

4.3. External attachment validation

Clients shall validate each external attachment they wish to rely on in the following manner:

  1. Ensure that the object includes the required elements: url, digest.
  2. Ensure that at the time of the request the time is before the time represented by the exp element.
  3. Ensure that the URL defined in the url element uses the https scheme.
  4. Ensure that the digest element contains both alg and value keys.
  5. Retrieve the attachment from the url element in the object.
  6. Ensure that the content MIME type of the attachment is indicated in a content-type HTTP response header
  7. Ensure that the MIME type is not multipart (see Section 5.1 of [RFC2046])
  8. Ensure that the MIME type is not a "message" media type (see [RFC5322])
  9. Ensure the returned attachment has a cryptographic hash digest that matches the value given in the digest object's value and algorithm defined in the value of the alg element.

If any of these requirements are not met, do not use the content of the attachment, discard it and do not rely upon it.

5. Privacy considerations

As attachments will most likely contain more personal information than was requested by the RP with specific claim names, an OP shall ensure that the end-user is well aware of when and what kind of attachments are about to be transferred to the RP. If possible or applicable, the OP should allow the end-user to review the content of these attachments before giving consent to the transaction.

6. Client registration and management

If external attachments are used in the context of an OpenID Provider that uses either [OpenID-Registration] or [RFC7592] the following additional properties should be available as part of any client registration or client management interactions:

digest_algorithm: String value representing the chosen digest algorithm (for external attachments). The value shall be one of the digest algorithms supported by the OP as advertised in the OP metadata. If this property is not set, sha-256 will be used by default.

7. OP metadata

If attachments are used in [OpenID] implementations, an additional element of OP Metadata is required to advertise its capabilities with respect to supported attachments in its openid-configuration (see [OpenID-Discovery]):

attachments_supported: Required when OP supports attachments. JSON array containing all attachment types supported by the OP. Possible values are external and embedded. When present, this array shall have at least one member. If omitted, the OP does not support attachments.

digest_algorithms_supported: Required when OP supports external attachments. JSON array containing all supported digest algorithms which can be used as alg property within the digest object of external attachments. If the OP supports external attachments, at least the algorithm sha-256 shall be supported by the OP as well. The list of possible digest/hash algorithm names is maintained by IANA in [hash_name_registry] (established by [RFC6920]).

This is an example openid-configuration snippet:

{
...
  "attachments_supported": [
    "external",
    "embedded"
  ],
    "digest_algorithms_supported": [
    "sha-256"
  ],
...
}

8. Examples

This section contains JSON snippets showing examples of evidences and attachments described in this document.

8.1. Example requests

This section shows examples of requests for verified_claims.

8.1.1. Verification of claims by trust framework with a document and attachments

{
  "userinfo": {
    "verified_claims": {
      "verification": {
        "trust_framework": {
          "value": "de_aml"
        },
        "evidence": [
          {
            "type": {
              "value": "document"
            },
            "method": {
              "value": "pipp"
            },
            "document_details": {
              "type": {
                "values": [
                  "idcard",
                  "passport"
                ]
              }
            },
            "attachments": null
          }
        ]
      },
      "claims": {
        "given_name": null,
        "family_name": null,
        "birthdate": null
      }
    }
  }
}
8.1.1.1. Attachments

RPs can explicitly request to receive attachments along with the verified claims:

{
  "userinfo": {
    "verified_claims": {
      "verification": {
        "trust_framework": null,
        "attachments": null
      },
      "claims": {
        "given_name": null,
        "family_name": null,
        "birthdate": null
      }
    }
  }
}

As with other claims, the attachment claim can be marked as essential in the request as well.

8.2. Example responses

This section shows examples of responses containing verified_claims.

Note: examples of embedded attachments contain truncated values.

8.2.1. Document with external attachments

{
  "verified_claims": {
    "verification": {
      "trust_framework": "de_aml",
      "time": "2012-04-23T18:25Z",
      "verification_process": "f24c6f-6d3f-4ec5-973e-b0d8506f3bc7",
      "evidence": [
        {
          "type": "document",
          "method": "pipp",
          "time": "2012-04-22T11:30Z",
          "document_details": {
            "type": "idcard",
            "issuer": {
              "name": "Stadt Augsburg",
              "country": "DE"
            },
            "document_number": "53554554",
            "date_of_issuance": "2010-03-23",
            "date_of_expiry": "2020-03-22"
          },
          "attachments": [
            {
              "desc": "Front of id document",
              "digest" : {
                "alg": "sha-256",
                "value": "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg="
              },
              "url": "https://example.com/attachments/pGL9yz4hZQ"
            },
            {
              "desc": "Back of id document",
              "digest" : {
                "alg": "sha-256",
                "value": "/WGgOvT3fYcPwh4F5+gGeAlcktgIz7O1wnnuBMdKyhM="
              },
              "url": "https://example.com/attachments/4Ag8IpOf95"
            }
          ]
        }
      ]
    },
    "claims": {
      "given_name": "Max",
      "family_name": "Meier",
      "birthdate": "1956-01-28",
      "place_of_birth": {
        "country": "DE",
        "locality": "Musterstadt"
      },
      "nationalities": [
        "DE"
      ],
      "address": {
        "locality": "Maxstadt",
        "postal_code": "12344",
        "country": "DE",
        "street_address": "An der Weide 22"
      }
    }
  }
}

8.2.2. Utility statement with attachments

{
  "verified_claims": {
    "verification": {
      "trust_framework": "de_aml",
      "time": "2012-04-23T18:25Z",
      "verification_process": "513645-e44b-4951-942c-7091cf7d891d",
      "evidence": [
        {
          "type": "document",
          "check_details": [
            {
              "check_method": "vpip"
            }
          ],
          "time": "2021-04-09T14:12Z",
          "document_details": {
            "type": "utility_statement",
            "date_of_issuance": "2013-01-31",
            "issuer": {
                "name": "Stadtwerke Musterstadt",
                "country": "DE",
                "region": "Niedersachsen",
                "street_address": "Energiestrasse 33"
            }
          },
          "attachments": [
            {
              "desc": "scan of bill",
              "content_type": "application/pdf",
              "content": "iVBORw0KGgoAAAANSUhEUgAAAAIAAAACCAYAAABytg0kAADSFsjdkhjwhAABJRU5ErkJggg=="
            }
          ]
        }
      ]
    },
    "claims": {
      "given_name": "Max",
      "family_name": "Meier",
      "birthdate": "1956-01-28",
      "place_of_birth": {
        "country": "DE",
        "locality": "Musterstadt"
      },
      "nationalities": [
        "DE"
      ],
      "address": {
        "locality": "Maxstadt",
        "postal_code": "12344",
        "country": "DE",
        "street_address": "An der Weide 22"
      }
    }
  }
}

8.2.3. Vouch with embedded attachments

{
  "verified_claims": {
    "verification": {
      "trust_framework": "uk_diatf",
      "assurance_level": "high",
      "assurance_process": {
          "policy": "gpg45",
          "procedure": "h1b"
      },
      "time": "2020-09-23T14:12Z",
      "verification_process": "99476DA2-ACDC-5N13-10WC-26B415B52",
      "evidence": [
        {
          "type": "vouch",
          "check_details": [
            {
              "check_method": "vpip"
            },
            {
              "check_method": "pvr"
            }
          ],
          "time": "2020-02-23T07:52Z",
          "attestation": {
            "type": "written_attestation",
            "reference_number": "6485-1619-3976-6671",
            "date_of_issuance": "2020-02-13",
            "voucher": {
                "given_name": "Peter",
                "family_name": "Crowe",
                "occupation": "Executive Principal",
                "organization": "Kristin School"
            }
          },
          "attachments": [
            {
              "desc": "scan of vouch",
              "content_type": "application/pdf",
              "content": "d16d2552e35582810e5a40e523716504525b6016ae96844ddc533163059b3067=="
            }
          ]
        }
      ]
    },
    "claims": {
      "given_name": "Megan",
      "family_name": "Howard",
      "birthdate": "2000-01-31",
      "place_of_birth": {
        "country": "NZL"
      },
      "address": {
        "locality": "Croydon",
        "country": "UK",
        "street_address": "69 Kidderminster Road"
      }
    }
  }
}

9. Normative References

[ISODIR2]
ISO/IEC, "ISO/IEC Directives, Part 2 - Principles and rules for the structure and drafting of ISO and IEC documents", <https://www.iso.org/sites/directives/current/part2/index.xhtml>.
[OpenID-Discovery]
Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID Connect Discovery 1.0 incorporating errata set 1", , <https://openid.net/specs/openid-connect-discovery-1_0.html>.
[OpenID-Registration]
Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1", , <https://openid.net/specs/openid-connect-registration-1_0.html>.
[RFC6750]
Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, , <https://www.rfc-editor.org/info/rfc6750>.
[RFC6838]
Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10.17487/RFC6838, , <https://www.rfc-editor.org/info/rfc6838>.
[RFC7519]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, , <https://www.rfc-editor.org/info/rfc7519>.
[hash_name_registry]
IANA, "Named Information Hash Algorithm Registry", , <https://www.iana.org/assignments/named-information/>.

10. Informative References

[OpenID]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 1", , <http://openid.net/specs/openid-connect-core-1_0.html>.
[OpenID4IDA]
Lodderstedt, T., Fett, D., Haine, M., Pulido, A., Lehmann, K., and K. Koiwai, "OpenID Connect for Identity Assurance 1.0", , <http://openid.net/specs/openid-connect-4-identity-assurance-1_0.html>.
[RFC2046]
Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, DOI 10.17487/RFC2046, , <https://www.rfc-editor.org/info/rfc2046>.
[RFC4648]
Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", , <https://datatracker.ietf.org/doc/html/rfc4648>.
[RFC5322]
Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, , <https://www.rfc-editor.org/info/rfc5322>.
[RFC6749]
Hardt, D., "The OAuth 2.0 Authorization Framework", , <https://datatracker.ietf.org/doc/html/rfc6749>.
[RFC6920]
Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., Keranen, A., and P. Hallam-Baker, "Naming Things with Hashes", RFC 6920, DOI 10.17487/RFC6920, , <https://www.rfc-editor.org/info/rfc6920>.
[RFC7592]
Richer, J., Ed., Jones, M., Bradley, J., and M. Machulak, "OAuth 2.0 Dynamic Client Registration Management Protocol", RFC 7592, DOI 10.17487/RFC7592, , <https://www.rfc-editor.org/info/rfc7592>.
[RFC8707]
Campbell, B., Bradley, J., and H. Tschofenig, "Resource Indicators for OAuth 2.0", RFC 8707, DOI 10.17487/RFC8707, , <https://www.rfc-editor.org/info/rfc8707>.

Appendix A. Acknowledgements

The following people at yes.com and partner companies contributed to the concept described in the initial contribution to this document: Karsten Buch, Lukas Stiebig, Sven Manz, Waldemar Zimpfer, Willi Wiedergold, Fabian Hoffmann, Daniel Keijsers, Ralf Wagner, Sebastian Ebling, Peter Eisenhofer.

We would like to thank Julian White, Bjorn Hjelm, Stephane Mouy, Alberto Pulido, Joseph Heenan, Vladimir Dzhuvinov, Azusa Kikuchi, Naohiro Fujie, Takahiko Kawasaki, Sebastian Ebling, Marcos Sanz, Tom Jones, Mike Pegman, Michael B. Jones, Jeff Lombardo, Taylor Ongaro, Peter Bainbridge-Clayton, Adrian Field, George Fletcher, Tim Cappalli, Michael Palage, Sascha Preibisch, Giuseppe De Marco, Nick Mothershaw, Hodari McClain, Nat Sakimura and Dima Postnikov for their valuable feedback and contributions that helped to evolve this document.

Appendix B. Notices

Copyright (c) 2024 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this document was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this document make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this document, and the entire risk as to implementing this document is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this document.

Appendix C. Document History

[[ To be removed from the final specification ]]

-00 (WG document)

Authors' Addresses

Torsten Lodderstedt
sprind.org
Daniel Fett
Authlete
Mark Haine
Considrd.Consulting Ltd
Alberto Pulido
Santander
Kai Lehmann
1&1 Mail & Media Development & Technology GmbH
Kosuke Koiwai
KDDI Corporation