OpenID4VCI/OpenID4VP: gaps, deltas and improvement notes vs eidas-it-wallet-docs #530
OpenID4VCI and OpenID4VP Implementation Gaps vs eIDAS IT-Wallet Specification
Branch: dev
Spec reference: eid-it-wallet-docs
This issue documents gaps, deltas, and improvement notes between the OpenID4VCI (Credential Issuance) and OpenID4VP (Credential Presentation) implementations in this repository and the specifications defined in eidas-it-wallet-docs (Italian eID Wallet Technical Specification).
Summary
| Area | Status | Notes |
|---|---|---|
| OpenID4VCI | Partial compliance | Core flow supported; several MAY/SHOULD features missing |
| OpenID4VP (Remote) | Partial compliance | DCQL flow implemented; revocation check and some HAIP aspects pending |
| OpenID4VP (Proximity) | Out of scope | ISO 18013-5 proximity (QR/NFC/BLE) is wallet/client-side; SATOSA is server-side |
OpenID4VCI (Credential Issuance)
Gaps and deltas
| Feature | Spec requirement | Implementation status | Notes |
|---|---|---|---|
| Deferred Credential Endpoint | MAY (Section 4); SHOULD for delayed issuance | Code exists but disabled in default config | deferred_credential endpoint commented out in openid4vci_frontend.yaml; base_credential_endpoint.py has # todo: manage deferred |
| Notification Endpoint | REQUIRED for wallet-to-issuer feedback (Section 11) | Code exists but disabled in default config | notification endpoint commented out |
| Revocation Endpoint | Exposed in metadata; spec references OpenID4VCI revocation | Not implemented | Metadata advertises /revoke; no handler exists |
| Batch Credential Issuance | MAY (Section 4); batch_credential_issuance, batch_size | Not implemented | No proofs array support; single credential only |
| Refresh Token flow | RECOMMENDED for deferred/re-issuance | Implemented | DPoP-bound RT; RT flow for token refresh works |
| Re-Issuance Flow | MAY; status list 0x03 UPDATE / 0x0B ATTRIBUTE_UPDATE | Not implemented | No automatic re-issuance based on status list |
| code_verifier length | 43–128 chars (RFC 7636) | Not explicitly validated | Consider adding validation |
| request_uri entropy | 128 bits min, ≤512 ASCII chars | Not explicitly enforced | Could add validation |
| PAR OAuth-Client-Attestation-PoP | MUST validate per OAUTH-ATTESTATION-CLIENT-AUTH | Implemented when wallet_attestation_required=true | ✓ |
| DPoP at credential endpoint | MUST when dpop_required | Implemented | ✓ |
| key_attestation in proof | MUST verify WUA when present (Step 16) | Implemented via _verify_key_attestation | ✓ |
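The two "Not explicitly validated / enforced" rows above (code_verifier length, request_uri entropy and length) are cheap to close. The following is an added example written for this issue, not code from the repository: it implements the RFC 7636 code_verifier check (43 to 128 unreserved characters) with S256 challenge comparison, and the request_uri side as two halves, generation with 128 bits of randomness at the PAR endpoint and a syntactic check on receipt. The RFC 9126 `urn:ietf:params:oauth:request_uri:` prefix, the decision to accept only the S256 method, and applying the 512-character limit to the whole URI are assumptions.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: a code_verifier is 43..128 characters drawn from the
# unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
CODE_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# Limits quoted in the issue for request_uri: at least 128 bits of randomness,
# at most 512 ASCII characters (assumed here to apply to the whole URI).
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # RFC 9126 URN prefix (assumption)
REQUEST_URI_MAX_LEN = 512
REQUEST_URI_MIN_BITS = 128


def is_valid_code_verifier(verifier) -> bool:
    """Length and charset check from RFC 7636, nothing else."""
    return isinstance(verifier, str) and CODE_VERIFIER_RE.fullmatch(verifier) is not None


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(verifier, stored_challenge, method: str = "S256") -> bool:
    """Token-endpoint side: reject malformed verifiers before hashing and compare
    in constant time. Only S256 is accepted (assumption: 'plain' is never allowed)."""
    if method != "S256" or not is_valid_code_verifier(verifier):
        return False
    if not isinstance(stored_challenge, str) or not stored_challenge.isascii():
        return False
    return secrets.compare_digest(s256_challenge(verifier), stored_challenge)


def new_request_uri() -> str:
    """PAR endpoint side: 16 random bytes = 128 bits, base64url -> 22 characters."""
    return REQUEST_URI_PREFIX + secrets.token_urlsafe(16)


def is_well_formed_request_uri(value) -> bool:
    """Authorization-endpoint side. The entropy of a received value cannot be
    measured; what can be enforced is that the token part is long enough to carry
    128 bits of base64url data (6 bits per character), that the whole value is
    ASCII and within the length limit, and that it carries our own prefix. The
    caller must still look the value up in the PAR store before trusting it."""
    if not isinstance(value, str) or not value.isascii():
        return False
    if len(value) > REQUEST_URI_MAX_LEN or not value.startswith(REQUEST_URI_PREFIX):
        return False
    token = value[len(REQUEST_URI_PREFIX):]
    if re.fullmatch(r"[A-Za-z0-9_-]+", token) is None:
        return False
    return len(token) * 6 >= REQUEST_URI_MIN_BITS
```

The code_verifier check runs before hashing so that an oversized or non-ASCII verifier is rejected with `invalid_grant` rather than reaching the digest; the request_uri check is a precondition for the store lookup, not a replacement for it.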
OpenID4VP (Credential Presentation – Remote Flow)
Gaps and deltas
| Feature | Spec requirement | Implementation status | Notes |
|---|---|---|---|
| Credential revocation check | MUST verify revocation (remote-flow.rst) | TODO | vp.py: check_revocation() empty; vp_sd_jwt_vc.py: # TODO: implement revocation check |
| Status list verification | For mdoc: SHOULD check revocation via status list | Implemented for mdoc | vp_mdoc_cbor.py uses StatusListTokenHelper |
| SD-JWT revocation | Same for SD-JWT VC | Not implemented | vp_sd_jwt_vc.py has TODO |
| request_uri mix-up | request_uri MUST be from attested request_uris | Verify against trust chain | Implementation should align with WP_081 |
| response_uri mix-up | response_uri MUST be from attested response_uris | Verify against trust chain | Implementation should align with WP_091a |
| transaction_data | Optional; binding for high-sensitivity use cases | Unclear | Check if transaction_data / transaction_data_hashes supported |
| Wallet metadata POST | When request_uri_method=post | Implemented in request endpoint | ✓ |
| Error responses | Standard error codes per spec | Implemented | ✓ |
Improvements
- Implement SD-JWT VC revocation (status list / other mechanisms) in vp_sd_jwt_vc.py.
- Ensure request_uri and response_uri are validated against attested metadata from the trust chain.
- Document and test transaction_data support if present.
- Complete revocation checks in the shared vp.py / parsers.
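For the first and last improvement items (SD-JWT VC revocation via status list, and the empty `check_revocation()` in vp.py), the following is an added example, not code from this repository or from StatusListTokenHelper: it packs and reads a Token Status List byte array (statuses LSB-first within each byte, zlib-compressed, base64url) and shows the verifier-side decision for a presented SD-JWT VC. The status values 0x00 VALID, 0x01 INVALID and 0x02 SUSPENDED follow the OAuth Token Status List draft; 0x03 UPDATE and 0x0B ATTRIBUTE_UPDATE are the values this issue cites from the IT-Wallet spec. Assumptions: the Status List Token has already been fetched and its signature verified, its `sub` is the list URI, and any status other than VALID rejects the presentation. The sample list is constructed inline.

```python
import base64
import zlib

# 0x00-0x02 are from the Token Status List draft; 0x03 and 0x0B are the values
# the issue cites for the IT-Wallet re-issuance flow.
STATUS_NAMES = {0x00: "VALID", 0x01: "INVALID", 0x02: "SUSPENDED",
                0x03: "UPDATE", 0x0B: "ATTRIBUTE_UPDATE"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def encode_status_list(statuses, bits: int) -> dict:
    """Issuer side: pack statuses LSB-first into bytes, zlib-compress, base64url.
    Included only so the example can construct its own sample data."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    mask = (1 << bits) - 1
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, st in enumerate(statuses):
        if st & ~mask:
            raise ValueError(f"status {st:#x} does not fit in {bits} bits")
        raw[idx // per_byte] |= st << ((idx % per_byte) * bits)
    return {"bits": bits, "lst": b64url_encode(zlib.compress(bytes(raw), 9))}


def decode_status_bytes(status_list: dict) -> bytes:
    return zlib.decompress(b64url_decode(status_list["lst"]))


def read_status(status_list: dict, idx: int) -> int:
    """Extract the `bits`-wide status at position idx (LSB-first within a byte)."""
    bits = status_list["bits"]
    raw = decode_status_bytes(status_list)
    per_byte = 8 // bits
    byte_idx, slot = divmod(idx, per_byte)
    if idx < 0 or byte_idx >= len(raw):
        raise IndexError(f"index {idx} outside a list of {len(raw) * per_byte} entries")
    return (raw[byte_idx] >> (slot * bits)) & ((1 << bits) - 1)


def check_credential_status(status_claim: dict, status_list_token_payload: dict):
    """Verifier side. status_claim is the 'status' claim of the presented SD-JWT VC;
    status_list_token_payload is the already fetched and signature-verified Status
    List Token payload. Returns (accept, status_name)."""
    ref = status_claim["status_list"]
    if ref["uri"] != status_list_token_payload.get("sub"):
        return False, "status list token 'sub' does not match the referenced uri"
    value = read_status(status_list_token_payload["status_list"], ref["idx"])
    name = STATUS_NAMES.get(value, f"unknown({value:#x})")
    # Assumption: only VALID is presentable; UPDATE / ATTRIBUTE_UPDATE are reported
    # by name so the caller can trigger re-issuance instead of a plain rejection.
    return value == 0x00, name


# Constructed sample: 8-bit entries, index 3 revoked, index 7 flagged
# ATTRIBUTE_UPDATE, everything else valid.
SAMPLE_URI = "https://issuer.example/status/1"
SAMPLE_TOKEN_PAYLOAD = {
    "sub": SAMPLE_URI,
    "iat": 1700000000,
    "status_list": encode_status_list([0, 0, 0, 1, 0, 0, 0, 0x0B, 0, 0], 8),
}


def sample_claim(idx: int, uri: str = SAMPLE_URI) -> dict:
    """The 'status' claim as it would appear in the presented SD-JWT VC."""
    return {"status_list": {"idx": idx, "uri": uri}}
```

The `sub` comparison is the guard against a wallet pointing the verifier at a different (still validly signed) list than the one the credential references; an index outside the list is an error, not an implicit VALID.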
OpenID4VP (Proximity Flow)
Scope note
Because this codebase (SATOSA) is server-side, proximity-specific behaviors (QR, NFC, BLE, DeviceEngagement, SessionEstablishment, SessionData) are out of scope for it. They belong in wallet/client and verifier device implementations.
Relevant for server-side
- mdoc format – Supported in remote OpenID4VP; SessionTranscript checks apply to remote flow only.
References