
Master's Thesis Ilayda Cansin Koc

Last modified Jun 3

Abstract

Self-Sovereign Identity (SSI) is an identity management model that lets users decide what personal information to share with third-party services. Unlike classical identity management models (e.g., centralized and federated identity), it puts the user in control of which data is shared with third parties, and so helps to overcome the shortcomings of those models: remembering a username and password for every website, or allowing an Identity Provider to monitor, process, and share the user's activity, makes the traditional approaches inconvenient and unreliable. A login leveraging SSI therefore looks encouraging.

OpenID Connect (OIDC) is an interoperable identity layer built on the OAuth 2.0 authorization protocol, and it enables secure user authentication. Because OIDC continues to serve as the standard for traditional identity and access management systems, it is also emerging as the vehicle for authenticating users with verifiable credentials. OpenID Connect for Verifiable Credentials (OID4VC), an extension to OIDC, is designed to facilitate the implementation of such a system. OID4VC consists of five specifications, two of which are relevant for an SSI-based login system: OpenID Connect for Verifiable Presentations (OID4VP) and Self-Issued OpenID Provider (SIOPv2). Combining OID4VP and SIOPv2 yields an SSI-to-OIDC bridge that fills the gap in SSI-based logins.

The bridge is sufficient for a simple login but has limitations once a specific resource must be accessed after the login flow. Currently, after the initial login and authentication, OIDC does not support incremental authorization, i.e. presenting further verifiable credentials to gain access to a resource.
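The combined SIOPv2/OID4VP exchange that the bridge relies on, shown as an added illustrative simulation rather than the thesis's code or a conforming implementation. The request and response parameter names (response_type "id_token vp_token", nonce, presentation_definition, vp_token) follow the two specifications; the DIDs, keys and credential contents are constructed, and HMAC tags stand in for signatures made with the keys behind a DID (an assumption made to keep the example offline):

```python
"""Simulation of an SSI-to-OIDC bridge login: one relying-party request that
combines SIOPv2 (self-issued id_token) and OID4VP (vp_token), the wallet's
answer, and the relying party's checks. Added example, not the thesis's code;
HMAC tags stand in for DID-based signatures (assumption)."""
import hashlib, hmac, json, secrets

# Constructed sample identifiers and keys, not real DIDs or key material.
HOLDER_DID = "did:example:holder123"
HOLDER_KEY = b"holder-key-constructed"
ISSUER_KEY = b"issuer-key-constructed"
CLIENT_ID = "https://rp.example/callback"

def sign(obj, key):
    """Tag over canonical JSON; placeholder for a signature with the DID's key."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify_sig(obj, sig, key):
    return hmac.compare_digest(sign(obj, key), sig)

def issue(credential_type, subject_did):
    """Issuer side: a credential whose tag the relying party can check."""
    claims = {"type": credential_type, "credentialSubject": {"id": subject_did}}
    return {"claims": claims, "sig": sign(claims, ISSUER_KEY)}

class RelyingParty:
    """OIDC side of the bridge: issues requests, verifies id_token + vp_token."""
    def __init__(self, client_id):
        self.client_id = client_id
        self.pending = {}   # nonce -> credential type requested for this login

    def create_request(self, credential_type):
        nonce = secrets.token_hex(8)
        self.pending[nonce] = credential_type
        # response_type "id_token vp_token" asks for the SIOPv2 and OID4VP artifacts together
        return {"response_type": "id_token vp_token", "scope": "openid",
                "client_id": self.client_id, "nonce": nonce,
                "presentation_definition": {"id": "login", "input_descriptors": [
                    {"id": credential_type, "constraints": {"fields": [
                        {"path": ["$.type"], "filter": {"const": credential_type}}]}}]}}

    def handle_response(self, response):
        claims = response["id_token"]["claims"]
        nonce = claims.get("nonce")
        if nonce not in self.pending:
            return False, "unknown or already used nonce"
        required = self.pending.pop(nonce)  # single use: a replayed response fails here
        # SIOPv2 checks: self-issued (iss == sub), addressed to us, signed by the holder
        if claims["iss"] != claims["sub"] or claims["aud"] != self.client_id:
            return False, "id_token is not self-issued for this client"
        if not verify_sig(claims, response["id_token"]["sig"], HOLDER_KEY):
            return False, "bad id_token signature"
        # OID4VP checks: presentation bound to this nonce and to the same holder
        pres = response["vp_token"]["presentation"]
        if pres["nonce"] != nonce or pres["holder"] != claims["sub"]:
            return False, "presentation not bound to this login"
        if not verify_sig(pres, response["vp_token"]["sig"], HOLDER_KEY):
            return False, "bad presentation signature"
        cred = pres["verifiableCredential"]
        if not verify_sig(cred["claims"], cred["sig"], ISSUER_KEY):
            return False, "bad credential signature"
        if (cred["claims"]["type"] != required
                or cred["claims"]["credentialSubject"]["id"] != claims["sub"]):
            return False, "credential does not satisfy the presentation_definition"
        return True, claims["sub"]

class Wallet:
    """Holder side: answers the combined request from the credentials it holds."""
    def __init__(self, did, key, credentials):
        self.did, self.key, self.credentials = did, key, credentials

    def respond(self, request):
        wanted = request["presentation_definition"]["input_descriptors"][0]["id"]
        cred = next((c for c in self.credentials if c["claims"]["type"] == wanted), None)
        if cred is None:
            raise LookupError(f"no credential of type {wanted}")
        claims = {"iss": self.did, "sub": self.did, "aud": request["client_id"],
                  "nonce": request["nonce"]}
        pres = {"holder": self.did, "nonce": request["nonce"], "verifiableCredential": cred}
        return {"id_token": {"claims": claims, "sig": sign(claims, self.key)},
                "vp_token": {"presentation": pres, "sig": sign(pres, self.key)}}

def run_login(credential_type, replay=False):
    """One bridge login; with replay=True the same response is submitted twice."""
    rp = RelyingParty(CLIENT_ID)
    wallet = Wallet(HOLDER_DID, HOLDER_KEY, [issue("StudentCredential", HOLDER_DID)])
    try:
        response = wallet.respond(rp.create_request(credential_type))
    except LookupError as exc:
        return False, str(exc)
    result = rp.handle_response(response)
    return rp.handle_response(response) if replay else result
```

The relying party's checks tie the three artifacts together: the id_token proves control of the DID, the presentation is bound to the login nonce and to that same DID, and the credential inside it must carry the issuer's tag and name that DID as its subject. Each nonce is consumed once, so a further credential request after login would need a second request of the same shape, which is exactly the gap the thesis describes.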

The thesis proposes solutions for enabling incremental authorization in SSI-based logins on top of the SSI-to-OIDC bridge. Several approaches are conceivable, such as establishing a wallet connection using the DIDComm protocol or building a software module that requests additional verifiable credentials through the OIDC bridge's existing functionality. First, a comprehensive study will identify and compare the candidate strategies; the most suitable one will then be implemented. This work will deliver practical insights and implementation details to researchers and software engineers.

 

Research Questions:

1. What are established ways of requesting and receiving on-demand authorization data from users?

2. Which stakeholders are involved in an on-demand authorization?

3. What aspects can be used to characterize an on-demand authorization procedure?

4. How can incremental authorization work on top of an OIDC sign-in that uses Verifiable Credentials as its ground truth?



Files and Subpages

Ilayda Cansin Koc - Kick-off Presentation.pdf (1016 KB, last modified 23.04.2024)