A Universal System for OpenID Connect Sign-ins with Verifiable Credentials and Cross-Device Flow

Felix Hoops, Florian Matthes

TL;DR

This work tackles the challenge of integrating Self-Sovereign Identity with established IAM systems by delivering a simple, open-source SSI-to-OIDC bridge that enables SSI-based sign-ins for OIDC/OAuth 2.0 services. The architecture nests two OIDC Providers and translates Verifiable Credential-based evidence into standard OIDC tokens, enabling cross-device sign-ins via smartphone wallets and policy-driven claim processing. It defines a policy-driven workflow, a Presentation Exchange-based flow, and a set of conceptual components (Issuer/RP separation, Presentation Definition Generator, VC Verifier, Policy Compliance, and Claim Processor), and implements a working prototype tested with existing software (Hydra) and wallets (e.g., Altme). The study demonstrates feasibility, identifies practical deployment considerations, and outlines remaining gaps—most notably VC-type standardization and ecosystem interoperability—that must be addressed for broader adoption.

Abstract

Self-Sovereign Identity (SSI), as a new and promising identity management paradigm, needs mechanisms that can ease a gradual transition of existing services and developers towards it. Systems that bridge the gap between SSI and established identity and access management have been proposed but still lack adoption. We argue that they are all some combination of too complex, locked into specific ecosystems, have no source code available, or are not sufficiently documented. We propose a comparatively simple system that enables SSI-based sign-ins for services that support the widespread OpenID Connect or OAuth 2.0 protocols. Its handling of claims is highly configurable through a single policy and designed for cross-device authentication flows involving a smartphone identity wallet. For external interfaces, we solely rely on open standards, such as the recent OpenID for Verifiable Credentials standards. We provide our implementation as open-source software intended for prototyping and as a reference. Also, we contribute a detailed technical discussion of our particular sign-in flow. To prove its feasibility, we have successfully tested it with existing software and realistic hardware.

Paper Structure (29 sections, 8 figures)

This paper contains 29 sections, 8 figures.

Figures (8)

  • Figure 1: A component diagram of the SSI-to-OIDC Bridge's conceptual components and its interfaces.
  • Figure 2: An example of a login policy for a service depending on the user's email address.
  • Figure 3: A simplified sign-in procedure using the authorization code flow with our bridge. At the start of the presented sequence, we assume that the user has accessed the web page provided by the OIDC client.
  • Figure 4: QR code contents for starting a credential exchange process with a wallet via SIOPv2 and OID4VP.
  • Figure 5: The credentialSubject key in an Altme Proof of email VC with shortened id field.
  • ...and 3 more figures