interID -- An Ecosystem-agnostic Verifier-as-a-Service with OpenID Connect Bridge
Hakan Yildiz, Axel Küpper
TL;DR
The paper tackles the fragmentation barrier in Self-Sovereign Identity by introducing an OpenID Connect bridge layered over the ecosystem-agnostic interID platform. It delivers a multi-tenant SaaS solution, leveraging Keycloak for identity and access management, and introduces scope-to-proof-template mappings to translate OIDC scopes into ecosystem-specific verification requests. The approach achieves PKCE-enabled, standardized authentication with ID Tokens containing verified credential attributes, while providing adapters for Aries/Indy, EBSI, and EUDI verifiers. A rigorous threat model extends RFC 6819 to SSI-specific and multi-tenant attack vectors, supported by a production-oriented implementation and a reference RP example that demonstrates near-OSS-like integration effort. The work aims to accelerate mainstream SSI adoption by aligning SSI authentication with familiar OIDC workflows, reducing integration costs, and enabling regulatory compliance through configuration rather than bespoke development.
Abstract
Self-Sovereign Identity (SSI) enables user-controlled, cryptographically verifiable credentials. As EU regulations mandate EUDI Wallet acceptance by 2027, SSI adoption becomes a compliance necessity. However, each SSI Verifier exposes different APIs with distinct request parameters, response formats, and claim structures, requiring custom wrappers and dedicated infrastructure, contrasting with OpenID Connect (OIDC) where standardized protocols enable seamless integration. interID is an ecosystem-agnostic platform unifying credential verification across Hyperledger Aries/Indy, EBSI, and EUDI ecosystems. We extend interID with an OIDC bridge providing Verifier-as-a-Service, enabling SSI verification through standard OIDC flows. Organizations receive ID Tokens with verified credential attributes without implementing Verifier-specific logic or deploying infrastructure. The multi-tenant architecture leverages Keycloak with strict tenant isolation. Key innovations include PKCE support, scope-to-proof-template mappings translating OIDC scopes into ecosystem-specific verification requests, and a security analysis identifying novel attack surfaces at the intersection of OIDC, SSI, and multi-tenant architectures, threats covered by neither RFC 6819 nor existing SSI analyses alone. Our evaluation demonstrates security equivalence to production identity providers through threat modeling identifying 11 attack vectors, including seven beyond RFC 6819's scope. Integration analysis shows organizations can adopt SSI authentication with comparable effort to adding traditional federated providers. By combining familiar OIDC patterns with SaaS deployment, our work lowers integration and operational barriers, enabling regulatory compliance through configuration rather than custom development.