OIDC Authorisation endpoint

GET /conformance/v3/auth-mock/authorize

After discovery, the client initiates the Verifiable Credential Issuance flow by requesting access to the required credential from the Authorisation Server. The Authorisation Request Object must be signed with the private key of the client associated with the client_id. The client's public key must be accessible via the jwks_uri parameter in the client's openid-configuration.

Request

Query Parameters

scope stringrequired

REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified.

Examples:

openid

OpenID

Example: openid

response_type stringrequired

REQUIRED. OAuth 2.0 Response Type value that determines the authorisation processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorisation Code Flow, this value is code.

MUST be 'code'

Example: code

client_id URLrequired

OAuth 2.0 Client Identifier valid at the Authorisation Server.

Verifiable Accreditation Issuance: MUST be URL of the issuer requesting the accreditation that was registered with the Accreditation Issuer

Examples:

accreditationIssuance

Accreditation or VC Issuance to Server/Cloud Wallet

Example: https://my-issuer.eu/suffix/xyz

redirect_uri stringrequired

REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.

Example: https://my-issuer.eu/suffix/xyz/code-cb

state string

RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

Example: 32f6e80d-bc60-4261-a1c0-c6fe0b15bd9f

nonce string

OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID or VP Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.

Example: n-0S6_WzA2Mj

request ^(([A-Za-z0-9\-_])+\.)([A-Za-z0-9\-_]+)(\.([A-Za-z0-9\-_]+))?$

Only for Service Wallets. Authorisation Request Object - The Request Object must be signed with the client's private keys, owned by the requesting client_id. The used private key's public key must be discoverable through client's openid-configuration through jwks_uri parameter.

See the Authorisation Request Object schema.

Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6Im1jX0pXbHc3ZTZjUnM5NFhTUXMxWGEyeWh3U1FQMm1XellCZ1NRY2lSOTAifQ.eyJzY29wZSI6Im9wZW5pZCIsImNsaWVudF9pZCI6Imh0dHBzOi8vY29uZm9ybWFuY2UtdGVzdC5lYnNpLmV1L2NvbmZvcm1hbmNlL3YzL2NsaWVudC1tb2NrL2RpZDplYnNpOnpnQU1Ya1oyZk00SnNSU2l4alY2QkpoIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9jb25mb3JtYW5jZS10ZXN0LmVic2kuZXUvY29uZm9ybWFuY2UvdjMvY2xpZW50LW1vY2svZGlkOmVic2k6emdBTVhrWjJmTTRKc1JTaXhqVjZCSmgvY29kZS1jYiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwic3RhdGUiOiI0MGQzYzZmNS0wMTY0LTQ3OTctOTg5ZS1kNWY4ZTg2YTAxMmYiLCJjbGllbnRfbWV0YWRhdGEiOnsiandrc191cmkiOiJodHRwczovL2NvbmZvcm1hbmNlLXRlc3QuZWJzaS5ldS9jb25mb3JtYW5jZS92My9jbGllbnQtbW9jay9kaWQ6ZWJzaTp6Z0FNWGtaMmZNNEpzUlNpeGpWNkJKaC9qd2tzIiwiYXV0aG9yaXphdGlvbl9lbmRwb2ludCI6Imh0dHBzOi8vY29uZm9ybWFuY2UtdGVzdC5lYnNpLmV1L2NvbmZvcm1hbmNlL3YzL2NsaWVudC1tb2NrL2RpZDplYnNpOnpnQU1Ya1oyZk00SnNSU2l4alY2QkpoL2F1dGhvcml6ZSJ9LCJhdXRob3JpemF0aW9uX2RldGFpbHMiOlt7InR5cGUiOiJvcGVuaWRfY3JlZGVudGlhbCIsImZvcm1hdCI6Imp3dF92YyIsImxvY2F0aW9ucyI6WyJodHRwczovL2NvbmZvcm1hbmNlLXRlc3QuZWJzaS5ldS9jb25mb3JtYW5jZS92My9pc3N1ZXItbW9jayJdLCJ0eXBlcyI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlZlcmlmaWFibGVBdHRlc3RhdGlvbiIsIlZlcmlmaWFibGVBdXRob3Jpc2F0aW9uVG9PbmJvYXJkIl19XSwiYXVkIjoiaHR0cHM6Ly9jb25mb3JtYW5jZS10ZXN0LmVic2kuZXUvY29uZm9ybWFuY2UvdjMvYXV0aC1tb2NrIiwiaXNzIjoiaHR0cHM6Ly9jb25mb3JtYW5jZS10ZXN0LmVic2kuZXUvY29uZm9ybWFuY2UvdjMvY2xpZW50LW1vY2svZGlkOmVic2k6emdBTVhrWjJmTTRKc1JTaXhqVjZCSmgifQ.bdBxZTbo5_THLdcLndNVf3ZGSBDTKqGnyK-E14Ah94lqjIk16DjSGNvibSaoGFeNGGknXttEvoZUSiEMh5ke7A

authorization_details string

Only for Holder Wallets. OID authorisation details data model.

Note:

authorization_details

must be a stringified JSON array.

See "OID4VCI Authorisation Details" schema for more information.

Example: [{"type":"openid_credential","format":"jwt_vc","locations":["http://localhost:3000/conformance/v3/issuer-mock"],"types":["VerifiableCredential","VerifiableAttestation","CTWalletCrossAuthorisedInTime"]}]

client_metadata string

Only for Holder Wallets. Client Metadata including a link to an

authorization_endpoint

(optional).

Note:

client_metadata

must a stringified JSON object.

See "Client Metadata" schema for more information.

Example: {"authorization_endpoint":"openid:"}

issuer_state string

REQUIRED if Credential Offering contained

issuer_state

Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6Ink2UTFUTWN4am4zU1ZDT0dNUm9mZHA0M1owU0tGMVROSTkwcG5CWldSZkkifQ.eyJjbGllbnRfaWQiOiJkaWQ6a2V5OnoyZG16RDgxY2dQeDhWa2k3SmJ1dU1tRllyV1BnWW95dHlrVVozZXlxaHQxajlLYnB0SnZwaHdHaXh6azJiM1l4ZnNxRzZwRFNYTFhia0g1Y01HYjhBZDFWSkp5ZWkxWWhEQjRDb2RNNW5DaDJxUGU4TFhNQVU2OWdjdTZmUmI2TExvYmQxRmZjOXdSQlU0NXBIWWNKUUVnamg4blZVdmR3NUhqWGgzNEJ3NUpQNzR0N1ciLCJjcmVkZW50aWFsX3R5cGVzIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiQ1RXYWxsZXRDcm9zc0luVGltZSJdLCJpYXQiOjE2ODI0OTY3MTIsImV4cCI6MTY4MjQ5NzAxMiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwL2NvbmZvcm1hbmNlL3YzL2lzc3Vlci1tb2NrIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwL2NvbmZvcm1hbmNlL3YzL2F1dGgtbW9jayIsInN1YiI6ImRpZDprZXk6ejJkbXpEODFjZ1B4OFZraTdKYnV1TW1GWXJXUGdZb3l0eWtVWjNleXFodDFqOUticHRKdnBod0dpeHprMmIzWXhmc3FHNnBEU1hMWGJrSDVjTUdiOEFkMVZKSnllaTFZaERCNENvZE01bkNoMnFQZThMWE1BVTY5Z2N1NmZSYjZMTG9iZDFGZmM5d1JCVTQ1cEhZY0pRRWdqaDhuVlV2ZHc1SGpYaDM0Qnc1SlA3NHQ3VyJ9.QzNioxnUbdxhdnYoAzNiati7-Lg5Kkg0mEAf1OHRvXyjxn1Z-_kuvcVdOmIpsF_o55l4NMy2hmz5yLIFs9zVEA

code_challenge string

Only for Holder Wallets. In format of

BASE64URL-ENCODE(SHA256(code_verifier as UTF-8 string))

code_verifier

is client generated secure random, which will be used with token endpoint. It is between 43 and 128 characters long, and contains characters A-Z, a-z, 0-9, hyphen, period, underscore, and tilde. Please see RFC 7636

Example: yKZeDTMFPu8YSwqdlIVkQBifcwmtUgnqzjP-hvV0qdI

code_challenge_method string

Only for Holder Wallets. MUST be "S256".

Example: S256

Responses

Authorisation Server responds with one of the three responses:

ID Token Request
VP Token Request
Error codes for authorisation endpoint

All responses are in the "Location" header parameter and are application/x-www-form-urlencoded

Response Headers

Location string
application/x-www-form-urlencoded ID Token Request

Authorisation Endpoint Error

application/problem+json

Schema
invalidRedirectURI

Schema

type uri

Default value: about:blank

An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type.

title string

A short summary of the problem type.

status int32

Possible values: >= 400 and <= 600

The HTTP status code generated by the origin server for this occurrence of the problem.

detail string

A human readable explanation specific to this occurrence of the problem.

instance uri

An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.

{
  "detail": "[\"redirect_uri must be a URL address\"]",
  "status": 400,
  "title": "Bad Request",
  "type": "about:blank"
}

Internal Error

application/problem+json

Schema
Internal Server Error