How to configure discovery metadata

Context

This document provides essential information for configuring Credential Issuer Metadata, Authorisation Server Metadata and Organisational and Holder Wallet Metadata. Its purpose is to guide Wallet Providers through the configuration of the metadata types needed for digital wallets to function properly within the ecosystem.

This configuration is applicable to different types of wallets, including Organisational Wallets and Holder Wallets. Each type has specific metadata requirements that must be met to ensure compliance and functionality.

Introduction

Discovery metadata refers to the information that helps different entities (like credential issuers, holders, and verifiers) discover and interact with each other in a standardized way. Proper configuration of discovery metadata is crucial for ensuring interoperability, security, and seamless operation of digital wallets. It enables Wallet Providers to correctly issue, authorize, and manage credentials.

(Sequence diagram: the steps involved in retrieving discovery metadata for both Organisational and Holder Wallets.)

Organisational Wallets

Organisational Wallets are digital wallets managed by organizations to issue and manage credentials. These wallets are affected by the configuration of:

  • Credential Issuer Metadata
  • Authorisation Server Metadata
  • Service Wallet Metadata

The Server-based Client's Entity Identifiers must always be in the format of an HTTPS URL. The metadata can be retrieved by concatenating the Entity Identifier client_id with /.well-known/x-y-z. Ensure any terminating / is removed before concatenation.

Credential Issuer Metadata

Configuration location: /.well-known/openid-credential-issuer

This location is the standard OpenID Connect URL path at which the metadata is published.

Visit the OpenID for Verifiable Credential Issuance specification for further details on Credential Issuer Metadata.

Field | Requirement | Notes
authorization_server | OPTIONAL | Identifier of the OAuth 2.0 Authorisation Server (as defined in RFC 8414) the Credential Issuer relies on for authorisation. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorisation Server metadata as per RFC 8414.
credential_issuer | REQUIRED | The Credential Issuer's identifier.
credential_endpoint | REQUIRED | URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.
deferred_credential_endpoint | REQUIRED | URL of the Credential Issuer's Deferred Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.
display | OPTIONAL | A JSON array containing a list of JSON objects, each of them representing display properties of a Credential Issuer for a certain language.
display[].name | OPTIONAL | String value of a display name for the Credential Issuer.
display[].locale | OPTIONAL | String value that identifies the language of this object, represented as a language tag taken from values defined in BCP47 (RFC 5646). There MUST be only one object with the same language identifier.
credentials_supported | REQUIRED | A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue.
credentials_supported[].format | REQUIRED | A JSON string identifying the format of this credential, e.g. jwt_vc.
credentials_supported[].types | REQUIRED | A JSON array designating the types a certain credential type supports according to VC_DATA, Section 4.3.
credentials_supported[].trust_framework | OPTIONAL | A JSON object defining the Trust Framework details.
credentials_supported[].trust_framework.name | REQUIRED | A JSON string defining the Trust Framework name the credential will be issued under.
credentials_supported[].trust_framework.type | REQUIRED | A JSON string designating the behaviour and properties bound to the type. Types may include extra properties.
credentials_supported[].trust_framework.uri | OPTIONAL | A JSON string, applicable when type has the value Accreditation, pointing towards the Verifiable Accreditation that is the basis for issuing the Verifiable Credential.
credentials_supported[].display | OPTIONAL | A JSON array of objects, where each object contains display properties of a certain claim in the Credential for a certain language.
credentials_supported[].display[].name | OPTIONAL | A JSON string value of a display name for the claim.
credentials_supported[].display[].locale | OPTIONAL | String value that identifies the language of this object, represented as a language tag taken from values defined in BCP47 (RFC 5646). There MUST be only one object with the same language identifier.

Example Credential Issuer Metadata

{
  "authorization_server": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock",
  "credential_issuer": "https://api-conformance.ebsi.eu/conformance/v3/issuer-mock",
  "credential_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/issuer-mock/credential",
  "deferred_credential_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/issuer-mock/deferred_credential",
  "credentials_supported": [
    {
      "format": "jwt_vc",
      "types": [
        "VerifiableCredential",
        "VerifiableAttestation",
        "VerifiableAuthorisationToOnboard"
      ],
      "trust_framework": {
        "name": "ebsi",
        "type": "Accreditation",
        "uri": "TIR link towards accreditation"
      },
      "display": [
        {
          "name": "Verifiable Authorisation to onboard",
          "locale": "en-GB"
        }
      ]
    },
    {
      "format": "jwt_vc",
      "types": [
        "VerifiableCredential",
        "VerifiableAttestation",
        "VerifiableAccreditation",
        "VerifiableAccreditationToAttest"
      ],
      "trust_framework": {
        "name": "ebsi",
        "type": "Accreditation",
        "uri": "TIR link towards accreditation"
      },
      "display": [
        {
          "name": "Verifiable Accreditation to attest",
          "locale": "en-GB"
        }
      ]
    }
  ]
}
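The retrieval rule above (strip any terminating "/" from the HTTPS Entity Identifier, then append the /.well-known/ path), the REQUIRED fields and https-scheme rules of the table, and the authorization_server fallback can be checked in a few functions. This is an added example, not code from the EBSI page or its conformance service; SAMPLE_ISSUER and the issuer.example URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Added example, not code from the EBSI page or its conformance service.
# The well-known suffixes are the two "Configuration location" paths on this page.
ISSUER_WELL_KNOWN = "/.well-known/openid-credential-issuer"
AS_WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ISSUER_FIELDS = ("credential_issuer", "credential_endpoint",
                          "deferred_credential_endpoint", "credentials_supported")

def _is_https(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)

def well_known_url(entity_id: str, suffix: str) -> str:
    """Entity Identifier + /.well-known/ path, with any terminating '/' removed
    first so the result never contains '//.well-known'."""
    if not _is_https(entity_id):
        raise ValueError(f"Entity Identifier must be an HTTPS URL: {entity_id!r}")
    return entity_id.rstrip("/") + suffix

def validate_issuer_metadata(meta: dict) -> list:
    """Check Credential Issuer Metadata against the field table on this page.
    Returns a list of problems; an empty list means it passes."""
    problems = [f"missing required field {f}" for f in REQUIRED_ISSUER_FIELDS
                if f not in meta]
    for ep in ("credential_endpoint", "deferred_credential_endpoint"):
        if ep in meta and not _is_https(meta[ep]):
            problems.append(f"{ep} must use the https scheme")
    for i, cred in enumerate(meta.get("credentials_supported", [])):
        problems += [f"credentials_supported[{i}] lacks {f}"
                     for f in ("format", "types") if f not in cred]
        tf = cred.get("trust_framework")  # OPTIONAL, but name and type are REQUIRED inside it
        if tf is not None:
            problems += [f"credentials_supported[{i}].trust_framework lacks {f}"
                         for f in ("name", "type") if f not in tf]
    return problems

def authorization_server_metadata_url(meta: dict) -> str:
    """Where a wallet fetches Authorisation Server metadata: authorization_server
    if present; if omitted, the Credential Issuer's identifier is the AS issuer."""
    as_issuer = meta.get("authorization_server") or meta["credential_issuer"]
    return well_known_url(as_issuer, AS_WELL_KNOWN)

# Constructed sample: an issuer acting as its own AS, with a terminating '/' on purpose.
SAMPLE_ISSUER = {
    "credential_issuer": "https://issuer.example/",
    "credential_endpoint": "https://issuer.example/credential",
    "deferred_credential_endpoint": "https://issuer.example/deferred_credential",
    "credentials_supported": [{"format": "jwt_vc", "types": ["VerifiableCredential"]}],
}
```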

Authorisation Server Metadata

Configuration location: /.well-known/openid-configuration

Visit the OpenID for Verifiable Presentations specification for further details on the OpenID configuration endpoint.

Field | Requirement | Notes
issuer | OPTIONAL | Authorisation Server's issuer identifier URL
authorization_endpoint | OPTIONAL | URL of the Authorisation Server's authorisation endpoint
token_endpoint | OPTIONAL | URL of the Authorisation Server's token endpoint
userinfo_endpoint | OPTIONAL | URL of the Authorisation Server's UserInfo endpoint
presentation_definition_endpoint | OPTIONAL | URL of the Authorisation Server's Presentation Definitions endpoint
jwks_uri | OPTIONAL | URL of the Authorisation Server's JWK Set document
scopes_supported | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "scope" values that this Authorisation Server supports
response_types_supported | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "response_type" values that this Authorisation Server supports
response_modes_supported | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "response_mode" values that this Authorisation Server supports
grant_types_supported | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "grant type" values that this Authorisation Server supports
subject_types_supported | OPTIONAL | A JSON array containing a list of the Subject Identifier types that this OP supports
id_token_signing_alg_values_supported | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for the ID Token
request_object_signing_alg_values_supported | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for Request Objects
request_parameter_supported | OPTIONAL | A Boolean value specifying whether the OP supports use of the "request" parameter
request_uri_parameter_supported | OPTIONAL | A Boolean value specifying whether the OP supports use of the "request_uri" parameter
token_endpoint_auth_methods_supported | OPTIONAL | A JSON array containing a list of client authentication methods supported by this token endpoint
vp_formats_supported | REQUIRED | A JSON Object containing a list of key value pairs, where the key is a string identifying a Credential format supported by the Wallet
vp_formats_supported.jwt_vp | OPTIONAL | A JSON Object, defining support for Verifiable Presentations in JWT format
vp_formats_supported.jwt_vp.alg_values_supported | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported
vp_formats_supported.jwt_vc | OPTIONAL | A JSON Object, defining support for Verifiable Credentials in JWT format
vp_formats_supported.jwt_vc.alg_values_supported | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported
subject_syntax_types_supported | OPTIONAL | A JSON Array of supported DID methods and their possible sub types
subject_trust_frameworks_supported | OPTIONAL | A JSON Array of supported Trust Frameworks
id_token_types_supported | OPTIONAL | A JSON array of strings containing the list of ID Token types supported by the OP

Example Authorisation Server Metadata

{
  "issuer": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock",
  "authorization_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock/authorize",
  "token_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock/token",
  "jwks_uri": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock/jwks",
  "scopes_supported": ["openid"],
  "response_types_supported": ["code", "vp_token", "id_token"],
  "response_modes_supported": ["query"],
  "grant_types_supported": ["authorization_code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "request_object_signing_alg_values_supported": ["ES256"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "vp_formats_supported": {
    "jwt_vp": {
      "alg_values_supported": ["ES256"]
    },
    "jwt_vc": {
      "alg_values_supported": ["ES256"]
    }
  },
  "subject_syntax_types_supported": ["did:key", "did:ebsi"],
  "subject_trust_frameworks_supported": ["ebsi"],
  "id_token_types_supported": [
    "subject_signed_id_token",
    "attester_signed_id_token"
  ]
}

Service Wallet Metadata

A Service Wallet is a decoupled construct with a composite relationship to an Issuer or a Verifier, whose purpose is requesting, signing and managing Verifiable Credentials. It shares the same client_id as the main functionality (verification or issuance), but exposes its own configuration through client_metadata in the Authorisation Request.

The configuration contains all fields from Holder Wallet Metadata, plus the following extension.

Field | Requirement | Notes
jwks_uri | REQUIRED | URL of the Authorisation Server's JWK Set document. Must start with client_id.

Example Service Wallet Metadata

{
  "authorization_endpoint": "openid:",
  "jwks_uri": "https://my-issuer.rocks/jwks"
}

Holder Wallet Metadata

Holder Wallets are used by individuals to store and present their credentials. Proper configuration of Holder Wallet Metadata ensures that these wallets can securely interact with Credential Issuers and Authorisation Servers.

Holder Wallets are non-reachable, so they deliver their configuration through the client_metadata field of the initial Authorisation Request; if it is not explicitly provided, the default configuration is used. Every field provided in client_metadata fully replaces the corresponding default property.

Field | Requirement | Notes | Default Property
authorization_endpoint | OPTIONAL | URL of the Authorisation Server's authorisation endpoint | "openid:"
scopes_supported | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "scope" values that this Authorisation Server supports | ["openid"]
response_types_supported | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "response_type" values that this Authorisation Server supports | ["vp_token", "id_token"]
subject_types_supported | OPTIONAL | A JSON array containing a list of the Subject Identifier types that this OP supports | ["public"]
id_token_signing_alg_values_supported | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for the ID Token | ["ES256"]
request_object_signing_alg_values_supported | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for Request Objects | ["ES256"]
vp_formats_supported | REQUIRED | A JSON Object containing a list of key value pairs, where the key is a string identifying a Credential format supported by the Wallet | { "jwt_vp": { "alg_values_supported": ["ES256"] }, "jwt_vc": { "alg_values_supported": ["ES256"] } }
vp_formats_supported.jwt_vp | OPTIONAL | A JSON Object, defining support for Verifiable Presentations in JWT format | { "alg_values_supported": ["ES256"] }
vp_formats_supported.jwt_vp.alg_values_supported | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported | ["ES256"]
vp_formats_supported.jwt_vc | OPTIONAL | A JSON Object, defining support for Verifiable Credentials in JWT format | { "alg_values_supported": ["ES256"] }
vp_formats_supported.jwt_vc.alg_values_supported | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported | ["ES256"]
subject_syntax_types_supported | OPTIONAL | A JSON Array of supported DID methods and their possible sub types. | ["urn:ietf:params:oauth:jwk-thumbprint", "did:key:jwk_jcs-pub"]
id_token_types_supported | OPTIONAL | A JSON array of strings containing the list of ID Token types supported by the OP | ["subject_signed_id_token"]

Default Properties Example for Holder Wallet Metadata

{
  "authorization_endpoint": "openid:",
  "response_types_supported": ["vp_token", "id_token"],
  "vp_formats_supported": {
    "jwt_vp": {
      "alg_values_supported": ["ES256"]
    },
    "jwt_vc": {
      "alg_values_supported": ["ES256"]
    }
  },
  "scopes_supported": ["openid"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "request_object_signing_alg_values_supported": ["ES256"],
  "subject_syntax_types_supported": [
    "urn:ietf:params:oauth:jwk-thumbprint",
    "did:key:jwk_jcs-pub"
  ],
  "id_token_types_supported": ["subject_signed_id_token"]
}