OpenID 4 Verifiable Credential Issuance

Nuts supports using OpenID 4 Verifiable Credential Issuance (OpenID4VCI) to issue credentials directly from an issuer to a holder. By supporting this protocol we aim to improve compliance with industry standards and products and remove credentials from the network DAG.

Note

This functionality is experimental and subject to change. We encourage developers to test it out and provide feedback.

We currently only support the issuer-initiated, pre-authorized code flow, without PIN (since the issuance is server-to-server, without user involvement).

Further support follows from what Nuts itself supports, meaning:

  • Only did:nuts DIDs are supported

  • Only JSON-LD credentials are supported

We aim to support other flows and features in the future:

  • Authorization code and dynamic credential requests, when we want to support flows in which the holder requests issuance of a credential

  • Client authentication, depending on evolving security requirements

Enabling

By default, the feature is disabled.

To enable issuing and receiving credentials over OpenID4VCI, set vcr.oidc4vci.enabled to true. To receive credentials over OpenID4VCI for a DID, you also have to register your wallet metadata URL in its DID document. You do so by registering a service of type oidc4vci-wallet-metadata with the serviceEndpoint pointing to the wallet metadata URL, e.g.: https://example.com/identity/<did>/.well-known/openid-credential-wallet (make sure to replace example.com and <did> with the correct values). The rest of the URL is dictated by the Nuts node.
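A check for that registration, added here as an example and not part of the Nuts node: given a DID document and the node's public base URL (both constructed sample values), it verifies that exactly one oidc4vci-wallet-metadata service is present and that its serviceEndpoint is the HTTPS URL the node serves under /identity/<did>/.well-known/openid-credential-wallet, reporting a placeholder that was never replaced.

```python
"""Added example (not Nuts node code): validate the oidc4vci-wallet-metadata service
that a DID document must carry before the DID can receive credentials over OpenID4VCI.
The node URL, DID and DID documents below are constructed sample values."""
from urllib.parse import urlparse

SERVICE_TYPE = "oidc4vci-wallet-metadata"
WELL_KNOWN_PATH = "/.well-known/openid-credential-wallet"


def expected_wallet_metadata_url(node_base_url: str, did: str) -> str:
    """Only the host is operator-chosen; the rest of the path is dictated by the node."""
    return f"{node_base_url.rstrip('/')}/identity/{did}{WELL_KNOWN_PATH}"


def check_wallet_metadata_service(did_document: dict, node_base_url: str) -> list:
    """Return a list of problems; an empty list means the registration looks correct."""
    problems = []
    did = did_document.get("id", "")
    if not did.startswith("did:nuts:"):
        problems.append(f"unsupported DID method in {did!r}: only did:nuts is supported")
    services = [s for s in did_document.get("service", []) if s.get("type") == SERVICE_TYPE]
    if len(services) != 1:
        problems.append(f"expected exactly one {SERVICE_TYPE} service, found {len(services)}")
        return problems
    endpoint = services[0].get("serviceEndpoint")
    if not isinstance(endpoint, str):
        problems.append("serviceEndpoint must be a single URL string")
        return problems
    if "<did>" in endpoint:
        problems.append(f"serviceEndpoint {endpoint!r} still contains the <did> placeholder")
    scheme = urlparse(endpoint).scheme
    if scheme != "https":
        problems.append(f"serviceEndpoint must use https, got {scheme!r}")
    expected = expected_wallet_metadata_url(node_base_url, did)
    if endpoint != expected:
        problems.append(f"serviceEndpoint {endpoint!r} does not match the URL the node serves: {expected!r}")
    return problems


# Constructed sample values for a stand-alone run.
NODE_URL = "https://node.example.com"
DID = "did:nuts:9kF2bXyZq4sample"
GOOD_DOC = {"id": DID, "service": [{"id": f"{DID}#wallet", "type": SERVICE_TYPE,
            "serviceEndpoint": f"{NODE_URL}/identity/{DID}{WELL_KNOWN_PATH}"}]}
# Placeholder never replaced and http instead of https: both should be reported.
BAD_DOC = {"id": DID, "service": [{"id": f"{DID}#wallet", "type": SERVICE_TYPE,
           "serviceEndpoint": "http://example.com/identity/<did>/.well-known/openid-credential-wallet"}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_wallet_metadata_service(doc, NODE_URL) or "ok")
```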