OpenID Connect
Type: technical
Full Name: OpenID Connect
Definition
OpenID Connect (OIDC) is an identity authentication layer built on top of the OAuth 2.0 authorization framework. While OAuth 2.0 answers "what can this application access?", OpenID Connect answers "who is this user?" by adding a standardized identity token (the ID Token), a UserInfo endpoint, and a discovery mechanism. In the EUDI Wallet ecosystem, OpenID Connect serves as the architectural foundation from which the wallet-specific protocols were derived: OpenID4VCI for credential issuance, OpenID4VP for credential presentation, and Self-Issued OpenID Provider v2 (SIOPv2) for wallet-based authentication. OIDC is deployed by virtually every major web service for user login and is the most widely used authentication protocol on the internet.
From OIDC to EUDI Wallet Protocols
The EUDI Wallet protocol stack can be understood as an evolution of traditional OpenID Connect. In classic OIDC, a relying party (website) redirects the user to an identity provider (like Google or a government eID service), the user authenticates, and the identity provider returns an ID Token containing identity claims. The relying party trusts the identity provider to have verified the user's identity.
EUDI Wallet protocols modify this model in two fundamental ways. First, instead of returning simple self-asserted identity claims, the identity provider issues cryptographically verifiable credentials (via OpenID4VCI) that the user stores in their wallet. Second, the user can later present these credentials to any relying party (via OpenID4VP) without involving the original identity provider, providing privacy through decoupled issuance and presentation.
Self-Issued OpenID Provider v2 (SIOPv2) takes this further by allowing the wallet itself to act as the OpenID Provider. The relying party sends an authentication request, and the wallet responds with an ID Token it has signed itself, accompanied by verifiable credential presentations that prove the identity claims. No centralized identity provider is involved in the authentication transaction.
This evolution preserves the well-understood OIDC interaction patterns (redirect-based flows, JSON-based tokens, discovery metadata) while adding the decentralization and privacy benefits that EUDI Wallets require. Developers familiar with OIDC can use their existing knowledge when implementing EUDI Wallet integrations.
ID Tokens and Verifiable Credentials
The traditional OIDC ID Token is a JWT signed by the identity provider containing claims about the authenticated user (subject identifier, name, email, authentication time, etc.). The relying party trusts these claims because it trusts the identity provider that signed the token. However, ID Tokens are typically short-lived (minutes), non-transferable, and bound to a specific relying party through the "audience" claim.
Verifiable credentials in EUDI Wallets extend this concept with longer validity periods (months to years for identity documents), selective disclosure (revealing only specific claims), device binding (cryptographic proof that the presenter holds the credential), and issuer trust chains (the credential's trustworthiness derives from the issuer's position in the trust framework, not from a direct relationship with the relying party).
In EUDI Wallet flows, the wallet may return both traditional OIDC tokens (for session management) and verifiable credential presentations (for identity proof) in a single response. The relying party can establish a session using the OIDC ID Token while verifying the user's identity claims from the verifiable credentials -- combining the session management benefits of OIDC with the strong identity assurance of verifiable credentials.
Discovery and Metadata
OIDC defines a discovery mechanism (the .well-known/openid-configuration endpoint) where an OpenID Provider publishes its capabilities, supported algorithms, endpoints, and other metadata as a JSON document. EUDI Wallet protocols extend this discovery mechanism for their specific needs.
Credential issuers publish an OpenID4VCI metadata document describing which credential types they issue, supported formats (mDoc, SD-JWT), supported proof types, and their credential endpoint URLs. This allows wallets to automatically discover and interact with any compliant issuer. Similarly, relying parties publish their OpenID4VP requirements, specifying which credentials they accept and what presentation format they expect.
This metadata-driven approach enables the interoperability that eIDAS 2.0 requires. A Polish citizen's wallet can automatically discover a German government service's credential requirements and present the appropriate credentials in the correct format -- all driven by standardized metadata that both parties understand through their shared OIDC heritage.
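How a wallet would consume the issuer metadata described above, as an added example that is not code from the page or from any wallet project: it checks that the document names the issuer it was fetched from (the same issuer-match rule OIDC discovery applies) and then selects the credential configurations whose format and proof algorithm the wallet supports. The JSON field names follow the OpenID4VCI drafts as assumed here; the issuer URL, identifiers and values are constructed.

```python
import json

# Constructed issuer metadata in the shape of an OpenID4VCI credential-issuer
# metadata document (field names assumed from the spec drafts; values made up).
ISSUER_METADATA_JSON = """{
  "credential_issuer": "https://issuer.example",
  "credential_endpoint": "https://issuer.example/credential",
  "credential_configurations_supported": {
    "pid_mdoc": {
      "format": "mso_mdoc", "doctype": "eu.example.pid.1",
      "proof_types_supported": {"jwt": {"proof_signing_alg_values_supported": ["ES256"]}}
    },
    "pid_sdjwt": {
      "format": "dc+sd-jwt", "vct": "urn:example:pid:1",
      "proof_types_supported": {"jwt": {"proof_signing_alg_values_supported": ["ES256", "ES384"]}}
    },
    "legacy_rs256": {
      "format": "jwt_vc_json",
      "proof_types_supported": {"jwt": {"proof_signing_alg_values_supported": ["RS256"]}}
    }
  }
}"""

# What this hypothetical wallet can produce: the two EUDI formats and an ES256 key.
WALLET_FORMATS = {"mso_mdoc", "dc+sd-jwt"}
WALLET_PROOF_ALGS = {"ES256"}

def load_issuer_metadata(raw: str, fetched_from: str) -> dict:
    """Parse the metadata and check it belongs to the issuer it was fetched from."""
    meta = json.loads(raw)
    # A document served for one issuer must not be accepted as another's metadata.
    if meta.get("credential_issuer") != fetched_from.rstrip("/"):
        raise ValueError("credential_issuer does not match the URL the document came from")
    return meta

def usable_configurations(meta: dict) -> list:
    """Return the configuration ids the wallet can actually request from this issuer."""
    usable = []
    for cfg_id, cfg in meta.get("credential_configurations_supported", {}).items():
        if cfg.get("format") not in WALLET_FORMATS:
            continue  # a format the wallet cannot store or present
        jwt_proof = cfg.get("proof_types_supported", {}).get("jwt", {})
        algs = set(jwt_proof.get("proof_signing_alg_values_supported", []))
        if not algs & WALLET_PROOF_ALGS:
            continue  # the issuer would reject the wallet's key-possession proof
        usable.append(cfg_id)
    return usable
```

The same selection logic, with the relying party's OpenID4VP requirements in place of the issuer's offerings, decides which credential the wallet presents in the scenario above.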
Related Terms
OAuth 2.0 -- Authorization framework underlying OpenID Connect
OpenID4VCI -- Credential issuance protocol extending OIDC
OpenID4VP -- Credential presentation protocol extending OIDC
Official Documentation
Learn more about OpenID Connect from official sources.