1F/ Open ID for SSI 101 (aka SJOP w/Demo)

From IIW

OpenID for SSI

Session Convener: Torsten & Kristina

Notes-taker(s): Hannah Sutor

Tags / links to resources / technology discussed, related to this session:


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Want to leverage well known advantages of OpenID Connect - Simplicity and Security

Existing libraries - HTTPs and a little bit of JSON

Great for mobile applications, no firewall hassles

Not about legacy transformation - it’s about supporting SSI applications natively

Self-Issued OP v2 - users can control their own authentication methods, key material

Important: To be as broad and flexible as possible when it comes to the rest of the SSI stack Goal: To be flexible, allow any credential format, mechanism, etc

OpenID connect has a decentralized/federated architecture since the beginning -> not used only by the “big guys”

Important for the design to be as flexible and general as possible when it comes to integrating SSi into OID

Selling points are both self-hosted OPs and edge-based OIPs (e.g.,, smart cars) -> could be used in Linkedin for “checkmarked” certificates or working experiences

Key management is different between the standard model and SIOP: in the latter, the user manages their own key, and the website trusts such an identifier. It does not have any mentions of credentials yet, it is just a way for a user to IDENTIFY themselves

Credentials enter the picture with SIOP v2 + OpenID Connect 4 Verifiable Presentations -> The RP needs to verify any details, like the revocation status, which means that the verifier (or RP) has to have knowledge of the tech stack underlying the credential used in the flow

Use Cases

Why should I move to this model vs the model we have none?

  • Completely hosted locally on your device - not dependent on third party hosting
  • Authentication as edge
  • In one translation, I can present credentials from multiple issuers
    • I as a user, I already proved I work for company X, now LinkedIn can consume that and verify me

Self-Issued OP Model Instead of having trust in a third party, we have our trust in the cryptographically verifiable identifier. Opens up for verification via DID

Are DIDs replacing authorization tokens?

No. ID token and Access tokens are inherently different. DIDs are an identifier which just sends out identity token.


  • Format Agnostic
  • Passing `presentation_defiition` PE object by value or by reference
  • Support for trust schemes -
  • Dynamic SIOP discovery and invocation via HTTPS URLs (enables use of app/universal links and web wallets)
  • Leverages all OpenID Connect flows. Can be locally hosted, cloud components, or cloud-based
  • Cross device flow enabled - “I’m starting here, but I’m presenting a credential that’s on my phone”
  • Leverages OpenID connect metadata for verifiers and wallet management

Demo Extending existing wallet. Built on top of Indy SDK to come up with most incremental solution

  • Use Wallet to log into NextCloud
  • Goal: all members in consortium can use wallet for logging into NextCloud
  • QR code contain SIOP request
  • Wallet shows you where data is being sent. Data is sent directly from Wallet to verifier using HTTPS

Goal: Interoperability.