23.2. Entity Configuration of Credential Issuers¶
The Credential Issuers, as Federation Entity, are required to adhere to the guidelines outlined in Section Configuration of the Federation. Specifically, they MUST provide a well-known endpoint that hosts their Entity Configuration. The Entity Configuration of Credential Issuers MUST contain the parameters defined in the Sections Entity Configuration Leaves and Intermediates and Entity Configurations Common Parameters.
The Credential Issuers MUST provide the following metadata types:
federation_entity
oauth_authorization_server
openid_credential_issuer
In cases where the (Q)EAA Providers authenticate Users using their Wallet Instance, then the metadata for openid_credential_verifier MUST be provided in addition to the metadata above. In case a national eID scheme is used by the Credential Issuers for the User authentication, they MAY include a metadata for openid_relying_party within their Entity Configuration. The openid_relying_party metadata MUST be compliant with the current version of SPID/CIE-OpenID-Connect-Specifications.
The federation_entity metadata MUST contain the parameters as defined in Section Metadata of federation_entity Leaves.
The openid_credential_verifier metadata MUST contain the parameters as defined in Section Metadata for openid_credential_verifier.
23.2.2. Metadata for openid_credential_issuer¶
The openid_credential_issuer metadata MUST contain the following claims.
Claim |
Description |
|---|---|
credential_issuer |
The Credential Issuer identifier. It MUST be a case sensitive URL using HTTPS scheme as defined in OpenID4VCI Sections 11.2.1 and 11.2.3. |
credential_endpoint |
URL of the credential endpoint. See OpenID4VCI Section 11.2.3. |
nonce_endpoint |
URL of the Nonce Endpoint, as defined in Section 7 of OpenID4VCI. |
revocation_endpoint |
URL of the revocation endpoint. See RFC 8414#section-2. |
deferred_credential_endpoint |
URL of the deferred credential endpoint, as defined in Section 11.2.3 of OpenID4VCI. |
status_attestation_endpoint |
It MUST be an HTTPs URL indicating the endpoint where the Wallet Instances can request Status Assertions. See Section Digital Credential Lifecycle for more details. |
notification_endpoint |
It MUST be an HTTPs URL indicating the notification endpoint. See Section 11.2.3 of [OpenID4VCI]. |
authorization_servers |
OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [RFC 8414]) the Credential Issuer relies on for authorization. If this parameter is omitted, the entity providing the Credential Issuer is also acting as the Authorization Server. |
display |
See OpenID4VCI Section 11.2.3. Array of objects containing display language properties. The parameters that MUST be included are:
|
credential_configurations_supported |
JSON object that outlines the details of the Credential supported by the Credential Issuer. It includes a list of name/value pairs, where each name uniquely identifies a specific supported Credential. This identifier is utilized to inform the Wallet Instance which Credential can be provided by the Credential Issuer. The associated value within the object MUST contain metadata specific to that Credential, as defined following. See OpenID4VCI Sections 11.2.3 and A.3.2.
|
jwks |
JSON Web Key Set document, passed by value, containing the protocol specific keys for the Credential Issuer. See OID-FED Section 5.2.1 and JWK. |
trust_frameworks_supported |
|
evidence_supported |
JSON array containing all types of identity evidence supported by the Credential Issuer. See OIDC-IDA Section 8. The supported value is |
status_assertion_endpoint |
URL of the Status Assertion Endpoint. See OAUTH-STATUS-ASSERTION Section 11.1. |
credential_hash_alg_supported |
The supported algorithm used by the Wallet Instance to hash the Digital Credential for which the Status Assertion is requested. It is RECOMMENDED to use sha-256. See OAUTH-STATUS-ASSERTION Section 11.1. |
23.2.3. Example of a (Q)EAA Provider Entity Configuration¶
Below is a non-normative example of an Entity Configuration of a (Q)EAA Provider containing a metadata for
federation_entity
oauth_authorization_server
openid_credential_issuer
openid_credential_verifier
{
"iat": 1718207217,
"exp": 1749743216,
"iss": "https://eaa-provider.example.org",
"sub": "https://eaa-provider.example.org",
"authority_hints": [
"https://trust-anchor.example.org"
],
"jwks": {
"keys": [
{
"kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
},
"metadata": {
"federation_entity": {
"homepage_uri": "https://eaa-provider.example.org/",
"organization_name": "Organization Name",
"contacts": [
"informazioni@example.it",
"protocollo@pec.example.it"
],
"tos_uri": "https://eaa-provider.example.org/public/info_policy.html",
"policy_uri": "https://eaa-provider.example.org/public/privacy_policy.html",
"logo_uri": "https://eaa-provider.example.org/public/logo.svg"
},
"oauth_authorization_server": {
"issuer": "https://eaa-provider.example.org",
"pushed_authorization_request_endpoint": "https://eaa-provider.example.org/as/par",
"authorization_endpoint": "https://eaa-provider.example.org/authorize",
"token_endpoint": "https://eaa-provider.example.org/token",
"client_registration_types_supported": [
"automatic"
],
"code_challenge_methods_supported": [
"S256"
],
"acr_values_supported": [
"https://trust-registry.eid-wallet.example.it/loa/substantial",
"https://trust-registry.eid-wallet.example.it/loa/high"
],
"scopes_supported": [
"EuropeanDisabilityCard",
"mDL"
],
"response_modes_supported": [
"form_post.jwt",
"query"
],
"response_types_supported": [
"code"
],
"authorization_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"grant_types_supported": [
"authorization_code"
],
"token_endpoint_auth_methods_supported": [
"attest_jwt_client_auth"
],
"token_endpoint_auth_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"request_object_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
}
},
"openid_credential_issuer": {
"credential_issuer": "https://eaa-provider.example.org",
"credential_endpoint": "https://eaa-provider.example.org/credential",
"nonce_endpoint": "https://eaa-provider.example.org/nonce-endpoint",
"deferred_credential_endpoint": "https://eaa-provider.example.org/deferred-credential",
"revocation_endpoint": "https://eaa-provider.example.org/revoke",
"status_attestation_endpoint": "https://eaa-provider.example.org/status",
"notification_endpoint": "https://eaa-provider.example.org/notification",
"display": [
{
"name": "EAA Provider",
"locale": "it-IT"
},
{
"name": "EAA Provider",
"locale": "en-US"
}
],
"credential_configurations_supported": {
"dc_sd_jwt_EuropeanDisabilityCard": {
"format": "dc+sd-jwt",
"scope": "EuropeanDisabilityCard",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
]
}
},
"display": [
{
"name": "Carta della disabilità europea",
"locale": "it-IT"
},
{
"name": "European Disability Card",
"locale": "en-US"
}
],
"vct": "https://trust-registry.eid-wallet.example.it/v1.0/EuropeanDisabilityCard",
"claims": [
{
"path": ["document_number"],
"display": [
{
"name": "Numero Documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
{
"path": ["given_name"],
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "Name",
"locale": "en-US"
}
]
},
{
"path": ["family_name"],
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
{
"path": ["birth_date"],
"display": [
{
"name": "Data di Nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["personal_administrative_number"],
"display": [
{
"name": "Codice Fiscale",
"locale": "it-IT"
},
{
"name": "Tax Identification Number",
"locale": "en-US"
}
]
},
{
"path": ["expiry_date"],
"display": [
{
"name": "Data di Scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiration Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["constant_attendance_allowance"],
"display": [
{
"name": "Diritto accompagnatore",
"locale": "it-IT"
},
{
"name": "Constant attendance allowance",
"locale": "en-US"
}
]
},
{
"path": ["portrait"],
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
{
"path": ["link_qr_code"],
"display": [
{
"name": "Link QR Code",
"locale": "it-IT"
},
{
"name": "Link QR Code",
"locale": "en-US"
}
]
}
]
},
"dc_sd_jwt_mDL": {
"format": "dc+sd-jwt",
"scope": "mDL",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
]
}
},
"display": [
{
"name": "Patente di guida",
"locale": "it-IT"
},
{
"name": "Mobile Driver's License",
"locale": "en-US"
}
],
"vct": "https://trust-registry.eid-wallet.example.it/v1.0/mDL",
"claims": [
{
"path": ["given_name"],
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "First Name",
"locale": "en-US"
}
]
},
{
"path": ["family_name"],
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
{
"path": ["birth_date"],
"display": [
{
"name": "Data di nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["place_of_birth"],
"display": [
{
"name": "Luogo di Nascita",
"locale": "it-IT"
},
{
"name": "Place of Birth",
"locale": "en-US"
}
]
},
{
"path": ["issue_date"],
"display": [
{
"name": "Data di rilascio (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Issue Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["expiry_date"],
"display": [
{
"name": "Data di scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiry Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["issuing_country"],
"display": [
{
"name": "Paese di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Country",
"locale": "en-US"
}
]
},
{
"path": ["issuing_authority"],
"display": [
{
"name": "Autorità di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Authority",
"locale": "en-US"
}
]
},
{
"path": ["document_number"],
"display": [
{
"name": "Numero di documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
{
"path": ["portrait"],
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
{
"path": ["driving_privileges"],
"display": [
{
"name": "Elenco delle categorie di abilitazione separate da spazio",
"locale": "it-IT"
},
{
"name": "Driving Privileges separated by space",
"locale": "en-US"
}
]
},
{
"path": ["restrictions_conditions"],
"display": [
{
"name": "Annotazioni/Restrizioni valide per tutte le categorie separate da spazio",
"locale": "it-IT"
},
{
"name": "Restriction/Condition for all driving privileges separated by space ",
"locale": "en-US"
}
]
},
{
"path": ["driving_privileges_details"],
"display": [
{
"name": "Dettagli delle categorie di abilitazione",
"locale": "it-IT"
},
{
"name": "Driving privilege details",
"locale": "en-US"
}
]
}
]
},
"mso_mdoc_mDL": {
"format": "mso_mdoc",
"scope": "mDL",
"doctype": "org.iso.18013.5.1.mDL",
"cryptographic_binding_methods_supported": [
"cose_key"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"display": [
{
"name": "Patente di guida",
"locale": "it-IT"
},
{
"name": "Mobile Driver's License",
"locale": "en-US"
}
],
"claims": [
{
"path": ["org.iso.18013.5.1", "given_name"],
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "First Name",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "family_name"],
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "birth_date"],
"display": [
{
"name": "Data di nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "birth_place"],
"display": [
{
"name": "Luogo di Nascita",
"locale": "it-IT"
},
{
"name": "Place of Birth",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "issue_date"],
"display": [
{
"name": "Data di rilascio (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Issue Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "expiry_date"],
"display": [
{
"name": "Data di scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiry Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "issuing_country"],
"display": [
{
"name": "Paese di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Country",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "issuing_authority"],
"display": [
{
"name": "Autorità di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Authority",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "document_number"],
"display": [
{
"name": "Numero di documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "portrait"],
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "driving_privileges"],
"display": [
{
"name": "Elenco delle categorie di abilitazione e relativi dettagli su restrizioni/condizioni",
"locale": "it-IT"
},
{
"name": "Driving Privileges and related restrictions/conditions details",
"locale": "en-US"
}
]
},
{
"path": ["org.iso.18013.5.1", "un_distinguishing_sign"],
"display": [
{
"name": "Codice identificativo della Nazione",
"locale": "it-IT"
},
{
"name": "Distinguishing sign of the issuing country",
"locale": "en-US"
}
]
}
]
}
},
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
},
"trust_frameworks_supported": [
"it_cie",
"it_wallet",
"eudi_wallet"
],
"evidence_supported": [
"vouch"
]
},
"openid_credential_verifier": {
"application_type": "web",
"client_id": "https://eaa-provider.example.org",
"client_name": "Organization Name",
"contacts": [
"informazioni@example.it",
"protocollo@pec.example.it"
],
"request_uris": [
"https://eaa-provider.example.org/request_uri"
],
"response_uris": [
"https://eaa-provider.example.org/response_uri"
],
"default_acr_values": [
"https://trust-registry.eid-wallet.example.it/loa/substantial",
"https://trust-registry.eid-wallet.example.it/loa/high"
],
"request_object_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"authorization_signed_response_alg": [
"ES256",
"ES384",
"ES512"
],
"authorization_encrypted_response_alg": [
"RSA-OAEP-256"
],
"authorization_encrypted_response_enc": [
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512",
"A128GCM",
"A192GCM",
"A256GCM"
],
"vp_formats": {
"dc+sd-jwt": {
"sd-jwt_alg_values": [
"ES256",
"ES384",
"ES512"
]
}
},
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
}
}
}
}