Entity Configuration of PID/(Q)EAA Providers¶
The PID/(Q)EAA Providers, as Federation Entity, are required to adhere to the guidelines outlined in Section Configuration of the Federation. Specifically, they MUST provide a well-known endpoint that hosts their Entity Configuration. The Entity Configuration of PID/(Q)EAA Providers MUST contain the parameters defined in the Sections Entity Configuration Leaves and Intermediates and Entity Configurations Common Parameters.
The PID/(Q)EAA Providers MUST provide the following metadata types:
federation_entity
oauth_authorization_server
openid_credential_issuer
In cases where the (Q)EAA Providers authenticate Users using their Wallet Instance, then the metadata for wallet_relying_party MUST be provided in addition to the metadata above. In case a national eID scheme is used by the PID/(Q)EAA Providers for the User authentication, they MAY include a metadata for openid_relying_party within their Entity Configuration. The openid_relying_party metadata MUST be compliant with the current version of SPID/CIE id OIDC Technical Specification.
Metadata for federation_entity¶
The federation_entity metadata MUST contain the parameters as defined in Section Metadata of federation_entity Leaves.
Metadata for openid_credential_issuer¶
The openid_credential_issuer metadata MUST contain the following claims.
Claim |
Description |
---|---|
credential_issuer |
The PID/(Q)EAA Provider identifier. It MUST be a case sensitive URL using HTTPS scheme as defined in OpenID4VCI Sections 11.2.1 and 11.2.3. |
credential_endpoint |
URL of the credential endpoint. See OpenID4VCI Section 11.2.3. |
revocation_endpoint |
URL of the revocation endpoint. See RFC 8414#section-2. |
status_attestation_endpoint |
It MUST be an HTTPs URL indicating the endpoint where the Wallet Instances can request Status Attestations. See Section Credential Lifecycle for more details. |
notification_endpoint |
It MUST be an HTTPs URL indicating the notification endpoint. See Section 11.2.3 of [OpenID4VCI]. |
authorization_servers |
OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [RFC 8414]) the PID/(Q)EAA Provider relies on for authorization. If this parameter is omitted, the entity providing the PID/(Q)EAA Provider is also acting as the Authorization Server. |
display |
See OpenID4VCI Section 11.2.3. Array of objects containing display language properties. The parameters that MUST be included are:
|
credential_configurations_supported |
JSON object that outlines the details of the Credential supported by the PID/(Q)EAA Provider. It includes a list of name/value pairs, where each name uniquely identifies a specific supported Credential. This identifier is utilized to inform the Wallet Instance which Credential can be provided by the PID/(Q)EAA Provider. The associated value within the object MUST contain metadata specific to that Credential, as defined following. See OpenID4VCI Sections 11.2.3 and A.3.2.
|
jwks |
JSON Web Key Set document, passed by value, containing the protocol specific keys for the Credential Issuer. See OID-FED Section 5.2.1 and JWK. |
Metadata for wallet_relying_party¶
The wallet_relying_party metadata MUST contain the parameters as defined in Section Metadata for wallet_relying_party.
Example of a (Q)EAA Provider Entity Configuration¶
Below is a non-normative example of an Entity Configuration of a (Q)EAA Provider containing a metadata for
federation_entity
oauth_authorization_server
openid_credential_issuer
wallet_relying_party
{
"iat": 1718207217,
"exp": 1749743216,
"iss": "https://eaa-provider.example.org",
"sub": "https://eaa-provider.example.org",
"authority_hints": [
"https://trust-anchor.example.org"
],
"jwks": {
"keys": [
{
"kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
},
"metadata": {
"federation_entity": {
"homepage_uri": "https://eaa-provider.example.org/",
"organization_name": "Organization Name",
"contacts": [
"informazioni@example.it",
"protocollo@pec.example.it"
],
"tos_uri": "https://eaa-provider.example.org/public/info_policy.html",
"policy_uri": "https://eaa-provider.example.org/public/privacy_policy.html",
"logo_uri": "https://eaa-provider.example.org/public/logo.svg"
},
"oauth_authorization_server": {
"issuer": "https://eaa-provider.example.org",
"pushed_authorization_request_endpoint": "https://eaa-provider.example.org/as/par",
"authorization_endpoint": "https://eaa-provider.example.org/authorize",
"token_endpoint": "https://eaa-provider.example.org/token",
"client_registration_types_supported": [
"automatic"
],
"code_challenge_methods_supported": [
"S256"
],
"acr_values_supported": [
"https://www.spid.gov.it/SpidL2",
"https://www.spid.gov.it/SpidL3"
],
"scopes_supported": [
"EuropeanDisabilityCard",
"MDL"
],
"response_modes_supported": [
"form_post.jwt",
"query"
],
"authorization_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"grant_types_supported": [
"authorization_code"
],
"token_endpoint_auth_methods_supported": [
"attest_jwt_client_auth"
],
"token_endpoint_auth_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"request_object_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
}
},
"openid_credential_issuer": {
"credential_issuer": "https://eaa-provider.example.org",
"credential_endpoint": "https://eaa-provider.example.org/credential",
"revocation_endpoint": "https://eaa-provider.example.org/revoke",
"status_attestation_endpoint": "https://eaa-provider.example.org/status",
"notification_endpoint": "https://eaa-provider.example.org/notification",
"display": [
{
"name": "EAA Provider",
"locale": "it-IT"
},
{
"name": "EAA Provider",
"locale": "en-US"
}
],
"credential_configurations_supported": {
"EuropeanDisabilityCard": {
"format": "vc+sd-jwt",
"scope": "EuropeanDisabilityCard",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
]
}
},
"display": [
{
"name": "Carta della disabilità europea",
"locale": "it-IT"
},
{
"name": "European Disability Card",
"locale": "en-US"
}
],
"vct": "EuropeanDisabilityCard",
"claims": {
"document_number": {
"value_type": "string",
"display": [
{
"name": "Numero Documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
"given_name": {
"value_type": "string",
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "Name",
"locale": "en-US"
}
]
},
"family_name": {
"value_type": "string",
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
"birth_date": {
"value_type": "string",
"display": [
{
"name": "Data di Nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
"tax_id_code": {
"value_type": "string",
"display": [
{
"name": "Codice Fiscale",
"locale": "it-IT"
},
{
"name": "Tax Id Number",
"locale": "en-US"
}
]
},
"expiry_date": {
"value_type": "string",
"display": [
{
"name": "Data di Scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiration Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
"constant_attendance_allowance": {
"value_type": "boolean",
"display": [
{
"name": "Diritto accompagnatore",
"locale": "it-IT"
},
{
"name": "Constant attendance allowance",
"locale": "en-US"
}
]
},
"portrait": {
"value_type": "string",
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
"link_qr_code": {
"value_type": "string",
"display": [
{
"name": "Link QR Code",
"locale": "it-IT"
},
{
"name": "Link QR Code",
"locale": "en-US"
}
]
}
}
},
"MDL": {
"format": "vc+sd-jwt",
"scope": "MDL",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
]
}
},
"display": [
{
"name": "Patente di guida",
"locale": "it-IT"
},
{
"name": "Mobile Driver's License",
"locale": "en-US"
}
],
"vct": "MDL",
"claims": {
"given_name": {
"value_type": "string",
"display": [
{
"name": "Nome",
"locale": "it-IT"
},
{
"name": "First Name",
"locale": "en-US"
}
]
},
"family_name": {
"value_type": "string",
"display": [
{
"name": "Cognome",
"locale": "it-IT"
},
{
"name": "Family Name",
"locale": "en-US"
}
]
},
"birth_date": {
"value_type": "string",
"display": [
{
"name": "Data di nascita (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Date of Birth (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
"place_of_birth": {
"value_type": "string",
"display": [
{
"name": "Luogo di Nascita",
"locale": "it-IT"
},
{
"name": "Place of Birth",
"locale": "en-US"
}
]
},
"issue_date": {
"value_type": "string",
"display": [
{
"name": "Data di rilascio (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Issue Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
"expiry_date": {
"value_type": "string",
"display": [
{
"name": "Data di scadenza (YYYY-MM-GG)",
"locale": "it-IT"
},
{
"name": "Expiry Date (YYYY-MM-GG)",
"locale": "en-US"
}
]
},
"issuing_country": {
"value_type": "string",
"display": [
{
"name": "Paese di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Country",
"locale": "en-US"
}
]
},
"issuing_authority": {
"value_type": "string",
"display": [
{
"name": "Autorità di rilascio",
"locale": "it-IT"
},
{
"name": "Issuing Authority",
"locale": "en-US"
}
]
},
"document_number": {
"value_type": "string",
"display": [
{
"name": "Numero di documento",
"locale": "it-IT"
},
{
"name": "Document Number",
"locale": "en-US"
}
]
},
"portrait": {
"value_type": "string",
"display": [
{
"name": "Foto codificata in base64",
"locale": "it-IT"
},
{
"name": "Portrait base64 encoded",
"locale": "en-US"
}
]
},
"driving_privileges": {
"value_type": "string",
"display": [
{
"name": "Elenco delle categorie di abilitazione separate da spazio",
"locale": "it-IT"
},
{
"name": "Driving Privileges separated by space",
"locale": "en-US"
}
]
},
"restrictions_conditions": {
"value_type": "string",
"display": [
{
"name": "Annotazioni/Restrizioni valide per tutte le categorie separate da spazio",
"locale": "it-IT"
},
{
"name": "Restriction/Condition for all driving privileges separated by space ",
"locale": "en-US"
}
]
},
"driving_privileges_details": {
"value_type": "string",
"display": [
{
"name": "Dettagli delle categorie di abilitazione",
"locale": "it-IT"
},
{
"name": "Driving privilege details",
"locale": "en-US"
}
]
}
}
}
},
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
}
},
"wallet_relying_party": {
"application_type": "web",
"client_id": "https://eaa-provider.example.org",
"client_name": "Organization Name",
"contacts": [
"informazioni@example.it",
"protocollo@pec.example.it"
],
"request_uris": [
"https://eaa-provider.example.org/request_uri"
],
"response_uris": [
"https://eaa-provider.example.org/response_uri"
],
"default_acr_values": [
"https://www.spid.gov.it/SpidL2",
"https://www.spid.gov.it/SpidL3"
],
"request_object_signing_alg_values_supported": [
"ES256",
"ES384",
"ES512"
],
"authorization_signed_response_alg": [
"ES256",
"ES384",
"ES512"
],
"authorization_encrypted_response_alg": [
"RSA-OAEP-256"
],
"authorization_encrypted_response_enc": [
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512",
"A128GCM",
"A192GCM",
"A256GCM"
],
"vp_formats": {
"vc+sd-jwt": {
"sd-jwt_alg_values": [
"ES256",
"ES384",
"ES512"
]
}
},
"presentation_definitions_supported": [
{
"id": "d76c51b7-ea90-49bb-8368-6b3d194fc131",
"input_descriptors": [
{
"id": "PersonIdentificationData",
"format": {
"vc+sd-jwt": {
"alg": [
"ES256",
"ES384",
"ES512"
]
},
"constraints": {
"limit_disclosure": "required",
"fields": [
{
"filter": {
"const": "PersonIdentificationData",
"type": "string"
},
"path": [
"$.vct"
]
},
{
"filter": {
"type": "object"
},
"path": [
"$.cnf.jwk"
]
},
{
"path": [
"$.unique_id"
]
},
{
"path": [
"$.tax_id_code"
]
}
]
}
}
},
{
"id": "WalletAttestation",
"format": {
"jwt": {
"alg": [
"ES256",
"ES384",
"ES512"
]
},
"constraints": {
"limit_disclosure": "required",
"fields": [
{
"filter": {
"type": "string"
},
"path": [
"$.iss"
]
},
{
"filter": {
"type": "object"
},
"path": [
"$.cnf.jwk"
]
}
]
}
}
}
]
}
],
"jwks": {
"keys": [
{
"kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
"kty": "EC",
"crv": "P-256",
"x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
"y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
}
]
}
}
}
}