Entity Configuration of PID/(Q)EAA Providers

The PID/(Q)EAA Providers, as Federation Entities, MUST adhere to the guidelines outlined in Section Configuration of the Federation. Specifically, they MUST expose a well-known endpoint that hosts their Entity Configuration. The Entity Configuration of PID/(Q)EAA Providers MUST contain the parameters defined in the Sections Entity Configuration Leaves and Intermediates and Entity Configurations Common Parameters.

The PID/(Q)EAA Providers MUST provide the following metadata types:

  • federation_entity

  • oauth_authorization_server

  • openid_credential_issuer

If the (Q)EAA Providers authenticate Users through their Wallet Instance, the metadata for wallet_relying_party MUST be provided in addition to the types above. If a national eID scheme is used by the PID/(Q)EAA Providers for User authentication, they MAY include openid_relying_party metadata within their Entity Configuration; that openid_relying_party metadata MUST comply with the current version of the SPID/CIE id OIDC Technical Specification.

Metadata for federation_entity

The federation_entity metadata MUST contain the parameters as defined in Section Metadata of federation_entity Leaves.

Metadata for oauth_authorization_server

The oauth_authorization_server metadata MUST contain the following parameters.

Claim

Description

issuer

It MUST contain an HTTPS URL that uniquely identifies the PID/(Q)EAA Provider.

pushed_authorization_request_endpoint

URL of the pushed authorization request endpoint, where the Wallet Instance MUST submit its authorization request to obtain a request_uri value, which is then used at the authorization endpoint. See RFC 9126 Section 5.

authorization_endpoint

URL of the authorization server's authorization endpoint. See RFC 8414#section-2.

token_endpoint

URL of the authorization server's token endpoint. See RFC 8414#section-2.

client_registration_types_supported

Array of the supported client registration types. It MUST include the value automatic. See OID-FED Section 5.1.3.

code_challenge_methods_supported

JSON array containing a list of Proof Key for Code Exchange (PKCE) RFC 7636 code challenge methods supported by the authorization server. The authorization server MUST support S256.

acr_values_supported

See OpenID Connect Discovery 1.0 Section 3. The supported values are:

  • https://www.spid.gov.it/SpidL1

  • https://www.spid.gov.it/SpidL2

  • https://www.spid.gov.it/SpidL3

scopes_supported

JSON array containing a list of the supported scope values. See RFC 8414#section-2.

response_modes_supported

JSON array containing a list of the supported "response_mode" values, as specified in OAuth 2.0 Multiple Response Type Encoding Practices. The supported values MAY be query and form_post.jwt (see [oauth-v2-jarm-03]).

authorization_signing_alg_values_supported

JSON array containing a list of the JWS RFC 7515 supported signing algorithms (alg values). The values MUST be set according to Section Cryptographic Algorithms. See Section 4 of [oauth-v2-jarm-03].

grant_types_supported

JSON array containing a list of the supported grant type values. The authorization server MUST support authorization_code.

token_endpoint_auth_methods_supported

JSON array containing a list of supported client authentication methods. The Token Endpoint MUST support attest_jwt_client_auth as defined in OAUTH-ATTESTATION-CLIENT-AUTH.

token_endpoint_auth_signing_alg_values_supported

JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the token endpoint for the signature on the JWT used to authenticate the client at the Token Endpoint. See RFC 8414#section-2.

request_object_signing_alg_values_supported

JSON array containing a list of the JWS signing algorithms ("alg" values) supported for Request Objects. See [openid-connect-discovery-1_0].

jwks

JSON Web Key Set containing the cryptographic keys for the authorization server. See OID-FED Section 5.2.1 and JWK.
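The Entity Configuration is published as a signed JWT at the well-known endpoint; once its signature has been verified against the federation jwks, the decoded payload can be checked against the rules above. The following Python is an added example, not part of the specification or of any reference implementation: it applies the top-level requirements (iss equal to sub, federation jwks, authority_hints, the three mandatory metadata types) and the MUST-level rules of the oauth_authorization_server table to a decoded payload. The sample configuration inside it is a constructed, reduced copy of the (Q)EAA Provider example further down the page; the function and constant names are the example's own, and JWT signature verification is a separate step not shown here.

```python
# Added example: MUST-level checks for the oauth_authorization_server metadata of a
# PID/(Q)EAA Provider Entity Configuration. Input is the decoded JWT payload (a dict);
# verifying the JWT signature against the federation jwks is a separate step.
from urllib.parse import urlsplit

SPID_ACR = {f"https://www.spid.gov.it/SpidL{i}" for i in (1, 2, 3)}
AS_REQUIRED = (
    "issuer", "pushed_authorization_request_endpoint", "authorization_endpoint",
    "token_endpoint", "client_registration_types_supported",
    "code_challenge_methods_supported", "acr_values_supported", "scopes_supported",
    "response_modes_supported", "authorization_signing_alg_values_supported",
    "grant_types_supported", "token_endpoint_auth_methods_supported",
    "token_endpoint_auth_signing_alg_values_supported",
    "request_object_signing_alg_values_supported", "jwks")
AS_URL_CLAIMS = AS_REQUIRED[:4]
AS_MANDATORY = {  # array claim -> value that MUST be listed in it
    "client_registration_types_supported": "automatic",
    "code_challenge_methods_supported": "S256",
    "grant_types_supported": "authorization_code",
    "token_endpoint_auth_methods_supported": "attest_jwt_client_auth"}
METADATA_TYPES = ("federation_entity", "oauth_authorization_server", "openid_credential_issuer")


def _https(url):
    """Absolute https URL with a host component."""
    p = urlsplit(url) if isinstance(url, str) else None
    return bool(p and p.scheme == "https" and p.netloc)


def _require(obj, required, url_claims, where, errors):
    """Report missing claims, and non-https values for the claims that carry URLs."""
    for claim in required:
        if claim not in obj:
            errors.append(f"{where}: missing {claim}")
        elif claim in url_claims and not _https(obj[claim]):
            errors.append(f"{where}: {claim} is not an https URL")


def validate_authorization_server_metadata(ec):
    """Return the violations found in an Entity Configuration payload (empty list = pass)."""
    errors = []
    _require(ec, ("iss", "sub", "iat", "exp", "jwks", "authority_hints", "metadata"),
             ("iss", "sub"), "entity configuration", errors)
    if ec.get("iss") != ec.get("sub"):
        errors.append("entity configuration: iss and sub must both be the entity identifier")
    if not ec.get("jwks", {}).get("keys"):
        errors.append("entity configuration: federation jwks has no keys")
    _require(ec.get("metadata", {}), METADATA_TYPES, (), "metadata", errors)
    au = ec.get("metadata", {}).get("oauth_authorization_server", {})
    _require(au, AS_REQUIRED, AS_URL_CLAIMS, "oauth_authorization_server", errors)
    for claim, value in AS_MANDATORY.items():
        if value not in au.get(claim, []):
            errors.append(f"oauth_authorization_server: {claim} must list {value}")
    for acr in au.get("acr_values_supported", []):
        if acr not in SPID_ACR:
            errors.append(f"oauth_authorization_server: acr value {acr} is not a SPID level")
    for mode in au.get("response_modes_supported", []):
        if mode not in ("query", "form_post.jwt"):
            errors.append(f"oauth_authorization_server: response_mode {mode} is not allowed")
    return errors


def sample_entity_configuration():
    """Constructed, reduced copy of the (Q)EAA Provider example on this page."""
    eid = "https://eaa-provider.example.org"
    algs = ["ES256", "ES384", "ES512"]
    jwks = {"keys": [{"kty": "EC", "crv": "P-256", "kid": "example-key-1",
                      "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i_LTP2QRzMADk4",
                      "y": "qkMx5iqt5PhPu5tfctS6HsP-FmLgrxfrzUV2GwMQuh8"}]}
    au = {"issuer": eid, "pushed_authorization_request_endpoint": eid + "/as/par",
          "authorization_endpoint": eid + "/authorize", "token_endpoint": eid + "/token",
          "client_registration_types_supported": ["automatic"],
          "code_challenge_methods_supported": ["S256"],
          "acr_values_supported": ["https://www.spid.gov.it/SpidL2"],
          "scopes_supported": ["EuropeanDisabilityCard", "MDL"],
          "response_modes_supported": ["form_post.jwt", "query"],
          "authorization_signing_alg_values_supported": algs,
          "grant_types_supported": ["authorization_code"],
          "token_endpoint_auth_methods_supported": ["attest_jwt_client_auth"],
          "token_endpoint_auth_signing_alg_values_supported": algs,
          "request_object_signing_alg_values_supported": algs, "jwks": jwks}
    return {"iss": eid, "sub": eid, "iat": 1718207217, "exp": 1749743216, "jwks": jwks,
            "authority_hints": ["https://trust-anchor.example.org"],
            "metadata": {"federation_entity": {"organization_name": "Organization Name"},
                         "oauth_authorization_server": au,
                         "openid_credential_issuer": {"credential_issuer": eid}}}


if __name__ == "__main__":
    print("compliant:", validate_authorization_server_metadata(sample_entity_configuration()) == [])
    bad = sample_entity_configuration()  # weaken PKCE and drop the PAR endpoint
    bad["metadata"]["oauth_authorization_server"]["code_challenge_methods_supported"] = ["plain"]
    del bad["metadata"]["oauth_authorization_server"]["pushed_authorization_request_endpoint"]
    for err in validate_authorization_server_metadata(bad):
        print("-", err)
```

Run as a script, the module first reports the constructed sample as compliant and then lists the violations of a copy with PKCE downgraded to plain and the pushed_authorization_request_endpoint removed. The checks are deliberately presence- and value-oriented: they say nothing about whether the listed endpoints actually behave as advertised.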

Metadata for openid_credential_issuer

The openid_credential_issuer metadata MUST contain the following claims.

Claim

Description

credential_issuer

The PID/(Q)EAA Provider identifier. It MUST be a case sensitive URL using HTTPS scheme as defined in OpenID4VCI Sections 11.2.1 and 11.2.3.

credential_endpoint

URL of the credential endpoint. See OpenID4VCI Section 11.2.3.

revocation_endpoint

URL of the revocation endpoint. See RFC 8414#section-2.

status_attestation_endpoint

It MUST be an HTTPS URL indicating the endpoint where the Wallet Instances can request Status Attestations. See Section Credential Lifecycle for more details.

notification_endpoint

It MUST be an HTTPS URL indicating the notification endpoint. See Section 11.2.3 of [OpenID4VCI].

authorization_servers

OPTIONAL. Array of strings, each being the identifier of an OAuth 2.0 Authorization Server (as defined in [RFC 8414]) that the PID/(Q)EAA Provider relies on for authorization. If this parameter is omitted, the PID/(Q)EAA Provider itself acts as the Authorization Server, as described by its oauth_authorization_server metadata.

display

See OpenID4VCI Section 11.2.3. Array of objects containing display language properties. The parameters that MUST be included are:

  • name: String value of a display name for the PID/(Q)EAA Provider.

  • locale: String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 RFC 5646. There MUST be only one object for each language identifier.

credential_configurations_supported

JSON object describing the Credentials supported by the PID/(Q)EAA Provider. It is a set of name/value pairs, where each name uniquely identifies one supported Credential; this identifier tells the Wallet Instance which Credentials the PID/(Q)EAA Provider can issue. The value MUST contain the metadata for that Credential, as defined below. See OpenID4VCI Sections 11.2.3 and A.3.2.

  • format: String identifying the format of this Credential. The PID/(Q)EAA Provider MUST support the value "vc+sd-jwt". See OpenID4VCI Section A.3.1.

  • scope: JSON String identifying the supported scope value. The Wallet Instance MUST use this value in the Pushed Authorization Request. Scope values MUST be the entire set or a subset of the scope values in the scopes_supported parameter of the Authorization Server. [See OpenID4VCI Section 11.2.3].

  • cryptographic_binding_methods_supported: JSON Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. The PID/(Q)EAA Provider MUST support the value "jwk".

  • credential_signing_alg_values_supported: JSON Array of case sensitive strings identifying the algorithms the PID/(Q)EAA Provider supports for signing the issued Credential. See Section Cryptographic Algorithms for more details.

  • proof_types_supported: JSON object providing detailed information about the key proof(s) supported by the PID/(Q)EAA Provider. It consists of name/value pairs, where each name uniquely identifies a supported proof type. The PID/(Q)EAA Provider MUST support at least "jwt" as defined in OpenID4VCI Section 7.2. The value of each pair is a JSON object with metadata about that key proof; it MUST contain at least proof_signing_alg_values_supported, a JSON Array of case sensitive strings identifying the supported algorithms (see Section Cryptographic Algorithms for more details about the supported algorithms).

  • display: Array of objects containing display language properties. The parameters that MUST be included are:

    • name: String value of a display name for the Credential.

    • locale: String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 RFC 5646. There MUST be only one object for each language identifier.

  • vct: As defined in [SD-JWT-VC Credential Format].

  • claims: JSON object comprising a collection of name/value pairs, where each name represents a claim related to the subject described in the Credential. The value associated with each name MAY be either another nested object or an array of objects. To provide detailed information about the claim, the innermost value MUST contain at least the following parameters. See OpenID4VCI Section A.3.2.

    • value_type: String value determining the type of value of the claim. The PID/(Q)EAA Provider MUST support the values "string" and "boolean" (lowercase, as used in the example below).

    • display: Array of objects containing display language properties. The parameters that MUST be included are:

      • name: String value of a display name for the claim.

      • locale: String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 RFC 5646. There MUST be only one object for each language identifier.

jwks

JSON Web Key Set document, passed by value, containing the protocol specific keys for the Credential Issuer. See OID-FED Section 5.2.1 and JWK.
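As an added example, not code from the specification or from any reference implementation, the following Python checks an openid_credential_issuer metadata object against the rules above: required claims and HTTPS endpoints, one display object per locale, at least one vc+sd-jwt configuration, jwk binding, the jwt proof type with its algorithms, the scope subset rule against the Authorization Server's scopes_supported, and the recursive walk through nested claim objects and arrays down to the innermost value_type/display objects. The sample metadata is a constructed, reduced copy of the example further down the page with one nested claim added to exercise the recursion; names such as validate_credential_issuer_metadata are the example's own.

```python
# Added example: MUST-level checks for openid_credential_issuer metadata, including the walk
# through nested claims. The scope subset rule is checked against the scopes_supported list
# passed in (the provider's own AS values whenever authorization_servers is omitted).
from urllib.parse import urlsplit

CI_REQUIRED = ("credential_issuer", "credential_endpoint", "revocation_endpoint",
               "status_attestation_endpoint", "notification_endpoint", "display",
               "credential_configurations_supported", "jwks")
CONF_REQUIRED = ("format", "scope", "cryptographic_binding_methods_supported",
                 "credential_signing_alg_values_supported", "proof_types_supported",
                 "display", "vct", "claims")


def _https(url):
    p = urlsplit(url) if isinstance(url, str) else None
    return bool(p and p.scheme == "https" and p.netloc)


def _check_display(display, where, errors):
    seen = []  # each object carries name and locale, and no locale appears twice
    for obj in display if isinstance(display, list) else []:
        if not isinstance(obj, dict) or not {"name", "locale"}.issubset(obj):
            errors.append(f"{where}: display object without name/locale")
        elif obj["locale"] in seen:
            errors.append(f"{where}: duplicate display locale {obj['locale']}")
        else:
            seen.append(obj["locale"])
    if not seen:
        errors.append(f"{where}: display missing or empty")


def _check_claims(node, where, errors):
    """Recurse through nested objects and arrays; only innermost objects carry value_type."""
    if isinstance(node, list):
        for i, item in enumerate(node):
            _check_claims(item, f"{where}[{i}]", errors)
    elif isinstance(node, dict) and "value_type" not in node:
        for name, value in node.items():
            _check_claims(value, f"{where}.{name}", errors)
    elif isinstance(node, dict):
        if node["value_type"] not in ("string", "boolean"):
            errors.append(f"{where}: unsupported value_type {node['value_type']!r}")
        _check_display(node.get("display"), where, errors)
    else:
        errors.append(f"{where}: claim must be an object or an array of objects")


def validate_credential_issuer_metadata(ci, scopes_supported):
    errors = []  # empty list means every check passed
    for claim in CI_REQUIRED:
        if claim not in ci:
            errors.append(f"openid_credential_issuer: missing {claim}")
        elif claim in CI_REQUIRED[:5] and not _https(ci[claim]):
            errors.append(f"openid_credential_issuer: {claim} is not an https URL")
    _check_display(ci.get("display"), "openid_credential_issuer", errors)
    confs = ci.get("credential_configurations_supported", {})
    if "vc+sd-jwt" not in {c.get("format") for c in confs.values()}:
        errors.append("openid_credential_issuer: no configuration with format vc+sd-jwt")
    for cid, conf in confs.items():
        where = f"credential_configurations_supported.{cid}"
        errors += [f"{where}: missing {c}" for c in CONF_REQUIRED if c not in conf]
        if "jwk" not in conf.get("cryptographic_binding_methods_supported", []):
            errors.append(f"{where}: cryptographic_binding_methods_supported must list jwk")
        if not conf.get("proof_types_supported", {}).get("jwt", {}).get("proof_signing_alg_values_supported"):
            errors.append(f"{where}: proof type jwt with proof_signing_alg_values_supported is required")
        if conf.get("scope") not in scopes_supported:
            errors.append(f"{where}: scope {conf.get('scope')!r} is not in scopes_supported")
        _check_display(conf.get("display"), where, errors)
        _check_claims(conf.get("claims", {}), f"{where}.claims", errors)
    return errors


def _names(it, en):
    return [{"name": it, "locale": "it-IT"}, {"name": en, "locale": "en-US"}]


def sample_credential_issuer():
    """Constructed, reduced copy of the example on this page plus one nested claim."""
    eid = "https://eaa-provider.example.org"
    algs = ["ES256", "ES384", "ES512"]
    conf = {"format": "vc+sd-jwt", "scope": "EuropeanDisabilityCard", "vct": "EuropeanDisabilityCard",
            "cryptographic_binding_methods_supported": ["jwk"],
            "credential_signing_alg_values_supported": algs,
            "proof_types_supported": {"jwt": {"proof_signing_alg_values_supported": algs}},
            "display": _names("Carta della disabilità europea", "European Disability Card"),
            "claims": {"given_name": {"value_type": "string", "display": _names("Nome", "Name")},
                       "constant_attendance_allowance": {"value_type": "boolean", "display": _names(
                           "Diritto accompagnatore", "Constant attendance allowance")},
                       "place_of_birth": {"locality": {"value_type": "string",
                                                       "display": _names("Comune", "Locality")}}}}
    return {"credential_issuer": eid, "credential_endpoint": eid + "/credential",
            "revocation_endpoint": eid + "/revoke", "status_attestation_endpoint": eid + "/status",
            "notification_endpoint": eid + "/notification",
            "display": _names("EAA Provider", "EAA Provider"),
            "credential_configurations_supported": {"EuropeanDisabilityCard": conf},
            "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "example-key-1",
                               "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i_LTP2QRzMADk4",
                               "y": "qkMx5iqt5PhPu5tfctS6HsP-FmLgrxfrzUV2GwMQuh8"}]}}


if __name__ == "__main__":
    bad = sample_credential_issuer()
    conf = bad["credential_configurations_supported"]["EuropeanDisabilityCard"]
    conf["scope"] = "Diploma"  # not among the scopes the authorization server advertises
    conf["claims"]["place_of_birth"]["locality"]["value_type"] = "number"
    for err in validate_credential_issuer_metadata(bad, ["EuropeanDisabilityCard", "MDL"]):
        print("-", err)
```

Run directly, the script prints the two violations of a deliberately broken copy: a scope the Authorization Server does not advertise and an unsupported value_type on the nested place_of_birth.locality claim. The scopes_supported list is passed in rather than read from the object because, when authorization_servers is present, it comes from another entity's metadata.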

Metadata for wallet_relying_party

The wallet_relying_party metadata MUST contain the parameters as defined in Section Metadata for wallet_relying_party.

Example of a (Q)EAA Provider Entity Configuration

Below is a non-normative example of an Entity Configuration of a (Q)EAA Provider containing metadata for

  • federation_entity

  • oauth_authorization_server

  • openid_credential_issuer

  • wallet_relying_party

{
    "iat": 1718207217,
    "exp": 1749743216,
    "iss": "https://eaa-provider.example.org",
    "sub": "https://eaa-provider.example.org",
    "authority_hints": [
        "https://trust-anchor.example.org"
    ],
    "jwks": {
        "keys": [
            {
                "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
                "kty": "EC",
                "crv": "P-256",
                "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i_LTP2QRzMADk4",
                "y": "qkMx5iqt5PhPu5tfctS6HsP-FmLgrxfrzUV2GwMQuh8"
            }
        ]
    },
    "metadata": {
        "federation_entity": {
            "homepage_uri": "https://eaa-provider.example.org/",
            "organization_name": "Organization Name",
            "contacts": [
                "informazioni@example.it",
                "protocollo@pec.example.it"
            ],
            "tos_uri": "https://eaa-provider.example.org/public/info_policy.html",
            "policy_uri": "https://eaa-provider.example.org/public/privacy_policy.html",
            "logo_uri": "https://eaa-provider.example.org/public/logo.svg"
        },
        "oauth_authorization_server": {
            "issuer": "https://eaa-provider.example.org",
            "pushed_authorization_request_endpoint": "https://eaa-provider.example.org/as/par",
            "authorization_endpoint": "https://eaa-provider.example.org/authorize",
            "token_endpoint": "https://eaa-provider.example.org/token",
            "client_registration_types_supported": [
                "automatic"
            ],
            "code_challenge_methods_supported": [
                "S256"
            ],
            "acr_values_supported": [
                "https://www.spid.gov.it/SpidL2",
                "https://www.spid.gov.it/SpidL3"
            ],
            "scopes_supported": [
                "EuropeanDisabilityCard",
                "MDL"
            ],
            "response_modes_supported": [
                "form_post.jwt",
                "query"
            ],
            "authorization_signing_alg_values_supported": [
                "ES256",
                "ES384",
                "ES512"
            ],
            "grant_types_supported": [
                "authorization_code"
            ],
            "token_endpoint_auth_methods_supported": [
                "attest_jwt_client_auth"
            ],
            "token_endpoint_auth_signing_alg_values_supported": [
                "ES256",
                "ES384",
                "ES512"
            ],
            "request_object_signing_alg_values_supported": [
                "ES256",
                "ES384",
                "ES512"
            ],
            "jwks": {
                "keys": [
                    {
                        "kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
                        "kty": "EC",
                        "crv": "P-256",
                        "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i_LTP2QRzMADk4",
                        "y": "qkMx5iqt5PhPu5tfctS6HsP-FmLgrxfrzUV2GwMQuh8"
                    }
                ]
            }
        },
        "openid_credential_issuer": {
            "credential_issuer": "https://eaa-provider.example.org",
            "credential_endpoint": "https://eaa-provider.example.org/credential",
            "revocation_endpoint": "https://eaa-provider.example.org/revoke",
            "status_attestation_endpoint": "https://eaa-provider.example.org/status",
            "notification_endpoint": "https://eaa-provider.example.org/notification",
            "display": [
                {
                    "name": "EAA Provider",
                    "locale": "it-IT"
                },
                {
                    "name": "EAA Provider",
                    "locale": "en-US"
                }
            ],
            "credential_configurations_supported": {
                "EuropeanDisabilityCard": {
                    "format": "vc+sd-jwt",
                    "scope": "EuropeanDisabilityCard",
                    "cryptographic_binding_methods_supported": [
                        "jwk"
                    ],
                    "credential_signing_alg_values_supported": [
                        "ES256",
                        "ES384",
                        "ES512"
                    ],
                    "proof_types_supported": {
                        "jwt": {
                            "proof_signing_alg_values_supported": [
                                "ES256",
                                "ES384",
                                "ES512"
                            ]
                        }
                    },
                    "display": [
                        {
                            "name": "Carta della disabilità europea",
                            "locale": "it-IT"
                        },
                        {
                            "name": "European Disability Card",
                            "locale": "en-US"
                        }
                    ],
                    "vct": "EuropeanDisabilityCard",
                    "claims": {
                        "document_number": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Numero Documento",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Document Number",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "given_name": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Nome",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Name",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "family_name": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Cognome",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Family Name",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "birth_date": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Data di Nascita (YYYY-MM-GG)",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Date of Birth (YYYY-MM-DD)",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "tax_id_code": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Codice Fiscale",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Tax Id Number",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "expiry_date": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Data di Scadenza (YYYY-MM-GG)",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Expiration Date (YYYY-MM-DD)",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "constant_attendance_allowance": {
                            "value_type": "boolean",
                            "display": [
                                {
                                    "name": "Diritto accompagnatore",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Constant attendance allowance",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "portrait": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Foto codificata in base64",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Portrait base64 encoded",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "link_qr_code": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Link QR Code",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Link QR Code",
                                    "locale": "en-US"
                                }
                            ]
                        }
                    }
                },
                "MDL": {
                    "format": "vc+sd-jwt",
                    "scope": "MDL",
                    "cryptographic_binding_methods_supported": [
                        "jwk"
                    ],
                    "credential_signing_alg_values_supported": [
                        "ES256",
                        "ES384",
                        "ES512"
                    ],
                    "proof_types_supported": {
                        "jwt": {
                            "proof_signing_alg_values_supported": [
                                "ES256",
                                "ES384",
                                "ES512"
                            ]
                        }
                    },
                    "display": [
                        {
                            "name": "Patente di guida",
                            "locale": "it-IT"
                        },
                        {
                            "name": "Mobile Driver's License",
                            "locale": "en-US"
                        }
                    ],
                    "vct": "MDL",
                    "claims": {
                        "given_name": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Nome",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "First Name",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "family_name": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Cognome",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Family Name",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "birth_date": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Data di nascita (YYYY-MM-GG)",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Date of Birth (YYYY-MM-DD)",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "place_of_birth": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Luogo di Nascita",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Place of Birth",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "issue_date": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Data di rilascio (YYYY-MM-GG)",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Issue Date (YYYY-MM-DD)",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "expiry_date": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Data di scadenza (YYYY-MM-GG)",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Expiry Date (YYYY-MM-DD)",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "issuing_country": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Paese di rilascio",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Issuing Country",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "issuing_authority": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Autorità di rilascio",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Issuing Authority",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "document_number": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Numero di documento",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Document Number",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "portrait": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Foto codificata in base64",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Portrait base64 encoded",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "driving_privileges": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Elenco delle categorie di abilitazione separate da spazio",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Driving Privileges separated by space",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "restrictions_conditions": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Annotazioni/Restrizioni valide per tutte le categorie separate da spazio",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Restriction/Condition for all driving privileges separated by space",
                                    "locale": "en-US"
                                }
                            ]
                        },
                        "driving_privileges_details": {
                            "value_type": "string",
                            "display": [
                                {
                                    "name": "Dettagli delle categorie di abilitazione",
                                    "locale": "it-IT"
                                },
                                {
                                    "name": "Driving privilege details",
                                    "locale": "en-US"
                                }
                            ]
                        }
                    }
                }
            },
            "jwks": {
                "keys": [
                    {
                        "kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
                        "kty": "EC",
                        "crv": "P-256",
                        "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i_LTP2QRzMADk4",
                        "y": "qkMx5iqt5PhPu5tfctS6HsP-FmLgrxfrzUV2GwMQuh8"
                    }
                ]
            }
        },
        "wallet_relying_party": {
            "application_type": "web",
            "client_id": "https://eaa-provider.example.org",
            "client_name": "Organization Name",
            "contacts": [
                "informazioni@example.it",
                "protocollo@pec.example.it"
            ],
            "request_uris": [
                "https://eaa-provider.example.org/request_uri"
            ],
            "response_uris": [
                "https://eaa-provider.example.org/response_uri"
            ],
            "default_acr_values": [
                "https://www.spid.gov.it/SpidL2",
                "https://www.spid.gov.it/SpidL3"
            ],
            "request_object_signing_alg_values_supported": [
                "ES256",
                "ES384",
                "ES512"
            ],
            "authorization_signed_response_alg": [
                "ES256",
                "ES384",
                "ES512"
            ],
            "authorization_encrypted_response_alg": [
                "RSA-OAEP-256"
            ],
            "authorization_encrypted_response_enc": [
                "A128CBC-HS256",
                "A192CBC-HS384",
                "A256CBC-HS512",
                "A128GCM",
                "A192GCM",
                "A256GCM"
            ],
            "vp_formats": {
                "vc+sd-jwt": {
                    "sd-jwt_alg_values": [
                        "ES256",
                        "ES384",
                        "ES512"
                    ]
                }
            },
            "presentation_definitions_supported": [
                {
                    "id": "d76c51b7-ea90-49bb-8368-6b3d194fc131",
                    "input_descriptors": [
                        {
                            "id": "PersonIdentificationData",
                            "format": {
                                "vc+sd-jwt": {
                                    "alg": [
                                        "ES256",
                                        "ES384",
                                        "ES512"
                                    ]
                                }
                            },
                            "constraints": {
                                "limit_disclosure": "required",
                                "fields": [
                                    {
                                        "filter": {
                                            "const": "PersonIdentificationData",
                                            "type": "string"
                                        },
                                        "path": [
                                            "$.vct"
                                        ]
                                    },
                                    {
                                        "filter": {
                                            "type": "object"
                                        },
                                        "path": [
                                            "$.cnf.jwk"
                                        ]
                                    },
                                    {
                                        "path": [
                                            "$.unique_id"
                                        ]
                                    },
                                    {
                                        "path": [
                                            "$.tax_id_code"
                                        ]
                                    }
                                ]
                            }
                        },
                        {
                            "id": "WalletAttestation",
                            "format": {
                                "jwt": {
                                    "alg": [
                                        "ES256",
                                        "ES384",
                                        "ES512"
                                    ]
                                }
                            },
                            "constraints": {
                                "limit_disclosure": "required",
                                "fields": [
                                    {
                                        "filter": {
                                            "type": "string"
                                        },
                                        "path": [
                                            "$.iss"
                                        ]
                                    },
                                    {
                                        "filter": {
                                            "type": "object"
                                        },
                                        "path": [
                                            "$.cnf.jwk"
                                        ]
                                    }
                                ]
                            }
                        }
                    ]
                }
            ],
            "jwks": {
                "keys": [
                    {
                        "kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
                        "kty": "EC",
                        "crv": "P-256",
                        "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i_LTP2QRzMADk4",
                        "y": "qkMx5iqt5PhPu5tfctS6HsP-FmLgrxfrzUV2GwMQuh8"
                    }
                ]
            }
        }
    }
}