PID-Provider

Release notes

1.19.0

• Stores personal eID data as encrypted and signed JWT
• Improves internal handling of blocked eIDs

1.18.0

• Adds /health endpoint for external health check
• Adjusts values for source_document_type in PID
• Removes age_in_years and age_birth_year from PID

1.17.1

• Sets ValidityInfo attributes validFrom and signed in MSO-mDoc to same value

1.17.0

• Adjusts vct value for SD-JWT
• Rounds timestamps for iat and exp in SD-JWT
• Rounds timestamps for ValidityInfo attributes validFrom and validUntil in MSO-mDoc

1.16.1

• Adds missing parameters client_attestation_signing_alg_values_supported and client_attestation_pop_signing_alg_values_supported for client attestation to the OAuth authorization server metadata
• Fixes intermittent "Invalid code verifier" errors in PKCE verification

1.16.0

• Removes validation of the iss claim in the Client Attestation JWT
• Adds Cache-Control and Pragma headers to authorization server responses

1.15.0

• Changes URLs and certificates for root and issuance
• Adjusts birth_place and nationality in PID according to PID-Rulebook 1.3
• Removes trust anchor from SD-JWT VC and MSO mdoc certificate chain in header

1.14.3

• Removes undefined parameters vct and doctype from credential request body
• Fixes structure of credentials in credential response
• Changes the key attestation validation to comparison of JWK thumbprint instead of whole JWK

1.14.1

• Removes the check whether Client Attestation key and DPoP key are the same

1.14.0

• Makes DPoP key-attestation optional
• Adds the server identity to the authorization request
• Renders mDoc birth_date as DATE data type
• Increases length of random secure string to 44 for AuthorizationCode, AccessToken, Redirect Uri, DPoPNonce, CNonce and IssuerState

1.13.0

• Fixes faulty check if expiration time claim in the client attestation JWT is too far in the future
• Removes check for expiration time claim in the client attestation PoP JWT

1.12.0

• Adds a restriction to ensure that number of attested keys does not exceed the maximum batch size
• Fixes the metadata response for jwt accept header

1.11.0

• Supports longer-lived key attestations for DPoP
• Provides signed issuer metadata
• Introduces the source_document_type field to the PID
• Renames the key attestation type to key-attestation+jwt
• Adds a credential error response: unknown_credential_configuration
• Includes examples of eID requests and responses in the documentation
• Updates issuer certificate used to sign the credentials in the documentation

1.10.0

• Adds rejection for eIDs without full birthdate
• Fixes serialization of attested keys as JSON object
• Restructures the api-documentation to improve the navigation

1.9.0

• Adds Key Attestation validation for DPoP JWTs at the token endpoint
• Adjusts metadata for client authentication method
• Removes flow-variant (c1) from paths and metadata
• Includes release dates in the release notes

1.8.0

• Removes all flows except C'
• Sets DE as default nationality if it's not present in eID-data
• Adds support for Key Attestation as proof type
• Updates Wallet Attestation to use OAuth-Client-Attestation and OAuth-Client-Attestation-PoP headers and removes support for client_assertion request parameter
• Adds decoy elements in nationalities for SD-JWT
• Makes SD-JWT credential object claims selectively disclosable

1.7.0

• Changes credential format identifier from vc+sd-jwt to dc+sd-jwt
• Adds an option to use credential_configuration_id in the credential request
• Adds nonce endpoint and removes c_nonce and c_nonce_expires from credential and token responses
• Adds wallet attestations as defined in annex E of OpenID4VCI (draft 15), but still using client_assertion and client_assertion_type request parameters
• Enables non-breaking extensibility for PAR, token requests and credential requests (fixes #375)
• Changes credential response to always return an array

1.6.0

• Provides batch_credential_issuance.batch_size information in Credential Issuer Metadata
• Publishes Verifiable Credential Type metadata under /credentials/pid/1.0 and adapts vct claim in SD-JWT format PIDs accordingly
• Implements basic PID revocation on user request:
  • Provides a revocation web app via /revocation
  • Provides a status list service according to Token Status List (draft-ietf-oauth-status-list-05) via /status
  • Integrates revocation status retrieval information according to Token Status List (draft-ietf-oauth-status-list-05) into PIDs in both, SD-JWT and MSO mdoc formats

1.5.0

• Adapts flow variant B' according to Architecture Proposal for the German eIDAS Implementation – Release V2.2:
  • Accept grant type urn:ietf:params:oauth:grant-type:seed_credential for token request
  • Issue seed credential and initialize PIN retry counter on credential instead of finish authorization request
  • Expect and verify PIN and device key signed nonces as JWTs for seed and final credential issuance
  • Rename nonce to session endpoint and provide its URL in credential issuer metadata
• Adapts both, flow variant B and flow variant B' according to Architecture Proposal for the German eIDAS Implementation – Release V2.2:
  • Use credential format mso_mdoc_authenticated_channel for authenticated channel flows
  • Pass in relying party's ephemeral public key through JSON attribute verifier_pub in credential request

1.4.0

• Adds flow variant B' with PIN management.
• Adds flow variant C''.
• Disables client attestation for all flow variants, except flow variant B'.

1.3.0

• Adds flow variant B' with seed credential, but still without PIN management.

1.2.0

• Adds flow variant B with HMAC authenticated SD-JWT and MSO mdoc credentials.

1.1.0

• Adds flow variant C' with seed credential.
• Adds batch issuance on credential endpoint to flow variant C and C'.
• Disables client attestation for flow variant C.
• Requires DPOP for flow variants C and C'.
• Supports credential format MSO mdoc for flow variants C and C'.

1.0.0

• Published Increment 1 of the PID Issuer for SPRIND Funke EUDI Wallet Prototype.
• A detailed feature description can be found on the flow variant and the credential format pages.