Applying metadata policies to SIOPV2 federations

[patatoid]

In my understanding, siopv2 enables to create federations of self-issued OpenID providers to federate wallets with a base OAuth client. This assumption come from the the idea behind "login with" buttons where the federated server has to be registered to the authorization server through an OAuth client. An id_token can act as a client_id forming the same idea of federation. It helps to have a known public client at each step for the oid4vc flows.

Metadata policies from OpenID federation help to have restrictions on the issued tokens given a trust chain that can be verified against those policies. Using siopv2 to have a known client_id help forming similar provider chains which can also be verified given the client_ids and their provider policies.

It would act as access delegation compared to a verification of the the proof / vp_token against the siopv2 given client_id that would be performed to ensure it matches the credential owner or the verifiable presentation.

This require the addition of a metadata_policy (or so) parameter to siopv2 responses along the given id_token. This help to have both the key and its later use restrictions. Do you think it can be a valuable addition to the specification?

---

[patatoid]

Here is a working version of what I am speaking about (it requires custom configuration):

• the core - [PoC] SIOP provider policies malach-it/boruta_auth#41
• the application layer - [PoC] SIOP provider policies malach-it/boruta-server#98

It helps to send along with the id_token metadata policies that enables for instance to restrict an issuance proof (or presentation vp_token) authorized signatures according to the policy given dids.