OAuth2 Flows and Wallets

Nuts supports a custom OAuth2 flows for acquiring an access token: the service-to-service flow.

Service-to-Service flow

Credentials that are presented during this flow are subject to legal organizations (e.g. registered care organizations).

This flow uses a custom grant type called vp_token-bearer. Presentation requests always and only target organization wallets. User claims can be passed as tokens. If and how the user claims correspond to the organization attestations is done by the authorization step.

The flow is secured with DPoP (optional). See "Security controls" for a detailed description.

Security controls

The following security controls are used by the OAuth2 flows:

VP-Secured Authorization Request (Nuts RFC021) provides integrity protection and authenticity for the request.
Demonstrating Proof of Possession (DPoP, RFC9449) provides authenticity of the client using the access token. This mitigates a MITM stealing access tokens. Usage is optional, to be enabled by the client.

OAuth2 Scopes and Presentation Definition Mapping

AuthN using Verifiable Credentials

Credential Trust

OAuth2 Flows and Wallets

Access Policy (TODO)

OAuth2 Flows and Wallets

Service-to-Service flow

Security controls

No Comments