October 10, 2019
Using OpenID Connect Self-Issued to Achieve DID Auth

OpenID logoMy co-authors and I recently competed the paper Using OpenID Connect Self-Issued to Achieve DID Auth, which was created as a result of discussions at the eighth Rebooting the Web of Trust workshop. The paper’s abstract is:

Proving control of a DID requires proving ownership of a private key corresponding to a public key for the DID. Of course, this could be done with a new DID-specific protocol. However, standard protocols for proving ownership of a public/private key pair already exist.

This paper describes how to reuse the Self-Issued OpenID Connect (SIOP) specification and related protocol messages to prove control of a DID. It describes both why and how to do this. Related topics, such as release of claims, are also touched upon.

Several people came to the workshop wanting to explore how to use the OpenID Connect Self-Issued OpenID Provider functionality to prove control of a Decentralized Identifier (DID), including myself. The paper describes the approach being taken by a number of groups using DIDs, including Microsoft. The paper’s publication is timely, as the W3C DID Working Group has just formed to create a DID standard. Microsoft is an active member of the working group.

Special thanks to Dmitri Zagidulin for getting the paper over the finish line!

One Response to “Using OpenID Connect Self-Issued to Achieve DID Auth”

  1. Travis Spencer on 01 Mar 2020 at 3:46 am #

    This is a fantastic paper, Mike. Thanks for writing and sharing it. Question though about the authorization request. I assume the duplication of response_type, scope, and client_id; the omission of the request object on the query string; and the differing client ID in the example request object are typos. Is that right? Would the authorization request look something like this?


    where the request object is JWT decoded to this:

    “alg”: “ES256K”,
    “typ”: “JWT”,
    “kid”: “did:example:0xab#veri-key1”
    “iss”: “did:example:0xab”,
    “response_type”: “id_token”,
    “client_id”: “https://rp.example.com/cb”,
    “scope”: “openid did_authn”,
    “nonce”: “n-0S6_WzA2Mj”,
    “registration” : {
    “request_object_signing_alg” : “ES256K”,
    “jwks_uri” : “did:example:0xab”,
    “id_token_signed_response_alg” : [ “ES256K”, “Ed25519”, “RS256” ],

    In any event, thanks again!

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.