v0.6.0 (dev)

Upgrading

  • The neither value for session_type_return_url in the verification server configuration is no longer supported; use same_device (the default) with a return_url_template instead.

  • The pid_issuance section of the Wallet configuration has been paired down as follows:

    • The pid_issuer_url field is now just called url.

    • The value at the digid/client_id path has been moved to client_id.

    • The object contained in digid_http_config has been removed.

  • The pid_issuer configuration has had its digid.http_config section renamed to digid.client_settings. Within this section, the base_url field has been renamed to oidc_identifier, which contains the same value.

  • The supported client identifier prefix (in the context of OpenID4VP, so a “client” here is a relying-party, a verifier) has changed from x509_san_dns to x509_hash. That means our wallet app expects x509_hash client ids. In our issuer server, the client_id field, which is part of a usecase needs to be updated (in our code that means the demo_issuer). For example:

    "client_id": "x509_hash:YYIN_SgqjFj2044q1fpvpa0rxqrXEG0U1xdm2Hw_ohM",

    The value of x509_hash is the base64url-encoded value of the SHA-256 hash of the DER-encoded X.509 certificate.

New features

  • The Wallet Provider will now block recovery codes during PIN recovery or PID renewal when the newly disclosed recovery code does not match with stored recovery code. This is suspicious because it is already checked by the NL Wallet app as well.

  • Users can delete non-PID cards from their wallet, via the card detail screen.

  • When a card is deleted, the wallet now stores this in its history.

  • Allow incoming BLE connection through ‘Present QR’ screen. The BLE server is now started when this screen is displayed and a remote verifier can connect to trigger navigation to the disclosure flow.

  • Parse the ISO 18013-5 “close proximity” DeviceRequest and present it in the disclosure screen so the user can share the specified credentials.

  • If the RP’s DCQL request contains a Trusted Authorities Query of type Authority Key Identifier, both the verification_server and the wallet will now respect this, allowing the RP to request attestations signed by specific issuer keys.

Interoperability improvements

  • The verification server now enforces HAIP 1.0 compliance for same-device flows: a redirect_uri is always returned to the wallet after a successful disclosure. See the Upgrading section for the required configuration change.

  • Sections of both the wallet and issuer code have been updated to be compliant with OpenID4VCI 1.0:

    • The issuer now provides a nonce endpoint, which replaces the c_nonce value in the TokenResponse.

    • The PID issuance flow has been changed to use the Authorization Code flow, instead of a hybrid implementation of the Authorization Code and Pre-authorized Code flow.