2024 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS)
A Middleware Architecture for Self-Sovereign
2024 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS) | 979-8-3503-6295-4/24/$31.00 ©2024 IEEE | DOI: 10.1109/DAPPS61106.2024.00019
Identity Authentication and Authorization
Felix Hoops
Department of Computer Science
Technical University of Munich
Munich, Germany
[email protected]
[email protected]
Abstract—In the evolving digital identity landscape, the con-
cept of Self-Sovereign Identity (SSI) has emerged as a paradigm
shift, empowering individuals with the ownership and control of
their personal information. This paper introduces a middleware
architecture that leverages the principles of SSI, enabling applica-
tion clients to authenticate and authorize users holding Verifiable
Credentials via the OpenID Connect protocol. This architecture
simplifies adoption for new and existing service providers by
letting them build on established standards with proven tools.
To further simplify configuration, we introduce a tailored login
policy language based on JSON. We validate our architecture by
implementing it and testing it with different services.
Index Terms—Self-Sovereign Identity, Identity and Access
Management, Verifiable Credentials, OpenID Connect, OAuth
I. I NTRODUCTION
The Internet, as we know it today, is dominated by a few
large identity providers (IdPs) that offer single-sign-on (SSO)
services. These IdPs have become the gatekeepers of user
identities, controlling access to numerous online services and
applications. This centralized approach to identity manage-
ment presents several challenges, including privacy concerns,
lack of control over personal data, and the risk of effectively
being a single point of failure for large parts of the Internet.
In response to these challenges, the concept of Self-
Sovereign Identity (SSI) [1] has emerged. SSI is a paradigm
shift in identity management that empowers individuals to
own and control their digital identities. Instead of relying on
centralized identity providers, users can create, manage, and
use their digital identities independently, enhancing privacy
and security. Actors in SSI are identified by cryptographic
key material, and a user’s attributes are attested to and signed
by IdPs, now also known as issuers, in the form of Verifiable
Credentials (VCs).
A drastic change in identity management paradigm poses
significant challenges to IdPs and service providers. The latter
group is considerably larger. For instance, a limited number of
universities issue diplomas. At the same time, comparatively,
many third parties, such as corporate HR departments, rely on
these diplomas as just one part of their business processes.
While identity management is the core business of an IdP,
service providers have limited resources to devote to that. Yet,
transitioning to SSI requires substantial changes in how these
979-8-3503-6295-4/24/$31.00 ©2024 IEEE
DOI 10.1109/DAPPS61106.2024.00019
Authorized licensed use limited to: BRAC UNIVERSITY. Downloaded on April 08,2025 at 19:38:05 UTC from IEEE Xplore. Restrictions apply.
Florian Matthes
Department of Computer Science
Technical University of Munich
Munich, Germany
existing services authenticate and authorize users. Simultane-
ously, the complexity barrier for building new services is also
rising when building for SSI compared to traditional identity
management systems.
As a first step, we provide an overview of existing work
on SSI middleware for service providers, also known as
relying parties (RPs). We then contribute a new middleware
architecture that enables application clients to authenticate
and authorize users who hold VCs via the OpenID Connect
(OIDC) [2] protocol. In contrast to existing work, our contri-
bution is lean and fully configurable by just one single policy,
and we also present a detailed reference of this integration on
a protocol level. To evaluate our design, we implemented it
and published it as open-source software1 . We also describe
the initial testing done to validate our implementation.
II. BACKGROUND
In this section, we provide an overview of the concept
of Self-Sovereign Identity, introduce OpenID Connect with
an emphasis on the core standard, and finally explore the
newest additions to OpenID Connect that go beyond the
core specification to provide some support for Self-Sovereign
Identity.
A. Self-Sovereign Identity
SSI is a decentralized identity management paradigm that
aims to return a higher degree of privacy and control to
individual end-users [1] by letting them hold their own user
data. As of writing, SSI has gained momentum in research and
policy communities, but large-scale adoption is yet to come.
Key to the technical implementation of SSI are the W3C
Verifiable Credential (VC) [3] and W3C Decentralized Iden-
tifier (DID) [4] standards. The VC standard defines a format
for expressing claims, enabling the creation of digitally signed
statements about subjects such as individuals, organizations, or
machines. These credentials can be cryptographically verified.
Complementing VCs, the W3C DID standard establishes a
pattern for creating and managing globally unique decen-
tralized identifiers that represent the subjects and issuers of
VCs. The actual implementation is up to each specific DID
1 https://github.com/GAIA-X4PLC-AAD/ssi-to-oidc-bridge
79
method, allowing for great flexibility. Usually, these work
by leveraging asymmetric encryption keys, similar to how
blockchain accounts work.
For end-users, the entry into any SSI ecosystem likely
begins with a smartphone wallet application. SSI wallets are
comparable to crypto wallets in that they store private key
material. However, their keys represent DIDs. In addition, SSI
wallets also provide means to store VCs, display VCs, and
implement protocols to present and receive VCs.
Presenting a VC happens in the form of a Verifiable Presen-
tation (VP) that contains at least one VC and a challenge and
is signed by the holder to prevent replay attacks. A relying
party (RP) can cryptographically verify the VP and its VC(s)
without interacting with the issuer. If designated in a VC, the
issuer will also query a status list to ensure the VC is not
revoked.
B. OpenID Connect
OpenID Connect (OIDC) [2] is an open standard designed
for secure user authentication and authorization. It is built on
top of the OAuth 2.0 [5] authorization framework, providing
an additional layer of identity verification. OIDC facilitates the
exchange of user information between the identity provider
(IdP) and the relying party (RP) in a secure and standardized
manner. The OIDC protocol introduces a set of standardized
identity flows adapted from OAuth 2.0, such as the Autho-
rization Code Flow, Implicit Flow, and Hybrid Flow, allowing
clients operated by an RP to request and obtain identity
information about users. To limit what information a client
gets, OpenID Connect defines a set of scopes that determine
the user attributes transmitted to the client during the sign-
in process. Ultimately, the client ends up receiving tokens. An
id_token is used for identity data, such as an email address.
An access_token encodes information relevant to access
control, such as membership in a user group.
One of the strengths of OpenID Connect is its ability to
support single sign-on (SSO) scenarios, enabling users to log
in once and access multiple services without the need for
separate authentications.
C. OpenID for Verifiable Credentials
Recently, OpenID Connect has been expanded by OpenID
for Verifiable Credentials (OID4VC) [6]. Originally, OID4VC
was a family of three specifications:
OpenID for Verifiable Credential Issuance (OID4VCI)
defines an API for VC issuance from a server to a wallet.
It essentially covers the download of a signed credential.
OpenID for Verifiable Presentations (OID4VP) specifies
how a wallet can present a VP to a server based on an
OAuth 2.0 flow [7].
Self-Issued OpenID Provider v2 (SIOPv2) enables SSI
wallets to act as OIDC Providers [8].
Since then, more have been added2 , but considering our
focus on sign-ins, OID4VP and SIOPv2 are the relevant
2 https://openid.net/sg/openid4vc/specifications/
80
Authorized licensed use limited to: BRAC UNIVERSITY. Downloaded on April 08,2025 at 19:38:05 UTC from IEEE Xplore. Restrictions apply.
specifications of that family. They can be combined to create
a standardized way for smartphone wallets to authenticate and
authorize a user with claims from VCs.
III. R ELATED W ORK
With the field of Self-Sovereign Identity (SSI) having
enjoyed steady attention from researchers in the past years,
several authors have contributed work related to the topic of
integrating SSI into established identity and access manage-
ment (IAM) systems. These contributions roughly fit into three
categories. We start by mentioning surveys about integrations
of SSI into existing IAMs, then go over noteworthy integra-
tions with OIDC, and finally, integrations with other IAMs.
A survey by Kuperberg et al. [9] looking at SSI integrations
for established IAM protocols identifies only seven relevant
candidates. Most are commercial, and only two are available
as open-source software. They note a need for code examples
and an explanation of implementation specifics.
In another survey, Grüner et al. [10] formalize and compare
different interoperability concepts for SSI. They are unable to
clearly identify a superior concept. Also focused on interoper-
ability, Yildiz et al. [11] once more emphasize the need for true
interoperability in SSI and describe it as a key requirement for
further adoption. They introduce an SSI reference model that
structures SSI components and functionalities into different
layers. They also point out where specific protocols and
standards could be applied on these layers, including OIDC
technology standards.
A general survey of the state of SSI from 2022 by
Schardong et al. [12] notes that protocol integration into
established IAMs is vital to pave the adoption for SSI. The
authors provide a comprehensive list of existing efforts.
Grüner et al. introduced a system facilitating IAM between
the old SSI ecosystems of Jolocom and uPort, as well as
the still-existent Hyperledger Aries, and the established IAMs
OIDC and SAML2 over the course of two works [13], [14].
The presented system works as a two-way integration and
consequently assumes the role of issuer and relying party
simultaneously. An elaborate trust model, combined with
attribute mapping support, enables forwarding claims under
unified names while marking untrusted claims by renaming
them further. The most significant issue with this architecture
lies in its complexity and the considerable work needed to
integrate new blockchain-based SSI ecosystems.
Lux et al. [15] propose an integration architecture that
allows OIDC sign-in via SSI based on a blockchain public
key infrastructure. Namely, they are looking at Sovrin, which
uses Hyperledger Indy. In their implementation, they write
attributes to the OIDC id_token to avoid reliance on non-
default OIDC features. Unfortunately, the solution is exclusive
to Hyperledger Indy.
At least two open-source solutions without academic contri-
bution exist. The first one is the Province of British Columbia’s
Verifiable Credential Authentication with OpenID Connect
(VC-AuthN OIDC)3 . It supports a cross-device flow where the
3 https://github.com/bcgov/vc-authn-oidc
wallet interfaces via DIDComm and uses custom presentation
requests. Information from presented credentials is mapped
into the OIDC id_token. Unfortunately, the implementation
seems to be mostly, if not only, compatible with their BC
Mobile Wallet, and the trust model is unclear.
IdP Kit4 from walt.id is another open-source effort and
looks promising. From what the documentation5 shows, the
project focuses on OIDC compliance and additionally offers
sign-in based on Non-Fungible-Token possession. The most
significant downsides seem to lie in the lack of detail regarding
wallet interaction implementation and the amount of required
configuration. However, public deployments were unavailable,
and recent builds failed, as the documentation also acknowl-
edged.
Moving on to other IAMs, Hong et al. [16] develop an
architecture that allows sign-in through OAuth 2.0, also used
in OIDC. It is heavily blockchain-focused and requires one
identification smart contract to be deployed per user. This is
likely too complex for the average user in the near future and
leaves the question of who will pay user registration costs.
Since then, the standardization of DIDs has offered more
usable options for mass adoption.
Yildiz et al. [17] present an architecture making SSI creden-
tials available for SAML sign-in. The implementation relies on
Hyperledger Indy and Aries. It supports a cross-device flow
via DIDcomm. That means that the architecture’s SSI-facing
interface is locked into Hyperledger Indy.
IV. M IDDLEWARE A RCHITECTURE
Our proposed middleware design negotiates authentication
and authorization between an SSI ecosystem and an OIDC
client. Beyond the scope of an individual sign-in process,
our design is stateless, simplifying maintenance and migration
operations. We introduce a one-file configuration to avoid
the common pitfall of overloading administrators with all the
combined complexity of the middleware interfaces.
A. Deployment Considerations
The design of the middleware is heavily influenced by its
intended deployment model. Acting as an OIDC Provider
to service clients, the middleware has full authority over
transmitted user information with no accountability. Thus, the
only feasible deployment option is for every service provider
to deploy one themselves. Prior work has also reached this
conclusion [10]. Consequently, our architecture is designed to
support one sign-in configuration, represented by one login
policy.
B. Components
The middleware architecture we propose is made up of five
subcomponents that are depicted in Figure 1. Each component
is a tightly coupled unit of functionality and could likely be its
own library. However, actual implementation choices are up
to the individual implementor as long as external interfaces
4 https://github.com/walt-id/waltid-idpkit
5 https://docs.walt.id/v/idpkit/getting-started/quick-start
81
Authorized licensed use limited to: BRAC UNIVERSITY. Downloaded on April 08,2025 at 19:38:05 UTC from IEEE Xplore. Restrictions apply.
are strictly followed. In the following, we will look at each
component separately:
1) OpenID Connect Provider: An OpenID Connect
Provider (OIDC Provider) is a service or software component
that implements the OIDC protocol to enable secure and
standardized user authentication and authorization. In our ar-
chitecture, it is the interface for OIDC clients. At a minimum,
it should support the common OAuth2.0 Authorization Code
flow [5]. The more robust and fully compliant this OIDC
Provider is, the better the interoperability with existing OIDC
clients. Since the service provider operates the middleware,
we do not use scopes beyond the default openid scope. We
also do not need the OIDC consent phase because a Verifiable
Presentation (VP) already ensures consent.
2) Relying Party Service: The Relying Party Service ad-
heres to OID4VP with SIOPv2 to request and receive a VP
from a wallet. OID4VP dictates that a presentation definition
from the DIF Presentation Exchange (PEX) [18] specification
is used to inform the wallet how many credentials with what
claims are expected. This is not critical for security in our
system, but it is necessary to improve the user experience
because wallets will usually pre-select suitable credentials
based on the presentation definition.
3) Presentation Definition Generator: The Presentation
Definition Generator creates a presentation definition based
on a login policy. The policy specifies one or more credentials
it expects. For each expected credential, at least one pattern
defines expected claims and trusted issuer. All patterns from
the policy are turned into input descriptors requesting the pres-
ence of the claim without specifying filters. The Submission
Requirement Feature [18] is used to properly translate that
only one of the patterns from each expected credential needs
to be fulfilled. A custom array of input descriptors may be
supplied if a service provider requires more control, overriding
the Presentation Definition Generator.
4) Verifiable Credential Verifier: The Verifiable Credential
Verifier’s job is the cryptographic and structural verification
of W3C VCs and VPs according to specification. In addition
to that, revocation following the W3C’s StatusList2021 [19]
proposal should be supported. The status list server is optional
and operated by the respective issuer that wishes to support
revocation. DID resolution must be added as needed. Should
a universal DID resolver emerge, it is trivial to incorporate it
here. This whole Verifiable Credential Verifier is a standard
component that can be realized by any of the existing open-
source libraries in the SSI space.
5) Policy Service: To ensure that presented credentials con-
tain the required claims and are issued by trusted issuers, the
Policy Service evaluates a VP with respect to the login policy.
To be accepted, each VC in a submitted VP must be matched
to precisely one of the expected credentials in the login policy.
Additionally, this service also extracts and transforms claim
data. Claims from the VP a user presents must be made
available via OIDC in a way that is readable by current OIDC
clients. The new vp_token defined in OID4VP [7] could
be used, but it is infeasible to rely on the quick adoption of
 Fig. 1. A component diagram of our proposed middleware and its interfaces.
1 openid-vc://
2 ?client_id=<MIDDLEWARE_DID>
3 ?request_uri=<BACKEND_URL>/api/presentCredential
4 %3Flogin_id=<CHALLENGE>
Listing 1: QR code contents for starting a credential exchange
process with a wallet via SIOPv2 and OID4VP.
a draft specification that will likely never be supported by
many legacy systems depending on OIDC when we design
for interoperability. Thus, claims need to be transferred into
the established id_token and access_token [2] to work
with all OIDC clients.
C. Protocol Integration
One big challenge in engineering our middleware lies in the
specifics of the cross-device sign-in flow. As an example, we
will now examine our adaption of perhaps the most common
OAuth 2.0 flow: the authorization code flow [5]. Our protocol
flow can be seen in Figure 2. While not mandatory to our
architecture, we assume the use of an existing OIDC Provider
implementation, which is preferable for stability. We have
slightly simplified some parts while keeping the depiction
close to the technical reality. For example, we have omitted
responses for data store interactions.
At the start of the depicted flow, the user is assumed to
have opened a service website hosted by the OIDC client web
server in their browser. When requesting to sign in, the user
is redirected to our login page. It features a QR code that
contains the necessary information to involve the smartphone
wallet in the flow, which is depicted in Listing 1.
The request_uri tells the wallet where to fetch a pre-
sentation request. Notably, we add a custom query parameter
called login_id to use as a challenge for the following
presentation exchange and to allow the Relying Party Service
(RPS) backend to know which browser and wallet are involved
in the same sign-in procedure. When the wallet asks for a
presentation request in step 9, it also automatically provides
82
Authorized licensed use limited to: BRAC UNIVERSITY. Downloaded on April 08,2025 at 19:38:05 UTC from IEEE Xplore. Restrictions apply.
the RPS with the login_id. It is used as the VP challenge
during the following standardized Presentation Exchange flow.
After step 17, the RPS has received a VP. Following
successful processing, it uses the challenge from that VP
to confirm the authentication and authorization to the OIDC
provider. The subject is identified by its DID. Additionally, all
processed claims from the VP are written to the data store to
be accessible during the next phase.
At this point, the active role in the sign-in process needs to
be handed back to the browser. To do so, the RPS has written
the redirect_uri for the browser to its data store. Using
the challenge, the browser periodically requests the redirect to
see if the VP submission has happened yet. When it succeeds,
it executes the redirect in step 29.
Now, the consent phase of the authorization code flow will
take place, but as we do not need to ask for consent a second
time, the RPS will automatically complete it. Using the new
consent_challenge, the RPS can request metadata on
this consent process from the OIDC provider in step 31. Most
importantly, that includes the subject DID, which is used to
retrieve the processed claims that were previously written to
the data store in step 23. Then, the RPS confirms the user’s
consent to the OIDC provider and sends the claim data for
tokens in step 34.
Finally, the sign-in procedure concludes as usual for an
authorization code flow from step 35 and on. The only
noteworthy exception is that the middleware never provides
a refresh_token because it must not depend on caching
critical identity data and should remain stateless in the larger
context.
D. Login Policy Definition
A login policy is our central configuration format for the
entire middleware. For illustration purposes, a simple example
policy is depicted in Listing 2. It is a JSON array of objects
that describe an expected VC each and are indexed by a
credentialId. Our example expects exactly one VC. Since
 Fig. 2. An only slightly simplified sign-in procedure with our middleware using the authorization code flow. At the start of the presented sequence, we
assume that the user has accessed the web page provided by the OIDC client. Names of variables and endpoints have been chosen to be descriptive.

a service may want to accept VCs of different types from dif-
ferent issuers that still contain the same relevant information,
each expected VC is characterized by a list of patterns. Once
again, our simple example only has one pattern.
Each pattern lists claims identified by JSONPaths following
the Presentation Exchange specification [18], which must
begin from the root element. A VC matches a pattern if and
only if the issuer matches and all required claims are present.
By default, every claim is assumed to be required. Because
existing services incorporating an OIDC client likely depend
on standard OIDC claim names, transferring claims might not
be sufficient, leading us to support renaming. This is also
necessary if two trusted issuers use different claim names
for the same piece of information, which should be unified
for the downstream service. Every claim has a claimPath,
which is a JSONPath. Optionally, newPath provides a new
JSONPath for the claim value inside the corresponding OIDC
token. It defaults to the last element of the claimPath and, if
explicitly specified, must always point to exactly one location.
The target token is specified using the token property, which
defaults to the access_token if not present. In the case that
a claimPath points to more than one value, a newPath is
required. All claims in the original path are aggregated as a
JSON object and indexed only by their ultimate JSONPath

83

Authorized licensed use limited to: BRAC UNIVERSITY. Downloaded on April 08,2025 at 19:38:05 UTC from IEEE Xplore. Restrictions apply.
1 [{
2 "credentialId": "email_vc",
3 "patterns": [{
4 "issuer": "did:web:emailvalidator.example.com",
5 "claims": [{
6 "claimPath": "$.credentialSubject.email",
7 "token": "id_token"
8 }],
9 "constraint": {
10 "op": "equalsDID",
11 "a": "$VP.proof.verificationMethod",
12 "b": "$.credentialSubject.id"
13 }
14 }]
15 }]
Listing 2: An example login policy that expects one VC,
which is certifying the subject’s email address. The constraint
enforces a simple holder binding.
element. That object is written to the newPath.
A constraint may be defined for each pattern to provide
conditions under which a VP is accepted that go beyond a
normal VP verification. We define a constraint as a JSON ob-
ject containing an operator code op and usually two operands.
Every constraint can only return a boolean. That makes the
constraints easily extensible should the need arise in the future.
The expressiveness of the constraint definition is ensured via
the logical operators and, or, and not, which allow complex
combinations of multiple other constraints. Beyond the logical
operators, there are the following ones:
1) equals Strictly compares two string values. Takes two
JSONPaths or a JSONPath and a string.
2) startsWith Evaluates whether string a starts with b.
Takes two JSONPaths or a JSONPath and a string.
3) endsWith Evaluates whether string a ends with b. Takes
two JSONPaths or a JSONPath and a string.
4) matches Evaluates whether string a has a match for
regular expression b. Takes a JSONPath and a string.
5) equalsDID Compares two DIDs or DID URLs by only
their DID. Takes two JSONPaths or a JSONPath and a
string.
Constraints must be evaluated after a VP’s VCs have been
matched to the corresponding patterns. That ensures that the
constraint of one VC can address the contents of another.
Especially in scenarios where more than one VC is expected,
it might be necessary to define how these VCs are related to
each other. To make other credentials addressable, we extend
the JSONPaths definition. Directly after the root element
indicator $, a credentialId may be inserted to make the
path relative to that matching VC’s root. The identifier VP is
reserved to refer to the root of the VP. Our example in Listing
2 uses a single constraint to enforce that the signer of the
VP is also the subject of the presented VC, which constitutes
a simple holder binding. In case of a constraint validation
error, for example, an unresolvable JSONPath, this specific
constraint validation must fail and return false. Only if the
validation of a pattern’s constraint returns false at its root
does the login policy reject a VP.
84
Authorized licensed use limited to: BRAC UNIVERSITY. Downloaded on April 08,2025 at 19:38:05 UTC from IEEE Xplore. Restrictions apply.
1 "credentialSubject": {
2 "id": "did:key:z6M...",
3 "email": "[email protected]",
4 "type": "EmailPass",
5 "issuedBy": { "name": "Altme" }
6 }
Listing 3: The credentialSubject key in an Altme Proof
of email VC with shortened id field.
E. Limitations
First, services using our middleware only have access to
user attributes, not an interactive wallet connection. So, if a
service requires a wallet interaction to, for instance, obtain
a user signature, relying on OIDC might not be advisable.
Similarly, requesting additional VCs after a user is signed in is
not supported. Second, any implementation of our architecture
must make choices about the DID methods, signatures, and
VC formats it wants to support. It may never be possible to
develop a middleware that supports all SSI ecosystems and
flavors.
V. P RELIMINARY E VALUATION
We evaluated our design by implementing it and testing
different sign-in scenarios. For our implementation, we were
looking for a robust and configurable open-source OIDC
Provider. We ended up choosing Ory Hydra6 . Its compliance is
officially verified by the OpenID Foundation. Setting up Hydra
is convenient via Docker7 and the sign-in flow implementation
makes it possible to redirect to custom web services for login
and consent8 . That allows us to build our proof of concept
without touching Hydra’s source code.
We implemented all components of the middleware apart
from the OIDC Provider from the ground up as one web
service and called it vclogin. This service connects to Hydra by
using its APIs for custom login and consent services. We chose
to build with Next.js9 , as it allows us to combine user-facing
web pages with API routes in a single code base. Furthermore,
we use a PostgreSQL10 Database for Hydra and a Redis11 as a
short-term data store for vclogin. The Redis store only acts as
temporary storage, and all data is set to expire within minutes.
For our use case, the PostgreSQL database can also be reset
without effect. Thus, the entire middleware implementation is
essentially stateless and can be migrated without a database
migration. Our final code base is available online12 as open-
source software.
For practical testing, we used the Altme Wallet13 . It is
open-source, actively worked on, and available on app stores
for convenient installation. For our testing, it is essential that
6 https://github.com/ory/hydra
7 https://www.docker.com/
8 https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow
9 https://nextjs.org/
10 https://www.postgresql.org/
11 https://redis.io/
12 https://github.com/GAIA-X4PLC-AAD/ssi-to-oidc-bridge
13 https://github.com/TalaoDAO/AltMe

1 [{
2 "credentialID": "one",
3 "patterns": [{
4 "issuer": "did:web:app.altme.io:issuer",
5 "claims": [{
6 "claimPath": "$.credentialSubject.email",
7 "token": "id_token"
8 }]
9 }]
10 }]
Listing 4: A login policy accepting a VC issued by Altme
containing an email.
the wallet supports OID4VP with SIOPv2. Altme offers the
issuance of a Proof of email JSON-LD VC, which we used
in our initial test. The relevant claims from that VC are
shown in Listing 3. It is signed by a did:web and contains
a StatusList2021 entry. We used the test client included in
Hydra’s command line interface (CLI) for testing14 . It hosts
a website with a sign-in button and shows session metadata
upon successful sign-in. The browser used does not matter.
The login policy we used can be found in Listing 4. To perform
the test, we started our middleware and used Hydra’s CLI
to register and start the test client. This successful first test
indicates that our end-to-end design is feasible:
1) Click ”Authorize application” in the browser.
2) Scan the QR code on the next page with the wallet.
3) Select one email VC from the list and press ”Present”
in the wallet.
4) On the browser, get redirected to a page showing the
received session tokens for validation.
VI. C ONCLUSION
We have designed, implemented, and initially tested a
middleware architecture that can simplify the adoption of
SSI for sign-in procedures by leveraging the existing imple-
mentations and expertise available for OIDC. The results are
promising. Yet, extended validation of usability, performance,
and security is necessary. For further future work, finding a
mapping that can bring our login policy’s constraints into the
Presentation Exchange’s presentation definition would enhance
the user experience by providing even better guidance upon
VC selection in a wallet. Also, while our architecture and login
policy language should theoretically work with JWT-VC proof
formats, we have not confirmed that.
ACKNOWLEDGMENT
This work has been funded by the German Federal Ministry
of Economic Affairs and Climate Action (BMWK) under
grant 19S21006N. The responsibility for the content of this
publication lies with the authors.
R EFERENCES
[1] C. Allen, “The path to self-sovereign identity,” 2016, (Accessed
21-11-2023). [Online]. Available: http://www.lifewithalacrity.com/2016/
04/the-path-to-self-soverereign-identity.html
14 https://www.ory.sh/docs/cli/ory-perform-authorization-code
85
Authorized licensed use limited to: BRAC UNIVERSITY. Downloaded on April 08,2025 at 19:38:05 UTC from IEEE Xplore. Restrictions apply.
[2] OpenID Foundation, “OpenID Connect Core 1.0 incorporating errata set
1,” https://openid.net/specs/openid-connect-core-1 0.html, 2014, (Ac-
cessed 02-12-2023).
[3] M. Sporny, D. Longley, and D. Chadwick, “Verifiable Credentials Data
Model v1.1,” https://www.w3.org/TR/vc-data-model/, 2022, (Accessed
03-12-2023).
[4] M. Sporny, D. Longley, M. Sabadello, D. Reed, O. Steele, and
C. Allen, “Decentralized Identifiers (DIDs) v1.0,” https://www.w3.org/
TR/did-core/, 2022, (Accessed 03-12-2023).
[5] D. Hardt, “The OAuth 2.0 Authorization Framework,” RFC 6749, Oct.
2012. [Online]. Available: https://www.rfc-editor.org/info/rfc6749
[6] K. Yasuda, T. Lodderstedt, D. Chadwick, K. Nakamura,
and J. Vercammen, “Openid for verifiable credentials,” https:
//openid.net/wordpress-content/uploads/2022/06/OIDF-Whitepaper
OpenID-for-Verifiable-Credentials-V2 2022-06-23.pdf, 2022,
(Accessed 02-12-2023).
[7] O. Terbu, T. Lodderstedt, K. Yasuda, and T. Looker, “OpenID
for Verifiable Presentations - draft 18,” https://openid.net/specs/
openid-4-verifiable-presentations-1 0-ID2.html, 2023, (Accessed 03-
12-2023).
[8] K. Yasuda and M. Jones, “Self-Issued OpenID Provider v2,” https:
//openid.net/specs/openid-connect-self-issued-v2-1 0-ID1.html, 2022,
(Accessed 03-12-2023).
[9] M. Kuperberg and R. Klemens, Integration of Self-Sovereign Identity
into Conventional Software Using Established IAM Protocols: A Survey.
Gesellschaft für Informatik e.V., 2022.
[10] A. Grüner, A. Mühle, and C. Meinel, “Analyzing Interoperability and
Portability Concepts for Self-Sovereign Identity,” in 2021 IEEE 20th
International Conference on Trust, Security and Privacy in Computing
and Communications (TrustCom). Shenyang, China: IEEE, Oct. 2021,
pp. 587–597.
[11] H. Yildiz, A. Küpper, D. Thatmann, S. Göndör, and P. Herbke, “A
Tutorial on the Interoperability of Self-sovereign Identities,” Aug. 2022.
[12] F. Schardong and R. Custódio, “Self-Sovereign Identity: A Systematic
Review, Mapping and Taxonomy,” Sensors, vol. 22, no. 15, p. 5641,
Jan. 2022.
[13] A. Grüner, A. Mühle, and C. Meinel, “An Integration Architecture to
Enable Service Providers for Self-sovereign Identity,” in 2019 IEEE
18th International Symposium on Network Computing and Applications
(NCA). Cambridge, MA, USA: IEEE, Sep. 2019, pp. 1–5.
[14] ——, “ATIB: Design and Evaluation of an Architecture for Brokered
Self-Sovereign Identity Integration and Trust-Enhancing Attribute Ag-
gregation for Service Provider,” IEEE Access, vol. 9, pp. 138 553–
138 570, 2021.
[15] Z. A. Lux, D. Thatmann, S. Zickau, and F. Beierle, “Distributed-Ledger-
based Authentication with Decentralized Identifiers and Verifiable Cre-
dentials,” Jun. 2020.
[16] S. Hong and H. Kim, “VaultPoint: A Blockchain-Based SSI Model that
Complies with OAuth 2.0,” Electronics, vol. 9, no. 8, p. 1231, Aug.
2020.
[17] H. Yildiz, C. Ritter, L. T. Nguyen, B. Frech, M. M. Martinez, and
A. Küpper, “Connecting Self-Sovereign Identity with Federated and
User-centric Identities via SAML Integration,” in 2021 IEEE Symposium
on Computers and Communications (ISCC). IEEE, Sep. 2021.
[18] D. McGrogan, G. Cohen, O. Steele, W. Chang, D. Chadwick,
J. Hensley, N. Klomp, and A. Kesselman, “DIF Presentation Ex-
change 2.0.0,” https://identity.foundation/presentation-exchange/spec/v2.
0.0/, 2022, (Accessed 03-12-2023).
[19] D. Longley and M. Sporny, “Status List 2021 —
w3.org,” https://www.w3.org/community/reports/credentials/
CG-FINAL-vc-status-list-2021-20230102/, 2023, (Accessed 01-
12-2023).