OpenID4VC, DCQL and OpenID Federation: Three new fundamental TypeScript projects incubated at OpenWallet Foundation

February 25, 2025

Thanks to Credo Maintainer Timo Glastra for sharing this great overview of these new, important projects.

At the first Technical Advisory Council meeting of 2025 three new lab projects were accepted into the OpenWallet Foundation. All projects focus on providing a low-level, environment agnostic, and un-opinionated implementation of several digital identity standards. This blog post gives an overview of the three new projects, why they’re important, and how you can get involved.

Before we dive into the three new lab projects, let’s go into a little bit of background on how they came to be. In the past year the Animo team, who are contributors to and maintainers of the OWF-hosted Credo Framework, has been working on a prototype EUDI Wallet for SPRIN-D, the German Federal Agency for Breakthrough Innovation. The goal of this SPRIN-D project is to create the most secure and usable EUDI wallet, while tackling cutting-edge innovation topics in digital identity. While building the wallet, the Animo team created several libraries and then submitted them to the OpenWallet Foundation.

All projects support the latest advancements in the OpenID specifications related to verifiable credentials and digital trust, and will be kept up to date as they evolve. You can see all libraries in action in a demo video of the EUDI wallet.

OpenID4VC TypeScript

Let’s start with the project that connects all three projects. The OpenID4VC TypeScript project provides an environment, cryptographic, and credential format agnostic implementation of the OpenID for Verifiable Credentials standards. 

The project currently has a focus on OpenID for Verifiable Credential Issuance (OpenID4VCI) and OpenID for Verifiable Presentations (OpenID4VP), in combination with the High Assurance Interoperability Profile (HAIP) to enable interoperability for projects where a high level of security and privacy is required.

While a credential format (such as SD-JWT VC, mDOC, or W3C VCs) is required to use the OpenID4VC standards, this library does not implement any credential format. It only implements the credential format specific profiles as defined in the OpenID4VCI specification, such as the Credential Issuer Metadata or Credential Request structures. There are already numerous credential format implementations available that can be used with this library, such as the OpenWallet Foundation SD-JWT JS library, the Auth0 mDL library, or the DigitalBazaar W3C VC JS library.

An important design decision for the library was that it should run in any environment that runs JavaScript, whether it’s Node.JS, React Native or the Browser. We achieve this by only using APIs that are available by default in JavaScript, and requiring platform specific APIs to be provided in the library configuration. This has the biggest impact on the cryptographic methods of the library: since the cryptographic APIs that are available depend heavily on the platform you run on, these need to be provided by the integrator.

Finally, the library is meant to be un-opinionated. This means that if a feature is described in one of the related specifications, we’re likely to implement it, or to accept pull requests that implement it. For features that may not fit the core of the project but require deep integration with the functionality of this library, we want to ensure all APIs allow for extension. Most OpenID and OAuth specifications are designed with extension in mind, which I think is a big part of why OAuth2 is used so broadly. If the specification doesn’t fully align with your requirements, you can extend it to make it fit while still benefiting from the core functionality.

These implementation decisions combined make the library:

  • Agnostic to the specific credential format being used
  • Agnostic to the environment in which it is executed: you can run it in the browser, Node.JS or React Native.
  • Agnostic to the cryptographic implementation being used. Plug in the default Node.JS supported crypto, or connect it to an external Hardware Key Management System such as AWS KMS for advanced security; it’s up to you.

Currently the library supports Draft 11, Draft 13 and Draft 14 of the OpenID4VCI specification, with support for features such as the authorization code flow, batch issuance, and presentation during issuance. In addition it supports most of the additional security requirements from HAIP such as PKCE, DPoP and Pushed Authorization Requests (PAR). In an upcoming release support for Draft 15 of the OpenID4VCI specification will be added, including support for wallet and key attestations.

The initial implementation for OpenID4VP is almost ready to be released, and will have support for Draft 24 (released on January 27th 2025) of OpenID4VP. It implements several client id schemes, signed authorization requests (using JAR), encrypted authorization responses (using JARM), DIF Presentation Exchange and DCQL (based on the DCQL TypeScript project). In addition the new transaction data will be supported, which will likely be used by EUDI Wallets for QES and Payment authorization.

The OpenID4VC TypeScript project was co-contributed by Animo and Verifiables, leading to a more robust project in terms of maintenance.

“We had been looking for an unopinionated low-level TS library supporting OID4VC/VP. So far, existing libraries are heavily dependent on specific environments and coupled with features we do not necessarily want or need. The approach taken in building these packages, in a way that is open and allows for extension, is one we, at Verifiables, share with Animo. We decided to contribute and help maintain them in the future. I believe bringing these standards to a larger audience will foster adoption and help grow the ecosystem.”

Alexis Delamare Deboutteville, CTO, Verifiables

DCQL TypeScript

The Digital Credentials Query Language (DCQL) is a new JSON-encoded query language defined as part of OpenID4VP and used to express which credentials a verifier would like to request from a holder. 

Although the DCQL TypeScript implementation supports credential format specific query features (such as the vct_values for SD-JWT VCs), it does not know anything about the encoding and decoding of credential format specific credentials. Instead, you provide the library with a decoded payload of the credential. This makes the scope of the library very focused on one goal: find which credential payloads match the provided credential queries, and check if these payloads fulfill the presentation request. Adding support for a new format is super simple, and means the library can stay very lightweight with only a single dependency used for validation.

What makes this library so powerful is the very clear error messages, and the detailed structures explaining why a credential didn’t match the provided query. Knowing why a credential didn’t match is very important, both during debugging and when you’re using the library to power interactions between a wallet and a verifier. We already have ideas to expand on this in the future, for example by highlighting partial matches, enabling wallets to provide clear indications to the user that a credential of a specific type they have was requested, but not all values matched (e.g. a query requesting presentation of a mobile driver’s license where the value of age_over_21 is true, but the credential in the wallet has the value false).
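To make the matching and "why didn’t it match" idea concrete, here is an added example (my own simplified matcher, not the dcql-ts API) that evaluates a DCQL credential query against decoded credential payloads and returns the reasons for a mismatch, including the age_over_21 partial-match case described above. The query shape follows DCQL in OpenID4VP Draft 24; the vct URLs and credential contents are constructed sample data.

```typescript
// Added illustration, not the dcql-ts API: a minimal matcher that reports *why*
// a decoded credential payload does or does not satisfy a DCQL credential query.
// Query shape follows DCQL in OpenID4VP Draft 24 (format, meta.vct_values, claims[].path/values).
type ClaimQuery = { path: (string | number)[]; values?: unknown[] };
type CredentialQuery = { id: string; format: string; meta?: { vct_values?: string[] }; claims?: ClaimQuery[] };
// The library gets the decoded payload, never the encoded SD-JWT or mDOC.
type Credential = { format: string; vct?: string; payload: Record<string, unknown> };
type ClaimResult = { path: string; found: boolean; valueAllowed: boolean; actual?: unknown };
// typeMatched: right format and vct, but a claim failed (the "partial match" a wallet could show).
type MatchResult = { success: boolean; typeMatched: boolean; reasons: string[]; claims: ClaimResult[] };

// Walk a DCQL claim path: string segments index objects, numbers index arrays.
function resolvePath(obj: unknown, path: (string | number)[]): { found: boolean; value?: unknown } {
  let cur: unknown = obj;
  for (const seg of path) {
    if (cur === null || typeof cur !== "object" || !(seg in (cur as object))) return { found: false };
    cur = (cur as Record<string | number, unknown>)[seg];
  }
  return { found: true, value: cur };
}

function matchCredential(q: CredentialQuery, c: Credential): MatchResult {
  const reasons: string[] = [];
  if (c.format !== q.format) reasons.push(`format ${c.format} does not match ${q.format}`);
  const allowedVct = q.meta?.vct_values;
  const vctOk = !allowedVct || (c.vct !== undefined && allowedVct.indexOf(c.vct) !== -1);
  if (!vctOk) reasons.push(`vct ${c.vct ?? "<missing>"} not in vct_values ${JSON.stringify(allowedVct)}`);
  const typeMatched = reasons.length === 0;
  const claims = (q.claims ?? []).map((cq): ClaimResult => {
    const key = cq.path.join(".");
    const r = resolvePath(c.payload, cq.path);
    const valueAllowed = r.found && (!cq.values || cq.values.indexOf(r.value) !== -1);
    if (!r.found) reasons.push(`claim ${key} is missing`);
    else if (!valueAllowed) reasons.push(`claim ${key} is ${JSON.stringify(r.value)}, expected one of ${JSON.stringify(cq.values)}`);
    return { path: key, found: r.found, valueAllowed, actual: r.value };
  });
  return { success: reasons.length === 0, typeMatched, reasons, claims };
}

// Constructed sample: a verifier requests a mobile driver's license proving age_over_21;
// the wallet holds a matching one, one where it is false, and an unrelated PID.
const mdlQuery: CredentialQuery = {
  id: "mdl", format: "dc+sd-jwt", meta: { vct_values: ["https://example.com/mdl"] }, // constructed vct
  claims: [{ path: ["given_name"] }, { path: ["age_over_21"], values: [true] }],
};
const wallet: Credential[] = [
  { format: "dc+sd-jwt", vct: "https://example.com/mdl", payload: { given_name: "Erika", age_over_21: true } },
  { format: "dc+sd-jwt", vct: "https://example.com/mdl", payload: { given_name: "Max", age_over_21: false } },
  { format: "dc+sd-jwt", vct: "https://example.com/pid", payload: { given_name: "Max" } },
];
const results = wallet.map((c) => matchCredential(mdlQuery, c));
```

The second result has `typeMatched: true` but `success: false` with a reason naming age_over_21, which is exactly the signal a wallet needs to tell the user "you have this kind of credential, but it does not satisfy the request".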

DCQL is still a very new query language, having only been added to the OpenID4VP specification in Draft 22 (released on 31 October 2024). Currently the OpenID4VP specification supports both DCQL and DIF Presentation Exchange, but in the latest draft of HAIP, DCQL is already the only mandated query language.

OpenID Federation TypeScript

Finally, the OpenID Federation TypeScript project provides an agnostic and low-level implementation of the OpenID Federation specification. Of these three libraries, OpenID Federation has perhaps the most complex specification, but probably also the most powerful if widely adopted, and so it deserves some additional context.

OpenID Federation allows organizations that belong to the same federation to trust each other, without knowing each other, as long as they both trust a common third party. At the core this is similar to what X.509 certificate chains can achieve, but OpenID Federation allows for much more dynamic and extensible configurations by design. With OpenID Federation there is not necessarily one possible trust chain (the trust path from an entity you’re interacting with to a trust anchor you trust). Depending on the interaction, different trust chains to the entity you’re interacting with can be discovered dynamically. For example, the entity may be part of the OpenWallet Foundation and have received a Subordinate Statement from it, which could provide a sufficient level of trust for a specific interaction.

Metadata policies allow a federation to programmatically limit what metadata actors in the federation can use, for example limiting the allowed signing algorithms to ES256. Trust marks, on the other hand, enable accreditation authorities to be part of the federation and issue trust statements to entities that meet certain criteria; for example, a “HIPAA Secure Exchange Certified” trust mark can enable healthcare providers to verify that other institutions meet specific privacy and security standards before sharing patient data.

The OpenID Federation TypeScript implementation enables you to build OpenID Federation systems by providing the tools needed to create, sign, resolve and verify trust chains. It helps with the creation of valid entity statements, the resolution of a valid trust chain based on a set of trusted root anchors, and the application of metadata policies. Similar to the OpenID4VC library, this library does not provide any cryptographic functionality by default; it must be provided by the integrator. To enable easier integration with existing systems and stay un-opinionated, the library does not expose any endpoints for hosting the needed metadata and entity statements.
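As an added example of what "applying metadata policies" means in practice (my own simplified implementation, not the openid-federation-ts API), the block below applies the OpenID Federation 1.0 metadata policy operators to an entity’s metadata, including the "only ES256 allowed" case mentioned above. The Trust Anchor policy and the leaf metadata are constructed sample data, and the subset_of semantics are simplified to "intersect, and drop the parameter if nothing remains".

```typescript
// Added illustration, not the openid-federation-ts API: applying OpenID Federation 1.0
// metadata policy operators (value, add, default, one_of, subset_of, superset_of,
// essential) to an entity's metadata, the mechanism behind "only ES256 is allowed".
type Operators = { value?: unknown; add?: unknown[]; default?: unknown; one_of?: unknown[];
  subset_of?: unknown[]; superset_of?: unknown[]; essential?: boolean };
type MetadataPolicy = Record<string, Operators>;
type Metadata = Record<string, unknown>;
const toArray = (v: unknown): unknown[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns the policy-constrained metadata, or throws naming the parameter and operator that
// failed (a resolver would then reject the trust chain instead of using the entity's metadata).
function applyPolicy(policy: MetadataPolicy, metadata: Metadata): Metadata {
  const out: Metadata = { ...metadata };
  for (const claim of Object.keys(policy)) {
    const ops = policy[claim];
    let v: unknown = out[claim];
    // Modifiers first (value, add, default), then the checks, in the order the spec lists them.
    if ("value" in ops) v = ops.value;
    if (ops.add) v = toArray(v).concat(ops.add.filter((x) => toArray(v).indexOf(x) === -1));
    if (v === undefined && "default" in ops) v = ops.default;
    if (ops.one_of && v !== undefined && ops.one_of.indexOf(v) === -1)
      throw new Error(`${claim}: ${JSON.stringify(v)} is not one_of ${JSON.stringify(ops.one_of)}`);
    if (ops.subset_of && v !== undefined) {
      const kept = toArray(v).filter((x) => ops.subset_of!.indexOf(x) !== -1);
      v = kept.length > 0 ? kept : undefined; // simplified: empty intersection removes the parameter
    }
    if (ops.superset_of && !ops.superset_of.every((x) => toArray(v).indexOf(x) !== -1))
      throw new Error(`${claim}: must include all of ${JSON.stringify(ops.superset_of)}`);
    if (ops.essential && v === undefined) throw new Error(`${claim}: essential parameter is missing`);
    if (v === undefined) delete out[claim]; else out[claim] = v;
  }
  return out;
}

// Constructed sample: a Trust Anchor's policy for OpenID Providers in its federation.
const anchorPolicy: MetadataPolicy = {
  id_token_signing_alg_values_supported: { subset_of: ["ES256"], essential: true },
  token_endpoint_auth_methods_supported: { default: ["private_key_jwt"] },
  grant_types_supported: { superset_of: ["authorization_code"] },
};
// A leaf entity advertising RS256 as well: RS256 is stripped and the default is filled in.
const compliant = applyPolicy(anchorPolicy, {
  id_token_signing_alg_values_supported: ["RS256", "ES256"],
  grant_types_supported: ["authorization_code", "refresh_token"],
});
// A leaf entity offering only RS256: subset_of leaves nothing, and essential turns that into an error.
function rejectsRs256Only(): boolean {
  try { applyPolicy(anchorPolicy, { id_token_signing_alg_values_supported: ["RS256"], grant_types_supported: ["authorization_code"] }); return false; }
  catch { return true; }
}
```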

The library is built with extension in mind, and can be integrated into any system that wants to leverage OpenID Federation. The Credo framework has used the OpenID Federation library to integrate the OpenID Federation Wallet Architectures specification, an extension to OpenID Federation that focuses on digital wallet architectures and integration of the OpenID for Verifiable Credentials specifications, into the framework. We expect different ecosystems to adopt and integrate OpenID Federation in the future, and think this library provides a good foundation to build on top of.

Usage

As mentioned earlier, these three projects were built and contributed by Animo for the prototype EUDI wallet we’re building for SPRIN-D, the German Federal Agency for Breakthrough Innovation, as part of the EUDI Wallet Prototype Funke. You can see all libraries in action in a demo video of our wallet.

The projects provide a good foundation for early adopters of these specifications, and are already actively being integrated into other projects:

  • Credo, a TypeScript framework for building verifiable credentials based digital identity solutions, and a Growth project at the OpenWallet Foundation, is already integrating all three libraries to drive its support for OpenID4VC and OpenID Federation.
  • Sphereon’s OpenID4VC library leverages the DCQL library in the OpenID4VP implementation next to their own implementation of DIF Presentation Exchange.
  • Verifiables, a French company providing verifiable credentials issuance, management and verification services for businesses and organizations, has already made their first big contribution to the OpenID4VC project and has joined as a maintainer of the library.

All three projects were contributed as Lab projects at the OpenWallet Foundation, as we still expect numerous breaking changes to come based on changes to the specifications. As the specifications mature and reach stable versions, we intend to move the projects to the Growth stage and create stable releases.

If you want to learn more about the libraries, or get involved yourself, open an issue in one of the GitHub repositories, or ask a question in the OpenWallet Foundation Discord channels #oid4vc-ts, #dcql-ts and #openid-federation-ts.

I would like to specifically thank SPRIN-D (for funding the development of these libraries), Martin Auer (for the DCQL and OID4VP implementation), Berend Sliedrecht and Tom Lanser (for the OpenID Federation implementation), Alexis Delamare Deboutteville and the Verifiables team (for the contributions to the OID4VC library), Sean Bohan (for the continued support in maintaining and proposing projects at OWF), the OWF TAC (for their work in adding these new projects to OWF), and Stephen Curran (for sponsoring all projects as TAC member).
