Use x509 wallet verifier client ID scheme

Author: Johan Sellström

STATUS.md

@@ -3,6 +3,9 @@
 - [x] Add the missing `client_id_scheme=pre-registered` fields to the wallet verifier flow
 - [x] Verify the wallet verifier request shape locally with tests
 - [x] Redeploy the public verifier and confirm the live wallet request JWT includes the preregistered client ID scheme
+- [x] Switch the public wallet verifier flow to the x509 SAN DNS client ID scheme for wallet compatibility
+- [x] Verify the x509 wallet verifier request shape locally with tests
+- [x] Redeploy the public verifier and confirm the live wallet request JWT uses x509 SAN DNS with the existing x5c certificate
 
 - [x] Add a local demo-conductor package for the Village speed-build presentation
 - [x] Verify the demo-conductor build and unit tests locally

verifier/src/wallet-rp.ts

@@ -5,11 +5,12 @@ const SESSION_TTL_MS = 15 * 60_000
 const QR_SIZE = 280
 const EUDI_PID_VCTS = ['urn:eudi:pid:1']
 const LAB_AGE_VCTS = ['https://example.org/vct/age-credential']
-const PREREGISTERED_CLIENT_ID_SCHEME = 'pre-registered'
+const X509_SAN_DNS_CLIENT_ID_SCHEME = 'x509_san_dns'
 
 export type WalletVerifierProfile = {
   baseUrl: string
   clientId: string
+  requestClientId: string
   legalName: string
 }
 
@@ -36,6 +37,7 @@ export type WalletRpSession = {
   state: string
   nonce: string
   clientId: string
+  requestClientId: string
   legalName: string
   verifierApi: string
   requestUri: string
@@ -56,7 +58,7 @@ export type WalletDirectPostBody = {
 
 export type WalletRequestObject = {
   client_id: string
-  client_id_scheme: 'pre-registered'
+  client_id_scheme: 'x509_san_dns'
   response_uri: string
   response_type: 'vp_token'
   response_mode: 'direct_post'
@@ -89,6 +91,7 @@ export function deriveWalletVerifierProfile(baseUrl: string): WalletVerifierProf
   return {
     baseUrl: url.origin,
     clientId: url.host,
+    requestClientId: `${X509_SAN_DNS_CLIENT_ID_SCHEME}:${url.host}`,
     legalName: 'iProov Verifier'
   }
 }
@@ -108,24 +111,25 @@ export function createWalletSession(baseUrl: string, now = Date.now()): WalletRp
     state,
     nonce,
     clientId: profile.clientId,
+    requestClientId: profile.requestClientId,
     legalName: profile.legalName,
     verifierApi: profile.baseUrl,
     requestUri,
     responseUri,
     resultUri,
-    deepLink: buildWalletDeepLink(profile.clientId, requestUri),
+    deepLink: buildWalletDeepLink(profile.clientId, profile.requestClientId, requestUri),
     outcome: { status: 'pending' }
   }
 }
 
-export function buildWalletDeepLink(clientId: string, requestUri: string) {
-  return `eudi-openid4vp://${clientId}?client_id=${encodeURIComponent(clientId)}&client_id_scheme=${encodeURIComponent(PREREGISTERED_CLIENT_ID_SCHEME)}&request_uri=${encodeURIComponent(requestUri)}`
+export function buildWalletDeepLink(clientId: string, requestClientId: string, requestUri: string) {
+  return `eudi-openid4vp://${clientId}?client_id=${encodeURIComponent(requestClientId)}&client_id_scheme=${encodeURIComponent(X509_SAN_DNS_CLIENT_ID_SCHEME)}&request_uri=${encodeURIComponent(requestUri)}`
 }
 
 export function buildWalletRequestObject(session: WalletRpSession, walletNonce?: string): WalletRequestObject & { wallet_nonce?: string } {
   return {
-    client_id: session.clientId,
-    client_id_scheme: PREREGISTERED_CLIENT_ID_SCHEME,
+    client_id: session.requestClientId,
+    client_id_scheme: X509_SAN_DNS_CLIENT_ID_SCHEME,
     response_uri: session.responseUri,
     response_type: 'vp_token',
     response_mode: 'direct_post',

verifier/test/wallet-request-signing.test.ts

@@ -23,12 +23,12 @@ test('wallet request signer embeds an x5c certificate for verifier.ipid.me', asy
   assert.match(certificate.subject, /CN=verifier\.ipid\.me/)
 
   const verified = await jwtVerify(jwt, await importX509(pem, 'ES256'), {
-    issuer: 'verifier.ipid.me',
+    issuer: 'x509_san_dns:verifier.ipid.me',
     audience: WALLET_REQUEST_AUDIENCE
   })
 
-  assert.equal(verified.payload.client_id, 'verifier.ipid.me')
-  assert.equal(verified.payload.client_id_scheme, 'pre-registered')
+  assert.equal(verified.payload.client_id, 'x509_san_dns:verifier.ipid.me')
+  assert.equal(verified.payload.client_id_scheme, 'x509_san_dns')
   assert.equal(verified.payload.response_mode, 'direct_post')
 })
 

verifier/test/wallet-rp.test.ts

@@ -7,26 +7,27 @@ import {
   normalizeWalletDirectPostBody
 } from '../src/wallet-rp.ts'
 
-test('createWalletSession builds a preregistered deep link for the public verifier', () => {
+test('createWalletSession builds an x509 SAN DNS deep link for the public verifier', () => {
   const session = createWalletSession('https://verifier.ipid.me', Date.UTC(2026, 2, 23, 12, 0, 0))
 
   assert.equal(session.clientId, 'verifier.ipid.me')
+  assert.equal(session.requestClientId, 'x509_san_dns:verifier.ipid.me')
   assert.equal(session.legalName, 'iProov Verifier')
   assert.match(session.requestUri, /^https:\/\/verifier\.ipid\.me\/wallet\/request\.jwt\//)
   assert.match(session.responseUri, /^https:\/\/verifier\.ipid\.me\/wallet\/direct_post\//)
   assert.match(session.resultUri, /^https:\/\/verifier\.ipid\.me\/wallet\/session\//)
   assert.match(
     session.deepLink,
-    /^eudi-openid4vp:\/\/verifier\.ipid\.me\?client_id=verifier\.ipid\.me&client_id_scheme=pre-registered&request_uri=https%3A%2F%2Fverifier\.ipid\.me%2Fwallet%2Frequest\.jwt%2F/
+    /^eudi-openid4vp:\/\/verifier\.ipid\.me\?client_id=x509_san_dns%3Averifier\.ipid\.me&client_id_scheme=x509_san_dns&request_uri=https%3A%2F%2Fverifier\.ipid\.me%2Fwallet%2Frequest\.jwt%2F/
   )
 })
 
 test('buildWalletRequestObject asks for over-21 plus nationality with a fallback credential', () => {
   const session = createWalletSession('https://verifier.ipid.me')
   const request = buildWalletRequestObject(session)
 
-  assert.equal(request.client_id, 'verifier.ipid.me')
-  assert.equal(request.client_id_scheme, 'pre-registered')
+  assert.equal(request.client_id, 'x509_san_dns:verifier.ipid.me')
+  assert.equal(request.client_id_scheme, 'x509_san_dns')
   assert.equal(request.response_uri, session.responseUri)
   assert.equal(request.response_type, 'vp_token')
   assert.equal(request.response_mode, 'direct_post')