interID -- An Ecosystem-agnostic Verifier-as-a-Service with OpenID Connect Bridge

TL;DR

interID provides a standardized, ecosystem-agnostic platform for SSI credential verification via an OIDC bridge, simplifying integration and ensuring compliance with EU regulations through a secure, multi-tenant SaaS solution.

Contribution

The paper introduces an OIDC bridge for interID, enabling seamless SSI verification across multiple ecosystems without custom infrastructure, and provides a security analysis of novel attack vectors.

Findings

Security equivalence to production identity providers

11 attack vectors identified, 7 beyond RFC 6819 scope

Organizations can adopt SSI with effort similar to traditional providers

Abstract

Self-Sovereign Identity (SSI) enables user-controlled, cryptographically verifiable credentials. As EU regulations mandate EUDI Wallet acceptance by 2027, SSI adoption becomes a compliance necessity. However, each SSI Verifier exposes different APIs with distinct request parameters, response formats, and claim structures, requiring custom wrappers and dedicated infrastructure, contrasting with OpenID Connect (OIDC) where standardized protocols enable seamless integration. interID is an ecosystem-agnostic platform unifying credential verification across Hyperledger Aries/Indy, EBSI, and EUDI ecosystems. We extend interID with an OIDC bridge providing Verifier-as-a-Service, enabling SSI verification through standard OIDC flows. Organizations receive ID Tokens with verified credential attributes without implementing Verifier-specific logic or deploying infrastructure. The multi-tenant architecture leverages Keycloak with strict tenant isolation. Key innovations include PKCE support, scope-to-proof-template mappings translating OIDC scopes into ecosystem-specific verification requests, and a security analysis identifying novel attack surfaces at the intersection of OIDC, SSI, and multi-tenant architectures, threats covered by neither RFC 6819 nor existing SSI analyses alone. Our evaluation demonstrates security equivalence to production identity providers through threat modeling identifying 11 attack vectors, including seven beyond RFC 6819's scope. Integration analysis shows organizations can adopt SSI authentication with comparable effort to adding traditional federated providers. By combining familiar OIDC patterns with SaaS deployment, our work lowers integration and operational barriers, enabling regulatory compliance through configuration rather than custom development.