Baseline identity-provider role. Every wallet-facing flow layers on top of a clean OP. Covers discovery, JWKS, /authorize, /token, /userinfo, PKCE, refresh rotation, code-reuse invalidation, prompt=none / max_age / id_token_hint, and OIDC Core 6.1 Request Object handling.
Full test results, evidence bundle, private OIDF plan link →OpenID Foundation conformance roadmap
Public evidence trail for CodeB Sovereign Communications’ OpenID Foundation self-certification programme. Each milestone links to the artefacts produced. Dates are targets, not promises — the roadmap moves when standards do.
Milestones
The core protocol every wallet-based sign-in speaks. Certifying this proves our verifier substrate is correct across:
- Signed Authorization Request (JAR) construction,
request_uriserving,x509_san_dnsandx509_hashclient identifier prefixes - DCQL credential-query encoding, presentation-definition negotiation
- JWE-encrypted responses (ECDH-ES + A128GCM),
direct_post.jwtresponse mode - SD-JWT VC selective disclosure with KB-JWT holder binding, nonce + transaction_data enforcement
Runs against the same verifier endpoints already exposed for internal age-verify, sign-in-widget and OIDC-clients presentation requests. Most tests expected green on first run; the suite’s value is proving each field is emitted per spec, not per implementer memory.
The EU-Wallet-specific profile that constrains OID4VP to a single interop set. Because every national wallet scheme aligns to HAIP, verifiers that only pass generic OID4VP still fail against real wallets. HAIP nails down:
- ES256 signature algorithm only, no negotiation
- SD-JWT VC as the credential format (no mDoc for the web-verifier profile)
- Client Identifier Prefixes limited to
x509_san_dnsandx509_hash - KB-JWT with nonce binding mandatory on every presentation
- Trust chain rooted in national EU Lists of Trusted Lists (LOTL)
The complementary spec — instead of accepting credentials from a wallet, this one issues them. Turns a CodeB tenant into an operational credential issuer for staff badges, tenant onboarding tokens, age attestations, or any domain-specific SD-JWT VC. Certifying it adds a full issuer story to the verifier story: same platform, both directions.
Not on the near-term path. FAPI is the profile banks and PSD2 open-banking clients require; picking it up means signed request objects everywhere, mandatory PAR, mTLS or private_key_jwt client auth, and richer replay defences. We’ll do it if a deal justifies the engineering; otherwise it stays parked.
Why this order
HAIP is a profile that layers strict constraints on top of OID4VP. Running the OID4VP suite first isolates baseline protocol issues from HAIP-specific rules — two smaller debugging cycles beats one large one. And Basic OP had to land before either verifier profile because both re-use OIDC discovery, JWKS handling, and token-endpoint semantics.
OpenID4VCI runs in parallel with the verifier profiles — the tender surface (EUDI wallet acceptance) is verifier-first, but issuing is a natural extension of the same substrate and we’re landing all three self-tests together by 14 August 2026. That gives one dated evidence trail covering acceptance and issuance from the same platform.
How to verify progress independently
Every finished milestone links to:
- a signed, read-only OIDF plan URL that shows every test run and every log entry;
- a JWS-signed evidence ZIP bundle downloadable from this site;
- a step-by-step recipe for reproducing the run against your own CodeB tenant (or any spec-compliant OIDC provider).
Nothing here needs to be taken on trust. If a claim on this page ever loses its evidence link, that’s a bug — write to the CodeB team and we’ll fix it.
The bigger picture
Under eIDAS 2.0 (Regulation (EU) 2024/1183, Article 5f), every regulated EU private-sector business is legally required to accept the EU Digital Identity Wallet as a customer login from December 2027 onward. HAIP is the interop profile that makes that acceptance work with real wallets. The roadmap above is what “ready” looks like on the vendor side, dated and evidenced.
Last updated 2026-07-18. Related pages: Basic OP results · HAIP implementation notes · OIDC OP features · EU Wallet verifier · API reference