# OpenID Connect for Verifiable Presentations

## Overview

**Dentity** provides a way for verifiers to request holders to share their credentials to verify easily and securely using [OpenID Connect](https://openid.net/developers/how-connect-works/) (OIDC). Specifically in this specification we build and follow [OpenID Connect for Verifiable Presentations](https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0-07.html) and [W3C Verifiable Credentials](https://www.w3.org/TR/vc-data-model/#presentations).

## Usage

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

You need some of the following to get started:

* Access to [Denity Business](https://business.dentity.com/) site to create OIDC client. If you didn't, contact us to get support.
* Have a basic understanding of [OpenID Connect](https://openid.net/developers/how-connect-works/) (OIDC) and related concepts.
* Have created OIDC client.

### Configuration

Create OIDC client in [Denity Business](https://business.dentity.com/) site and get the configuration. Configure the OIDC library you use with the parameters below.

Authority URL: `https://oidc.dentity.com/oidc/auth`

<table><thead><tr><th width="186">Parameter</th><th>Description</th></tr></thead><tbody><tr><td>client_id</td><td>A unique string that you receive after creating the client to identify the application</td></tr><tr><td>redirect_uri</td><td>The URL will be redirected after the user has verified successfully</td></tr><tr><td>response_type</td><td><code>code</code></td></tr><tr><td>scope</td><td><code>openid</code> <code>profile</code></td></tr></tbody></table>

### Response and vp\_token

After the user successfully verify with their credential you will receive the corresponding sample format below.

{% hint style="info" %}
**vp\_token example**: Notice that the data below has been changed for brevity.
{% endhint %}

```json
{
  "access_token": "fkGh6S2437IaX4YfM0Eumv_2QCjbl14Z1MybzUeQf3r",
  "expires_in": 86400,
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "scope": "openid profile",
  "token_type": "Bearer",
  "vp_token": [
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://w3id.org/bbs/v1",
        ...
      ],
      "id": "urn:vc",
      "type": [
        "VerifiedPhoneNumber",
        "VerifiableCredential"
      ],
      "credentialSchema": {
        "id": "...",
        "type": "JsonSchemaValidator2018"
      },
      "credentialStatus": {
        "id": "urn:revocation-registry:dentity:KZswpDQWysmHYy...",
        "type": "RevocationList2020Status",
        "revocationListCredential": "urn:revocation-registry:dentity:KZswpDQWysmHYy...",
        "revocationListIndex": "147"
      },
      "credentialSubject": {
        "id": "urn:vc:subject:0",
        "credentialIssuer": "...",
        "credentialType": "...",
        "holderFullName": "...",
        "phoneNumber": "..."
      },
      "issuanceDate": "2023-07-19T03:02:53Z",
      "issuer": "did:ion:test:EiAMNztHqMNA3MrKg-...",
      "proof": {
        "type": "BbsBlsSignatureProof2020",
        "created": "2023-07-19T03:02:53Z",
        "nonce": "IZU4ZNyOUzfAqpjCvtgZ...",
        "proofPurpose": "assertionMethod",
        "proofValue": "ABMH//+V8aQn2fUDpr8a3XGIyosNIVh3LaF0lbjsI...",
        "verificationMethod": "did:ion:test:EiAMNztHqMNA3MrKg-dDGJ5...#g2-public"
      }
    }
  ]
}
```

The response parameter `vp_token` is defined as follows:

* `vp_token`: a parameter that either directly contains a verifiable presentation or a JSON array with multiple verifiable presentations
* A `vp_token` MUST be provided in the same response as the `id_token` of the respective OpenID Connect transaction. Depending on the response/grant type, this can be either the authentication response or the token response.
* The `vp_token` either contains a single verifiable presentation or an array of verifiable presentations.

### Verify the proof

When the user verifies successfully. You will get vp\_token. Before you start using that data, we recommend you verify it first.&#x20;

The proof can be verified with:

* Libraries that support VC verifications for [BBS+ signatures](https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html).&#x20;
* Call [Dentity's API](https://docs.dentity.com/reference/api-endpoints/credential#verify-credential-proof) to verify the proof

{% hint style="warning" %}
**Verify the proof:** \
Always verify the proof before making use of its data. You can rely on the return value when verifying to use it for your purposes.

Without verification, the received proof is of no more value than an unsubstantiated claim made by your user.
{% endhint %}

## OIDC client libraries&#x20;

Currently, there are many libraries/packages that support OIDC client integration for most languages. You can view some of the certified packages from [OpenID Connect](https://openid.net/certified-open-id-developer-tools/):

* `Typescript/Javascript` [oidc-client](https://www.npmjs.com/package/openid-client)
* `C#` [IdentityModel.OidcClient](https://github.com/IdentityModel/IdentityModel.OidcClient2)
* `Golang` [OIDC v0.15.7](https://github.com/zitadel/oidc)
* `Java` [GKIDP Broker 1.0.0](https://www.kinto-technologies.com/)
* `Python` [pyoidc](https://github.com/CZ-NIC/pyoidc)
* `Ruby` [openid\_connect](https://github.com/nov/openid_connect)<br>