OpenID Connect for Verifiable Presentations

Overview

Dentity provides a way for verifiers to request holders to share their credentials to verify easily and securely using OpenID Connect (OIDC). Specifically in this specification we build and follow OpenID Connect for Verifiable Presentations and W3C Verifiable Credentials.

Usage

Prerequisites

You need some of the following to get started:

Access to Denity Business site to create OIDC client. If you didn't, contact us to get support.
Have a basic understanding of OpenID Connect (OIDC) and related concepts.
Have created OIDC client.

Configuration

Create OIDC client in Denity Business site and get the configuration. Configure the OIDC library you use with the parameters below.

Authority URL: https://oidc.dentity.com/oidc/auth

Parameter

Description

Response and vp_token

After the user successfully verify with their credential you will receive the corresponding sample format below.

vp_token example: Notice that the data below has been changed for brevity.

{
  "access_token": "fkGh6S2437IaX4YfM0Eumv_2QCjbl14Z1MybzUeQf3r",
  "expires_in": 86400,
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "scope": "openid profile",
  "token_type": "Bearer",
  "vp_token": [
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://w3id.org/bbs/v1",
        ...
      ],
      "id": "urn:vc",
      "type": [
        "VerifiedPhoneNumber",
        "VerifiableCredential"
      ],
      "credentialSchema": {
        "id": "...",
        "type": "JsonSchemaValidator2018"
      },
      "credentialStatus": {
        "id": "urn:revocation-registry:dentity:KZswpDQWysmHYy...",
        "type": "RevocationList2020Status",
        "revocationListCredential": "urn:revocation-registry:dentity:KZswpDQWysmHYy...",
        "revocationListIndex": "147"
      },
      "credentialSubject": {
        "id": "urn:vc:subject:0",
        "credentialIssuer": "...",
        "credentialType": "...",
        "holderFullName": "...",
        "phoneNumber": "..."
      },
      "issuanceDate": "2023-07-19T03:02:53Z",
      "issuer": "did:ion:test:EiAMNztHqMNA3MrKg-...",
      "proof": {
        "type": "BbsBlsSignatureProof2020",
        "created": "2023-07-19T03:02:53Z",
        "nonce": "IZU4ZNyOUzfAqpjCvtgZ...",
        "proofPurpose": "assertionMethod",
        "proofValue": "ABMH//+V8aQn2fUDpr8a3XGIyosNIVh3LaF0lbjsI...",
        "verificationMethod": "did:ion:test:EiAMNztHqMNA3MrKg-dDGJ5...#g2-public"
      }
    }
  ]
}

The response parameter vp_token is defined as follows:

vp_token: a parameter that either directly contains a verifiable presentation or a JSON array with multiple verifiable presentations
A vp_token MUST be provided in the same response as the id_token of the respective OpenID Connect transaction. Depending on the response/grant type, this can be either the authentication response or the token response.
The vp_token either contains a single verifiable presentation or an array of verifiable presentations.

Verify the proof

When the user verifies successfully. You will get vp_token. Before you start using that data, we recommend you verify it first.

The proof can be verified with:

Libraries that support VC verifications for BBS+ signatures.
Call Dentity's API to verify the proof

Verify the proof: Always verify the proof before making use of its data. You can rely on the return value when verifying to use it for your purposes.

Without verification, the received proof is of no more value than an unsubstantiated claim made by your user.

OIDC client libraries

Currently, there are many libraries/packages that support OIDC client integration for most languages. You can view some of the certified packages from OpenID Connect:

Typescript/Javascript oidc-client
C# IdentityModel.OidcClient
Golang OIDC v0.15.7
Java GKIDP Broker 1.0.0
Python pyoidc
Ruby openid_connect

PreviousOpenID for Verifiable Credentials

Last updated 1 year ago