Authentication provider

An authentication or identity provider (IdP) is a platform used to store and manage user accounts. MATTR VII uses auth providers to authenticate users before issuing them credentials as part of the OID4VCI workflow.

To configure a MATTR VII Authentication provider you will need an existing provider that exposes an OpenID Connect-based interface, populated with users who can be issued verifiable credentials. Your provider should allow creating application clients, which will be used by MATTR VII to generate the authentication requests when issuing credentials.

Alongside authentication, you can configure MATTR VII to query your provider for different scopes of claims that can be retrieved and used as part of the OID4VCI workflow. Available scopes depend on your provider and its configuration. See Auth0 supported scopes (opens in a new tab) as an example.

Each MATTR VII tenant has a single Authentication provider which is used for all OID4VCI workflows.

Requirements

You can use any OpenID provider if it supports the following capabilities specified by OpenID Connect Core (opens in a new tab) and OpenID Connect Discovery (opens in a new tab):

  • Must publish its OpenID Provider configuration at /.well-known/openid-configuration
  • Must support Authorization Code flow
  • Must support the state parameter

These requirements allow the OID4VCI workflow to engage with your Authentication provider and accept an ID Token containing the user claims.

Request parameters

You can configure MATTR VII to include request parameters when the holder is redirected to the Authentication provider:

  • Static request parameters are included in the request to your IdP, and will be identical for every request as defined in your configuration. An example would be setting the prompt to be login to let your Authentication provider know it should show the login page every time.
    • Keys must be strings.
    • Values of top-level object keys must stringify to less than 1000 characters.
  • Dynamic request parameters are fetched uniquely for each request to make the user journey more seamless. Here, you can forward params to your Authentication provider like login_hint which will pass the email of the user starting the flow.
    • Dynamic parameters values are limited to 1000 characters each.

Persisting claims

Upon successful authentication the provider responds with an ID token. You can configure MATTR VII to persist selected claims on your tenant.

⚠️

By default no claims are persisted. It is highly recommended to take privacy considerations into account before configuring MATTR VII to persist any claims.

Additional resources

Guides

API Reference