OID4VCI Authorization Code flow tutorial
Introduction
The OpenID4VCI specification is an open standard developed by the OpenID Foundation. It leverages the OpenID protocol to support verifiable credentials issuance and management.
In this tutorial we will configure an OID4VCI Authorization Code flow and use it to issue an mDoc to the MATTR GO Hold example app, showing each step both through the MATTR Portal and via the equivalent API calls.
User experience
This is the user experience you will build in this tutorial:
- User launches their GO Hold example app and scans a QR code received from an issuer.
- The wallet displays what credential is being offered to the user and by what issuer.
- The user agrees to claiming the offered credentials.
- The user is redirected to complete authentication via Auth0.
- Upon successful authentication, the credential is issued to the user's GO Hold example app. They can now view the credential and present it for verification.
Prerequisites
- Complete the sign up form to get trial access to MATTR VII and the MATTR Portal, and then Create a tenant.
- Install the MATTR GO Hold example app by following the getting started guide.
- Sign up with Auth0 which we will use to authenticate the holder as part of the issuance workflow.
We recommend using the MATTR VII Postman collection in this tutorial. While this isn't an explicit prerequisite it can really speed things up.
Tutorial overview
To build this user experience, the current tutorial comprises the following steps:
- Configure an Auth0 application: We will use this application to authenticate the user as part of the OID4VCI Authorization Code flow.
- Obtain a MATTR VII access token: You need this to access protected endpoints on your MATTR VII tenant.
- Configure an Authentication provider: Required to authenticate users before you can issue them credentials.
- Create Issuer certificates: Required to sign mDocs.
- Create an mDocs credentials configuration: Controls the content and branding of issued Credentials.
- Create and share a Credential offer: Used by digital wallets to trigger the issuance workflow.
- Claim the credential as the holder: Use your GO Hold example app to claim the offered Credential.
Tutorial steps
Configure an Auth0 application
Let's start by configuring an Auth0 application. This application will be used to authenticate the user as part of the OID4VCI Authorization Code flow.
Create a new Auth0 application
- Log into Auth0.
- Skip the Auth0 onboarding tutorials and go straight to your Dashboard.
- Select Create Application.
- Insert a Name for your application.
- Select Regular Web Application.
- Select Create.
- Select Skip Integration.
Your application is created and you will be redirected to the Settings tab under the Applications section.
- Record your application
Domain
,Client ID
andClient Secret
. - Add a simple Description.
- Scroll down to the Application URIs area, locate the Allowed Callback URLs textbox and
insert the following URL:
https://{your_tenant_url}/core/v1/oauth/authentication/callback
(make sure you replace{your_tenant_url}
with thetenant_url
provided with your MATTR VII tenant details). - Select the Connections tab.
- Enable Username-Password-Authentication under Database.
- Disable everything under Social.
Create a User
- Select the User Management menu on the left hand side navigation panel and select Users.
- Select the Create User button.
- Add an Email. This must be different to the one you use to sign up to your Auth0 account.
- Add a password.
- Select Username-Password-Authentication from the Connection dropdown list.
- Select Create. You will be redirected to the new user’s Details tab.
- Select Edit under Name and replace the value (Auth0 uses the email by default) with the full user name.
Auth0 holds and stores information against user objects, including PII. Before you add any additional data, make sure you understand Auth0's policies around storing this information.
Configure a MATTR VII Authentication provider
Next you need to configure your Auth0 Authentication provider in your MATTR VII tenant. This is required so that MATTR VII can use the Auth0 application to authenticate users before issuing them credentials.
- In the navigation panel on the left-hand side, expand the Credential Issuance menu.
- Select Authentication provider.
- Insert your Auth0 application
Domain
in the Base URL field. Make sure you prefix it withhttps://
. - Insert your Auth0 application
Client ID
in the Client ID field. - Insert your Auth0 application
Client Secret
in the Client secret field. - Select Create.
Step 1: Obtain a MATTR VII access token
All of the MATTR VII endpoints you will use in this tutorial are protected, so you will first need to use your tenant details to make a request of the following structure and obtain an access token:
POST https://{auth_server}/oauth/token
auth_server
: Replace with theauth_url
value from your tenant details.
{
"client_id": "F5qaeLDdbvnU9zhA0j4eHUGCHwC1bKtt",
"client_secret": "Wzc8J**********************************************************",
"audience": "learn.vii.au01.mattr.global",
"grant_type": "client_credentials"
}
- Replace
client_id
,client_secret
andaudience
with your own tenant details. - Keep
grant_type
asclient_credentials
.
Response
{
"access_token": "eyJhb********************************************************************",
"expires_in": 14400,
"token_type": "Bearer"
}
Use the returned access_token
value as a bearer token for all requests to your MATTR VII tenant in
the next steps of this tutorial.
You will need to obtain a new access token whenever it expires. We recommend using our Postman collection to interact with your MATTR VII tenant. This collection includes a pre-request script to obtain an access token when it is missing or expired, as well as pre-configured templates for all available requests.
Step 2: Configure an Authentication provider
Now that you have an access token, you can make a request to create an Authentication provider configuration based on the details of your Auth0 application. This will be used to authenticate users as part of the OID4VCI Authorization Code flow.
Make the following API request to your MATTR VII tenant:
POST /v1/users/authentication-providers
{
"url": "https://example.us.auth0.com/",
"scope": ["openid", "profile", "email"],
"clientId": "zH1IGGkRo6q0ofwiNJnlY0bg9fchw3s0",
"clientSecret": "***********************************************************LFRrZ",
"tokenEndpointAuthMethod": "client_secret_post",
"staticRequestParameters": {
"prompt": "login",
"maxAge": 10000
}
}
url
: Replace with your Auth0 applicationDomain
. Make sure you prefix it withhttps
.scope
: This determines what claims are returned by the authentication provider following successful authentication. Refer to Auth0 OIDC scopes for more information.clientId
: Replace with your Auth0 applicationClient ID
.clientSecret
: Replace with your Auth0 applicationClient Secret
.
Create issuer certificates
In this tutorial you are going to issue an mDoc, so you need to have valid IACA.
- Log into the MATTR Portal.
- In the navigation panel on the left-hand side, expand the Platform Management menu.
- Select Certificates.
- Select the Create new button.
- Use the Type radio button to select IACA - Issuing Authority Certificate Authority.
- Use the Management method radio button to select MATTR managed.
- Use the Country dropdown list to select an issuing country.
- Select the Create button to create the IACA certificate.
The IACA is created as inactive by default. - Use the Status radio button to select Active.
- Select the Update button to activate the IACA certificate.
- Make the following request to your MATTR VII tenant to create an IACA:
POST /v2/credentials/mobile/iacas
The response will include an id
element which you will use in the next step.
- Make the following request to activate the IACA you just created:
PUT /v2/credentials/mobile/iacas/{iacaId}
iacaId
: Replace with theid
element returned in the response when you created the IACA in the previous steps.
{
"active": true
}
Your IACA is now active and can be used to sign mDocs.
Create a MATTR VII mDocs credential configuration
Now that you have valid certificates in place, the next component you need is a Credential configuration to define the structure and branding of the issued credential.
-
In the navigation panel on the left-hand side, expand the Credential Issuance menu.
-
Select Mobile credential.
-
Select the Create new button.
-
In the Name text box, enter a clear and descriptive title that will appear on the credential in the wallet, for example "My First Credential".
-
In the Description text box, enter a clear and descriptive description that will appear on the credential in the wallet, for example "Use For High Assurance Interactions".
-
In the Credential type text box, enter a unique identifier for the credential type, for example
com.example.myfirstcredential
. -
Copy and paste the following JSON into the Claim mappings text box:
Claim mappings { "com.example.personaldetails.1": { "name": { "mapFrom": "claims.name", "type": "string" }, "email": { "mapFrom": "claims.email", "type": "string" } } }
-
Enter "1" in the Months text box in the Validity for panel to set the credential expiration period.
-
Select the Create button to create the credential configuration.
Make the following request to create a simple mDoc credentials configuration that includes the holder's name and e-mail:
POST /v2/credentials/mobile/configurations
{
"type": "com.example.myfirstcredential",
"expiresIn": {
"months": 1
},
"claimMappings": {
"com.example.personaldetails.1": {
"name": {
"mapFrom": "claims.name",
"type": "string"
},
"email": {
"mapFrom": "claims.email",
"type": "string"
}
}
},
"branding": {
"name": "My First Credential",
"description": "For High Assurance Interactions",
"backgroundColor": "#2d46d8"
},
"includeStatus": true
}
The response will include an id
element. You will use it to create a Credential offer in the next
step.
Create a Credential offer
You now have all the pieces in place and can wrap them all together to generate a Credential offer and share it with the intended holder so that they know what credentials are being offered and by whom.
- In the navigation panel on the left-hand side, expand the Credential Issuance menu.
- Select Credential offer.
- Select the Select button.
- Check the checkbox next to the credential configuration you created in the previous step.
- Select the Apply button.
- Select the Generate button.
- Download the displayed QR code and save it somewhere safe.
This QR code will be used by the holder to claim the credential.
Make the following request to generate a new Credential offer:
POST /v1/openid/offers
{
"credentials": ["945214ad-3635-4aff-b51d-61d69a3c8eee"]
}
credentials
: Populate the array with theid
element returned in the response when you created an mDocs credentials configuration in the previous step.
The response will include a uri
element which can be used by a digital wallet to trigger the
OID4VCI workflow. Use one of the following tools to convert the uri
value to a QR code (make sure
you use the Plain text
option where available):
MATTR is not affiliated with any of these service providers and cannot vouch for their offerings.
Save the generated QR code on your computer.
Claim the credential
- Open the GO hold example app.
- Select Scan.
- Scan the QR code generated in the previous step.
- Review the credential offer and select Accept.
- Follow the issuance workflow instructions to claim the credential.
Congratulations, you just configured an end-to-end OID4VCI Authorization Code flow to issue an mDoc into a digital wallet!!!
What's next?
In this tutorial we have configured a basic OID4VCI Authorization Code flow. However, you can use MATTR VII to create more complex and rich issuance experience. Check out more resources on MATTR Learn that will enable you to:
- Experiment with a different issuance flow by completing the OID4VCI Pre-authorized Code flow tutorial.
- Configure a Claims source to retrieve data from compatible data sources and use it in the issued credential.
- Configure an Interaction hook to redirect the user to custom components as part of the issuance workflow.
- Apply branding to issued credentials as part of creating a Credential configuration.
How would you rate this page?