Learn how to integrate a claims source into an OID4VCI workflow
Introduction
In an OpenID4VCI issuance workflow, you can enhance the credential issuance process by configuring your tenant to fetch claims directly from a compatible Claims source. These claims can then be used to issue verifiable credentials tailored to the user's data.
Claim sources can be integrated both to OID4VCI Authorization Code and Pre-authorized Code flows.
This tutorial focuses on guiding you through the process of setting up an OID4VCI workflow that integrates a claims source to retrieve and utilize claims during credential issuance—showing you how to achieve this using both the MATTR Portal and the MATTR VII Platform APIs.
Prerequisites
- Ensure you have completed either the Authorization Code or Pre-authorized Code tutorials, as the claims source tutorial builds upon them.
- Download the sample Claims source application, which will be used to simulate a claims source.
- To test locally you will need to expose your local claims source to the internet. You can do this by setting up a free ngrok account, using a Cloudflare tunnel or using your own solution. For this tutorial we will be using ngrok. Sign up for a free account at ngrok.com.
We recommend using the MATTR VII Postman collection in this tutorial. While this isn't an explicit prerequisite it can really speed things up.
Tutorial overview
The current tutorial builds upon the Authorization Code or Pre-authorized Code tutorials by adding the following steps:
- Set up a local Claims source: Use the provided sample Node.js application to simulate a claims source by providing a REST API to retrieve claims for specific users.
- Integrate the Claims source with MATTR VII: Configure MATTR VII to connect to and utilize the sample Claims source for retrieving claims during an OID4VCI workflow.
Tutorial steps
Set up a local Claims source
-
Clone the MATTR Sample Apps repo to your machine and navigate to the
claims-source-app
folder. -
Rename the
env-example
file to.env
. -
Change the value of
NGROK_AUTHTOKEN
to your ngrok authentication token. -
Open the
database.json
file and add a new object to represent a user with claims:- Set any number as the user's
age
. - Set the
email
value based on the type of flow you are implementing:- If you are building on top of the Authorization Code flow tutorial, use the email address that matches the email of the user you created in your Auth0 application.
- If you are building on top of the Pre-authorized Code flow tutorial, you can use any email address, but make note of it as you will need it later when you create the credential offer.
- Set any number as the user's
-
Start the claims source app either via npm or docker:
Start via npm npm install npm run start
or
Start via docker docker compose up --build
-
Make note of the
Public Claims Source URL
displayed in the terminal after starting the app. This URL will be used to configure the Claims source in your MATTR VII tenant.
Your claim source is now set up and ready to be used, as the provided application meets the requirements for integrating a Claim source into a MATTR VII OID4VCI workflow.
Next, we will configure MATTR VII to connect to this claims source.
Configure the Claims source in your MATTR VII tenant
This step can be achieved either via the MATTR Portal or the MATTR VII Platform APIs.
-
In the navigation panel on the left-hand side, expand the Credential Issuance menu.
-
Select Claims sources.
-
Click the Create new button.
-
Insert a meaningful name for your Claims source in the Name field.
-
In the URL field, paste the
Public Claims Source URL
generated when you started the claims source application. -
In the Authorization type section, select API Key as the type.
-
In the API Key field, paste
supersecretapikey
. This is the API key used by the sample claims source application to control access. In Production environments, it is strongly recommended to use a more secure API key. -
Paste the following code into the Request parameters field:
Request parameters { "email": { "mapFrom": "claims.email" } }
This maps the user's
email
claim to a request parameter that will be sent to the claims source to retrieve user-specific information.- In Authorization code flows it is provided by the Authentication provider.
- In Pre-authorized code flows it is provided by the issuer as part of the credential offer.
-
Select Save to create the Claims source.
Make a request of the following structure to configure a new claims source:
POST /v1/claim-sources
{
"name": "My tutorial Claims source",
"url": "<CLAIM_SOURCE_URL>",
"authorization": {
"type": "api-key",
"value": "supersecretapikey"
},
"requestMethod": "GET",
"requestParameters": {
"email": {
"mapFrom": "claims.email"
}
}
}
url
: Replace this with thePublic Claims Source URL
URL generated when you started the claims source application. The URL should follow this format:https://<YOUR_NGROK_SUBDOMAIN>/claims
.authorization
: Specifies how to access the claims source. The sample claims source application uses an API key (supersecretapikey
) for access control. For production environments, it is strongly recommended to use a more secure API key.requestParameters
: Maps the user'semail
claim to a request parameter. This parameter is sent to the claims source to retrieve user-specific information.- In Authorization code flows it is provided by the Authentication provider.
- In Pre-authorized code flows it is provided by the issuer as part of the credential offer.
Response
{
"id": "945214ad-3635-4aff-b51d-61d69a3c8eee"
// Remaining response properties
}
id
: Unique identifier for the configured Claims source. We will use it in the next step to integrate the Claims source into the OID4VCI workflow.
Use the Claim source in a credential configuration
This step can be achieved either via the MATTR Portal or the MATTR VII Platform APIs.
-
In the navigation panel on the left-hand side, expand the Credential Issuance menu.
-
Select Mobile credential.
-
Select the Create new button.
-
In the Name text box, enter a clear and descriptive title that will appear on the credential in the wallet, for example "Enriched Credential".
-
In the Description text box, enter a clear and descriptive description that will appear on the credential in the wallet, for example "Credential with integrated claims source".
-
In the Credential type text box, enter a unique identifier for the credential type, for example
com.example.credentialwithclaims
. -
Paste the following JSON into the Claim mappings text box:
Claim mappings { "com.example.personaldetails.1": { "name": { "mapFrom": "claims.name", "type": "string" }, "email": { "mapFrom": "claims.email", "type": "string" }, "age": { "mapFrom": "claims.age", "type": "number" } } }
The
age
claim will be retrieved from the Claims source configured in the next step, while thename
andemail
claims will be retrieved from the authentication provider (e.g., Auth0) during the OID4VCI workflow. -
Use the Claim source dropdown to select the Claims source you created in the previous step. This will allow the credential to retrieve claims from the configured Claims source during issuance.
-
Enter "1" in the Months text box in the Validity for panel to set the credential expiration period.
-
Select the Create button to create the credential configuration.
Make the following request to create a simple mDoc credentials configuration that includes the holder's name and e-mail, but also their age from your configured Claims source:
POST /v2/credentials/mobile/configurations
{
"type": "com.example.credentialwithclaims",
"expiresIn": {
"months": 1
},
"claimMappings": {
"com.example.personaldetails.1": {
"name": {
"mapFrom": "claims.name",
"type": "string"
},
"email": {
"mapFrom": "claims.email",
"type": "string"
},
"age": {
"mapFrom": "claims.age",
"type": "number"
}
}
},
"branding": {
"name": "My Credential with Claims",
"description": "For rich credential issuance experience",
"backgroundColor": "#a22dd8ff"
},
"claimSourceId": "<CLAIM_SOURCE_ID>",
"includeStatus": true
}
age
: This claim represents the user's age. It is retrieved from the Claims source and stored in the usersclaims
object as a newage
property. During credential issuanceclaims.age
will be mapped to theage
claim in the credential.claimSourceId
: Replace this with theid
value returned in the response when you configured the Claims source in the previous step.
Response
{
"id": "294868aa-3814-4a50-9862-5ff48381a8e5"
//... rest of your credential configuration
}
id
: Unique identifier for the created mDocs credentials configuration. This ID is used to create a Credential offer in the next step.
Create a Credential offer
You now have all the pieces in place and can wrap them all together to generate a Credential offer and share it with the intended holder.
Make sure you create a credential offer that matches the flow you are implementing.
Test the workflow
- Open the GO hold example app.
- Select Scan.
- Scan the QR code generated in the previous step.
- Review the credential offer and select Accept.
- Follow the issuance workflow instructions to claim the credential.
You should now see a credential in your wallet that includes the age
claim, which was retrieved
from your configured Claims source. MATTR VII obtains this claim by querying the Claims source using
the user's email—either supplied by the authentication provider (Authorization Code flow) or
specified in the credential offer (Pre-authorized Code flow).
What's next?
Check out more resources on MATTR Learn that will enable you to:
- Configure an Interaction hook to redirect the user to custom components as part of the issuance workflow (only supported for the Authorization Code flow).
- Apply branding to issued credentials as part of creating a Credential configuration.
How would you rate this page?