OpenID4VCI Workflow

Creating a Credential offer

The workflow begins when an issuer creates what is referred to as a credential offer, used to share important information with the holder’s digital wallet. This includes the credential’s issuer, what it includes and how to claim it. The OID4VCI specification defines a method for a digital wallet to discover this information in a standardized and interoperable way.

Sharing a Credential offer

Credential offers are created by making a request to a MATTR VII endpoint that returns an offer URI. This URI is shared with the intended holder as a QR code, wallet push notification or a deep-link. The offer only includes metadata required to initiate the issuance process, and the actual credential is only created and signed later in the workflow.

Accepting a Credential offer

Once the wallet receives the credential offer, it makes a request to the issuer’s .well-known endpoint (https://{your_tenant_url}/.well-known/openid-credential-issuer). The OID4VCI specification defines that this endpoint must be publicly available and include information required to initiate the issuance workflow. This includes what type of credentials will be issued and by whom, and also details endpoints and parameters that will be used as part of the workflow.

The wallet displays relevant information from the credential offer to the holder, asking for their consent to begin the issuance workflow.

Authentication

When the holder consents they are redirected to a configured Authentication provider, used to authenticate and identify the holder. This provider can also be used as an identity provider to retrieve claims about the authenticated user. Once retrieved, these claims can be used in the issued credential.

After the holder completes authentication, they are redirected from the Authentication provider back to the issuance workflow.

Custom components (optional)

This is where issuers can optionally add their own business logic to the workflow by configuring an Interaction hook. This is optional step enables issuers to plug in any custom experiences to interact with the holder after they have authenticated but before the credential is issued. For example, this can be used to gather additional information from the user or to add higher identity assurance components such as a liveness or biometrics checks.

Querying an external database (optional)

Following the interaction hook, issuers can configure another optional step to retrieve additional user claims from an existing databases and use it in the issued credential. This integration is referred to as a Claims source. Claims sources can query the configured endpoints with any of the user claims retrieved from the Authentication provider and/or Interaction hook. This enables the issuer to create flexible and efficient queries to retrieve the exact user claims required to issue a specific credential.

Formatting and Signing the credential

Now that all the data is available, MATTR VII will format it into a digital credential and cryptographically sign it. This is achieved using a Credential configuration that is defined as part of the credential offer. This is a template that defines how should the issued credential be constructed. It details where the credential claims are mapped from, what the credential should look like in the wallet, when and if it should expire and whether it is revocable.

Delivering the signed credential

Finally, the signed credential is delivered directly to the holder’s digital wallet and can be presented to verifying parties upon request.