Authentication provider
An authentication or identity provider (IdP) is a platform used to store and manage user accounts. MATTR VII uses auth providers to authenticate users before issuing them credentials as part of the OID4VCI workflow.
To configure a MATTR VII Authentication provider you will need an existing provider that exposes an OpenID Connect-based interface, populated with users who can be issued verifiable credentials. Your provider should allow creating application clients, which will be used by MATTR VII to generate the authentication requests when issuing credentials.
Alongside authentication, you can configure MATTR VII to query your provider for different scopes of claims that can be retrieved and used as part of the OID4VCI workflow. Available scopes depend on your provider and its configuration. See Auth0 supported scopes as an example.
Each MATTR VII tenant has a single Authentication provider which is used for all OID4VCI workflows.
Requirements
You can use any OpenID provider if it supports the following capabilities specified by OpenID Connect Core and OpenID Connect Discovery:
- Must publish its OpenID Provider configuration at /.well-known/openid-configuration
- Must support Authorization Code flow
- Must support the state parameter
These requirements allow the OID4VCI workflow to engage with your Authentication provider and accept an ID Token containing the user claims.
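The following is an added example, not part of the MATTR VII documentation or product, showing how a practitioner can check a candidate provider against the three requirements above before configuring it. It parses a constructed sample discovery document (placeholder issuer and endpoint URLs), checks that the Authorization Code flow and a signed ID token are advertised, and verifies state support the only way it can be verified: by confirming the value sent is the value echoed back on the redirect.

```python
# Added example (not MATTR VII code): pre-flight checks for an OpenID Provider
# against the three requirements above. Endpoint URLs are constructed placeholders.
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample of a discovery document, shaped like the JSON a provider
# serves at <issuer>/.well-known/openid-configuration. Not a real provider.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery: the configuration is served at
    <issuer>/.well-known/openid-configuration (avoid a double slash
    when the issuer already ends with one)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_provider(doc: dict) -> list[str]:
    """Return the problems found in a parsed discovery document.
    An empty list means the provider advertises what the OID4VCI flow needs."""
    problems = []
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    for field in required:
        value = doc.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"missing required field: {field}")
        elif urlparse(value).scheme != "https":
            # Codes and tokens travel over these URLs; plaintext HTTP is a finding.
            problems.append(f"{field} is not https: {value}")
    # Authorization Code flow is requested with response_type=code.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("Authorization Code flow not offered: 'code' missing from response_types_supported")
    # grant_types_supported is OPTIONAL in Discovery; its default includes authorization_code.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not listed in grant_types_supported")
    # The ID token carrying the user claims must be verifiably signed.
    algs = [a for a in doc.get("id_token_signing_alg_values_supported", []) if a != "none"]
    if not algs:
        problems.append("no ID token signing algorithm other than 'none'")
    return problems


def check_provider_json(text: str) -> list[str]:
    """Same check, starting from the raw HTTP response body."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["discovery document is not a JSON object"]
    return check_provider(doc)


def state_round_trip_ok(sent_state: str, callback_url: str) -> bool:
    """Discovery metadata does not advertise state support; the only proof is a
    round trip. The value echoed back on the redirect URI must equal the one
    sent, compared in constant time."""
    echoed = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return hmac.compare_digest(sent_state.encode(), echoed.encode())


if __name__ == "__main__":
    print("discovery URL:", discovery_url(SAMPLE_DISCOVERY["issuer"]))
    print("problems:", check_provider(SAMPLE_DISCOVERY) or "none")
    print("state echoed:", state_round_trip_ok("s1", "https://tenant.example/callback?code=c&state=s1"))
```

Run it against the body fetched from your provider's real discovery URL; an empty problem list plus a successful state round trip covers all three requirements. A provider that omits "code" from response_types_supported, or whose endpoints are not HTTPS, is not usable for this workflow.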
Request parameters
You can configure MATTR VII to include request parameters when the holder is redirected to the Authentication provider:
- Static request parameters are included in the request to your IdP, and will be identical for every request as defined in your configuration. An example would be setting the prompt parameter to login to let your Authentication provider know it should show the login page every time.
  - Keys must be strings.
  - Values of top-level object keys must stringify to less than 1000 characters.
- Dynamic request parameters are fetched uniquely for each request to make the user journey more seamless. Here, you can forward parameters to your Authentication provider like login_hint, which will pass the email of the user starting the flow.
  - Dynamic parameter values are limited to 1000 characters each.
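As an added example that is not MATTR VII code, the block below builds the authorization request the holder would be redirected to, merging a static parameter (prompt=login) and a dynamic one (login_hint) into an Authorization Code request with state, and enforcing the limits listed above: string keys, static values that stringify to under 1000 characters, dynamic values of at most 1000 characters. It also refuses a configured parameter that would override a protocol parameter such as state or scope, which the list above does not mention but which the same validation step is the right place to catch. The endpoint, client id and redirect URI are placeholders.

```python
# Added example (not MATTR VII code): build the authorization request the holder is
# redirected to, merging static and dynamic request parameters under the limits
# stated above. Endpoint, client id and redirect URI are constructed placeholders.
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

VALUE_LIMIT = 1000  # character limit stated for both kinds of request parameter

# Parameters the flow sets itself; a configured extra must never override them.
PROTOCOL_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state", "nonce"}


class RequestParameterError(ValueError):
    """A configured request parameter violates the documented constraints."""


def validate_static_params(params: dict) -> dict[str, str]:
    """Static parameters: keys must be strings and each top-level value must
    stringify to fewer than 1000 characters (non-string values are JSON-encoded)."""
    out = {}
    for key, value in params.items():
        if not isinstance(key, str):
            raise RequestParameterError(f"static key is not a string: {key!r}")
        text = value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
        if len(text) >= VALUE_LIMIT:
            raise RequestParameterError(
                f"static value for {key!r} has {len(text)} chars; must be under {VALUE_LIMIT}")
        out[key] = text
    return out


def validate_dynamic_params(params: dict) -> dict[str, str]:
    """Dynamic parameters (e.g. login_hint) are per-request strings of at most 1000 characters."""
    out = {}
    for key, value in params.items():
        if not isinstance(key, str) or not isinstance(value, str):
            raise RequestParameterError(f"dynamic parameter {key!r} needs a string key and a string value")
        if len(value) > VALUE_LIMIT:
            raise RequestParameterError(
                f"dynamic value for {key!r} has {len(value)} chars; limit is {VALUE_LIMIT}")
        out[key] = value
    return out


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            scopes, static_params, dynamic_params):
    """Return (url, state). Store `state` server-side and compare it on the callback."""
    extra = {**validate_static_params(static_params), **validate_dynamic_params(dynamic_params)}
    clash = PROTOCOL_PARAMS & extra.keys()
    if clash:
        raise RequestParameterError(
            f"request parameters may not override protocol parameters: {sorted(clash)}")
    state = secrets.token_urlsafe(32)  # unguessable; binds the callback to this request
    nonce = secrets.token_urlsafe(32)  # echoed in the ID token; binds the token to this request
    query = {
        "response_type": "code",        # Authorization Code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        **extra,
    }
    return f"{authorization_endpoint}?{urlencode(query)}", state


def query_params(url: str) -> dict[str, str]:
    """Single-valued view of a URL's query string, for inspecting the built request."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    url, state = build_authorization_url(
        "https://idp.example.com/authorize",     # placeholder endpoint
        "mattr-vii-client",                      # placeholder client id
        "https://tenant.example.com/callback",   # placeholder redirect URI
        ["openid", "email"],
        static_params={"prompt": "login"},                   # identical on every request
        dynamic_params={"login_hint": "alice@example.com"},  # supplied per request
    )
    print(url)
```

A static value that is an object (for example a claims request) is JSON-encoded before the length check, which is what "must stringify to less than 1000 characters" amounts to in practice; a dynamic value such as an email address is passed through as given, so anything the user supplies for it should already be validated by the time it reaches this step.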
Persisting claims
Upon successful authentication the provider responds with an ID token. You can configure MATTR VII to persist selected claims on your tenant.
By default no claims are persisted. It is highly recommended to take privacy considerations into account before configuring MATTR VII to persist any claims.