Learn how to build an application that can verify an mDoc from another app on the same device
Overview
In this tutorial you will use the mDocs Mobile Verifier SDKs to build an application that can verify an mDoc presented from a different application on the same device via OID4VP , as defined in ISO 18013-7 Annex B.
- A relying party uses the Mobile Verifier SDK to embed a remote verification workflow into a mobile application.
- When a user interacts with the mobile application, a matching wallet application installed on their mobile device is invoked to request an mDoc for verification.
- The user consents to sharing the requested information.
- The user’s wallet application shares the matching mDoc with the MATTR VII tenant configured by the Mobile Verifier SDK to perform the verification workflow.
- The MATTR VII tenant performs the required checks and returns the verification results via the Mobile Verifier SDK to the verifier application.
- The user journey continues based on the verification results.
The result will look something like this:
To achieve this, you will build the following capabilities into your verifier application:
- Initialize the SDK, so that your application can use its functions and classes.
- Request an mDoc for verification from a compliant wallet application.
- Handle the redirect from the wallet application.
- Display the verification results.
Prerequisites
Before you get started, let’s make sure you have everything you need.
Prior knowledge
-
The remote verification workflow described in this tutorial is based on the OID4VP specification and the ISO 18013-7 standard. If you are unfamiliar with these, refer to the following resources for more information:
- What are mDocs?
- What is remote verification?
- Breakdown of the remote mobile app verification workflow.
-
We assume you have experience developing applications in the relevant programming languages and frameworks (Swift for iOS and Kotlin for Android).
Assets
Development environment
Testing device
You will need to have a mobile device to test the workflow.
Got everything? Let’s get going!
Overview
The following diagram depicts the workflow you will build in this tutorial:
- The user triggers the workflow by interacting with the verifier application.
- The verifier application uses the embedded Mobile Verifier SDK capabilities to start a presentation-based verification session with the configured MATTR VII tenant.
- The MATTR VII tenant responds with a link to invoke a matching wallet application.
- The verifier application uses the link to invoke a matching wallet application using a redirect.
- The wallet application makes a request to the MATTR VII tenant to retrieve a request object, defining what information is requested for verification.
- The MATTR VII tenant returns the request object to the wallet application.
- The wallet application (upon user consent) returns an authorization response to the MATTR VII tenant, which includes the information required for verification.
- The MATTR VII tenant returns the verification results to the verifier application.
- The verifier application surfaces the verification results to the user and the interaction continues.
You will build this workflow in two parts:
- Part 1: Setup the MATTR VII Verifier tenant.
- Part 2: Build a mobile application with mDocs verification capabilities.
Part 1: Setup the MATTR VII Verifier tenant
The MATTR VII tenant will be used to interact with your mobile application (generating a verification request) and the wallet application (presenting an mDoc for verification) as per OID4VP and ISO/IEC 18013-7 Annex B. To enable this, you must:
- Create a verifier application configuration: Define what applications can create verification sessions with the MATTR VII tenant, and how to handle these requests.
- Create a trusted wallet provider configuration: Define how to invoke specific wallet applications as part of a remote verification workflow.
- Configure a trusted issuer: The MATTR VII verifier tenant will only accept mDocs issued by these trusted issuers.
Create a verifier application configuration
Each MATTR VII tenant can interact with multiple verifier applications, and can handle requests differently for each application. This means you must create a verifier application configuration that defines how to handle verification requests from your mobile application.
Request
Make the following request to your MATTR VII tenant to create a verifier application configuration:
POST /v2/presentations/applications
Request body
{
"name": "My Mobile Verifier Application",
"type": "ios",
"teamId": "A2B3C4D5E6",
"bundleId": "io.mattrlabs.dev.sampleApp.MdocSampleApp",
"openid4vpConfiguration": {
"redirectUri": "io.mattrlabs.dev.sampleApp.MdocSampleApp://my/path"
},
"resultAvailableInFrontChannel": true
}
name
: You can use whatever name you’d like, as long as it is unique on your tenant.type
: Useios
as you are building an iOS application.teamId
: Replace with your Apple Developer Team ID associated with your iOS application. You can find it in the Membership details section of your Apple Developer account .bundleId
: Replace with your iOS application bundle identifier. This is the unique identifier of your iOS application, which you can set in your Xcode project settings . This will be used by the MATTR VII tenant to validate incoming requests are from a known and trusted application.openid4vpConfiguration
:redirectUri
: This is the URI the user is redirected to after presenting the credential from their wallet. This can point to your app via a custom URI scheme or a web page.
resultAvailableInFrontChannel
: Setting this totrue
makes the verification results available directly to the mobile application.
Response
{
"id": "0eaa8074-8cc4-41ec-9e42-072d36e2acb0",
"name": "My Mobile Verifier Application"
//... rest of application configuration
}
id
: You will use this value later to initialize the SDK so that requests coming from your verifier application can be recognized and trusted by the MATTR VII tenant.
Create a trusted wallet provider configuration
Verifier applications can define specific wallet applications to accept mDocs from as part of their verification workflows. The MATTR VII verifier tenant needs to be configured with a specific URI scheme that will be used to invoke these wallets.
Request
Make the following request to your MATTR VII tenant to create a trusted wallet provider configuration:
POST /v2/presentations/wallet-providers
Request body
{
"name": "My Trusted Wallet Provider",
"openid4vpConfiguration": {
"authorizationEndpoint": "mdoc-openid4vp://"
}
}
name
: Unique name to identify this trusted wallet provider.authorizationEndpoint
: URI scheme that will be used to invoke the wallet application. You can learn more about URI scheme selection logic here.
The authorizationEndpoint
configured in the example above (mdoc-openid4vp://
) is the default
OID4VP scheme. While this is technically redundant, we chose to include this step to explain how
to configure this endpoint for wallet application using different schemes.
Response
{
"id": "99890c34-e4b7-4a23-84d6-e5de57114c00",
"name": "My Trusted Wallet Provider",
"openid4vpConfiguration": {
"authorizationEndpoint": "mdoc-openid4vp://"
}
}
id
: You will use this value later to indicate this is the wallet the verifier application expects to receive mDocs from.
Configure a trusted issuer
You must configure trusted issuers on your MATTR VII verifier tenant, as presented mDocs will only be verified if they had been issued by a trusted issuer.
This is achieved by providing the PEM certificate of the IACA used by these issuers to sign mDocs. In production environments the issuer can provide it out of band or you can obtain it via their issuer’s metadata.
Request
Make the following request to your MATTR VII tenant to configure a truster issuer:
POST /v2/credentials/mobile/trusted-issuers
Request body
{
"certificatePem": "-----BEGIN CERTIFICATE-----\nMIICYzCCAgmgAwIBAgIKXhjLoCkLWBxREDAKBggqhkjOPQQDAjA4MQswCQYDVQQG\nEwJBVTEpMCcGA1UEAwwgbW9udGNsaWZmLWRtdi5tYXR0cmxhYnMuY29tIElBQ0Ew\nHhcNMjQwMTE4MjMxNDE4WhcNMzQwMTE1MjMxNDE4WjA4MQswCQYDVQQGEwJBVTEp\nMCcGA1UEAwwgbW9udGNsaWZmLWRtdi5tYXR0cmxhYnMuY29tIElBQ0EwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBnqobOh8baMW7mpSZaQMawj6wgM5e5nPd6HXp\ndB8eUVPlCMKribQ7XiiLU96rib/yQLH2k1CUeZmEjxoEi42xo4H6MIH3MBIGA1Ud\nEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRFZwEOI9yq\n232NG+OzNQzFKa/LxDAuBgNVHRIEJzAlhiNodHRwczovL21vbnRjbGlmZi1kbXYu\nbWF0dHJsYWJzLmNvbTCBgQYDVR0fBHoweDB2oHSgcoZwaHR0cHM6Ly9tb250Y2xp\nZmYtZG12LnZpaS5hdTAxLm1hdHRyLmdsb2JhbC92Mi9jcmVkZW50aWFscy9tb2Jp\nbGUvaWFjYXMvMjk0YmExYmMtOTFhMS00MjJmLThhMTctY2IwODU0NWY0ODYwL2Ny\nbDAKBggqhkjOPQQDAgNIADBFAiAlZYQP95lGzVJfCykhcpCzpQ2LWE/AbjTGkcGI\nSNsu7gIhAJfP54a2hXz4YiQN4qJERlORjyL1Ru9M0/dtQppohFm6\n-----END CERTIFICATE-----"
}
certificatePem
: This is the IACA identifying the MATTR Labs demo issuer which issues the credential referenced in the Testing device prerequisite.
If you intend to test this tutorial with a credential different than the one recommended in our
Testing device prerequisite, replace the certificatePem
value with your own
issuer’s IACA.
Response
A successful 201
response indicates that this issuer’s certificate was added to your MATTR VII
tenant’s trusted issuer’s list. This means that mDocs that use this IACA as their root certificate
can be trusted and verified.
Part 2: Build a mobile application with mDocs verification capabilities
Now that the MATTR VII verifier tenant is properly configured, you can proceed with the steps required to embed verification capabilities into your mobile verifier application:
- Setup your environment: Setup the required infrastructure for your mobile application.
- Initialize the SDK: So that the SDK functions are available in your mobile application.
- Request a credential from wallet application: Build the capability to request an mDoc for verification from a wallet application.
- Display verification results:
Step 1: Environment setup
Step 2: Initialize the SDK
Step 3: Request a credential from wallet application
Once the SDK is initialized, you can start building the capabilities to request an mDoc for verification from a wallet application. This is done by:
- Creating a request object that defines what information is required for verification.
- Sending this request to the wallet application installed on the device.
- Redirecting the user to the wallet application to present the requested mDoc.
Step 4: Display verification results
Once the user provides their consent to share the requested information, the wallet application will send the response back to the MATTR VII tenant, which will then return the verification results to your verifier application and redirect the user back to the configured redirect URI. In this part of the tutorial you will build the capability to handle this redirect and display the verification results in your application.
Test the end-to-end workflow
- Run the app.
- Select the Request credentials button.
You should be redirected to a compliant wallet application, where you will see the verification request details and choose what mDoc to present for verification. - Use the wallet application to present the requested mDoc.
You will be redirected back to the verifier application where you will see the verification results.
You should see a result similar to the following:
- The verifier app starts a presentation session and gets redirected.
- The user is redirected to a compliant wallet application.
- The user provides their consent to share the requested information.
- The wallet application sends the response back to the MATTR VII tenant.
- The MATTR VII tenant redirects the user back to the verifier app with the verification results.
- The verifier app fetches the result and presents the result to user.
Congratulations! Your verifier application can now verify mDocs presented from a compliant wallet installed on the same mobile device.
Summary
You have just used the mDocs Mobile Verifier SDKs to build an application that can verify an mDoc presented from a compliant wallet on the same device using a remote presentation workflow as per OID4VP and ISO/IEC 18013-7 Annex B.
This was achieved by building the following capabilities into the application:
- Initialize the SDK, so that your application can use its functions and classes.
- Request an mDoc for verification from a compliant wallet application.
- Display verification results in your verifier application.
What’s next?
- You can check out the SDKs reference documentation to learn more about available functions and classes: