Issue a Credential using OIDC Bridge
This guide will step through how to issue a credential to the MATTR Wallet once the MATTR tenant has been configured for Verifiable Credential issuance using an OpenID Connect Provider.
You need the following in order to proceed with this tutorial:
Access to MATTR VII APIs. If you’re experiencing difficulty, contact us.
The DID (Decentralized ID) to use for issuing credentials. Take a look at Tenant Setup for more information.
A correctly-configured OpenID Provider (OP). Have the client_secret close at hand.
Set up an OIDC Credential Issuer and have the
Download the MATTR Wallet and have it set up with a PIN.
If you’re experiencing any difficulties please contact us.
Configure Auth0 OIDC Provider
Open your Auth0 application and navigate to the ‘Settings’ tab.
Update the ‘Allowed Callback URLs’ to include the callbackUrl from the OIDC Credential Issuer you have created.
Embed in a QR Code
A common way to allow a mobile wallet user to reference the issuer is to encode the openid:// URL within a QR code.
Remember the issuer is long-lived and can be referenced by many clients. You could even print out the QR code.
There are many QR generation services available which may be useful at this point:
MATTR is not affiliated with any of these service providers and cannot vouch for their offerings.
Make the QR code large enough to be resolved by a phone camera; 200px square is fine.
Let’s use an API service to generate the QR code:
Try it out
At this stage you should be able to open the MATTR Wallet, tap ‘Scan’, and point the camera at the QR code.
You will now see the Credential Offer on screen.
You should see that the offer has been sent from a verified domain (your MATTR tenant).
Tap ‘View’ to see the particulars of the offer.
Tap ‘Proceed’ to move to the next step.
Upon end-user acceptance of the offer:
The MATTR Wallet retrieves the /.well-known/openid-configuration metadata values from the OIDC Issuer you configured.
The MATTR Wallet creates a unique DID to be used for this interaction.
The MATTR Wallet opens a WebView and navigates to the /authorize endpoint for the OIDC Issuer (the unique DID is included in this request).
The OIDC Issuer redirects the end user to the configured federated provider within the WebView.
The Federated Provider presents a login screen.
Following successful end-user authentication via the federated provider:
The ID Token from the federated provider is passed to the OIDC Issuer.
The claims provided within the ID Token are used to create the credential (including the unique subject DID created above).
Finally, the credential is passed to the MATTR Wallet wherein you can tap ‘View’ to inspect its contents.
This subject-bound Verifiable Credential is now saved in the MATTR Wallet and able to be presented to any requesting party. Such a presentation will usually also evidence ownership of the DID named as subject.
The issued credential will support revocation. For more information please see the credential revocation overview.
The metadata for the issued credential is held in a registry and can be retrieved via the list credentials endpoint. The tag in the credential metadata will be set to the sub value of the ID token of the federated provider.
For more information on holding the credential in a registry, please see Hold a Credential in a Registry.
You may encounter some technical difficulties while running this tutorial. Below are a few common problems and their solutions.
The App opens but refuses to show the credential being offered
Check that you have encoded the Issuer Id correctly in the QR code
Your phone will need public internet access. Check it can access common websites.
Check that you can open the exact URL embedded in the code
Scanning the QR code using the phone’s camera doesn’t open the app (opens Google search or tries to load in the browser and fails)
Make sure you have the MATTR Wallet set up with a PIN
Make sure the QR is large enough to be read by your phone; try creating a larger QR Code (say 300 x 300 px)
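The first two checks under "The App opens but refuses to show the credential being offered" can be run on the openid:// URL before it is encoded or printed, since the QR code is long-lived. The following is an added example, not MATTR's code: it assumes the URL has the layout openid://discovery?issuer=<issuer URL>, which this page does not spell out, and check_offer_url, tenant.example and the issuer path are hypothetical names and constructed values.

```python
from urllib.parse import urlsplit, parse_qs

WELL_KNOWN = "/.well-known/openid-configuration"


def check_offer_url(offer_url, expected_host):
    """Return (metadata_url, problems) for an openid:// URL bound for a QR code.

    Assumed layout (not taken from the page): openid://discovery?issuer=<issuer URL>.
    metadata_url is the document the wallet will fetch; it is None if any check fails.
    """
    problems = []
    if offer_url != offer_url.strip():
        problems.append("leading or trailing whitespace")
    parts = urlsplit(offer_url.strip())
    if parts.scheme != "openid":
        problems.append(f"scheme is {parts.scheme!r}, expected 'openid'")
    issuers = parse_qs(parts.query).get("issuer", [])
    if len(issuers) != 1:
        problems.append(f"expected one issuer parameter, found {len(issuers)}")
        return None, problems
    issuer = urlsplit(issuers[0])
    if issuer.scheme != "https":
        problems.append("issuer URL is not https")
    if issuer.username is not None or issuer.password is not None:
        problems.append("issuer URL carries userinfo before the host")
    # Exact comparison: a suffix or substring match would accept look-alike hosts.
    if (issuer.hostname or "") != expected_host.lower():
        problems.append(f"issuer host {issuer.hostname!r} is not {expected_host!r}")
    if issuer.query or issuer.fragment:
        problems.append("issuer URL has a query or fragment (unencoded '&' or '#')")
    if problems:
        return None, problems
    return f"https://{issuer.netloc}{issuer.path.rstrip('/')}{WELL_KNOWN}", problems


if __name__ == "__main__":
    # Constructed sample values; substitute your tenant host and issuer URL.
    samples = [
        "openid://discovery?issuer=https://tenant.example/issuers/ISSUER-ID",
        "openid://discovery?issuer=https://tenant.example.other.test/issuers/ISSUER-ID",
        "openid://discovery?issuer=https://tenant.example/issuers/ISSUER-ID\n",
    ]
    for sample in samples:
        url, found = check_offer_url(sample, "tenant.example")
        print(repr(sample), "->", url if url else found)
```

Open the returned metadata URL from the phone's browser to cover the remaining check, that the exact URL embedded in the code is reachable.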