Set up an OIDC Credential Verifier

The OIDC Bridge Extension requires setting up an OIDC Credential Verifier on your MATTR VII tenant so that an OIDC client can initiate a request that a digital wallet app can understand and respond to with a verifiable presentation.

Prerequisites

  • Access to MATTR VII APIs. If you’re experiencing any difficulties, contact us.

  • The DID associated with your MATTR VII tenant.

  • The id of a Presentation Request Template available on your tenant.

Request

Make a request of the following structure to create an OIDC Credential Verifier:

http
POST https://YOUR_TENANT_URL/ext/oidc/v1/verifiers

json
{
    "verifierDid": "did:web:example.com",
    "presentationTemplateId": "364b6a1b-3600-4927-a6ac-4d66aa6bbac3",
    "claimMappings": [
        {
            "jsonLdFqn": "http://schema.org/givenName",
            "oidcClaim": "given_name"
        },
        {
            "jsonLdFqn": "http://schema.org/familyName",
            "oidcClaim": "family_name"
        },
        {
            "jsonLdFqn": "http://schema.org/educationalCredentialAwarded",
            "oidcClaim": "https://tenant.vii.mattr.global/educationalCredentialAwarded"
        }
    ],
    "includePresentation": true
}

  • verifierDid: Specifies the DID that the verifiable presentation will be sent to.

  • presentationTemplateId: References the unique identifier of a Presentation Request Template that will be used by this verifier to create presentation requests.

  • claimMappings: As part of verifying a credential, the OIDC client initiates the request expecting a standard OIDC ID Token. However, as the digital wallet provides the credential in JSON-LD terms, these mappings are required to map JSON-LD claims to OpenID Connect terms:

    • jsonLdFqn is the fully qualified JSON-LD term.

    • oidcClaim is the OIDC claim name.

    • Currently the platform only supports schema.org for data vocabularies.

    • Make sure to use http:// and not https:// when entering jsonLdFqn values for schema.org. Otherwise you may not get the claims returned in your ID Token.

    • Standard OIDC claims are available on the Common Credential to OIDC Claim mappings page, so you can just copy & paste into your payload.

  • includePresentation (optional): When set to true, the generated id_token will include the original presentation from the wallet.
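
The mapping rules above can be checked before the request is sent. The following is an added example, not MATTR code: lint_verifier_payload and SAMPLE are hypothetical names, and treating a repeated OIDC claim as a problem is an assumption of this example rather than a documented platform rule.

```python
SCHEMA_ORG = "http://schema.org/"  # the page: schema.org only, http:// not https://


def lint_verifier_payload(payload):
    """Return a list of problems in a create-verifier request body."""
    problems = []
    if not str(payload.get("verifierDid", "")).startswith("did:"):
        problems.append("verifierDid is not a DID")
    if not payload.get("presentationTemplateId"):
        problems.append("presentationTemplateId is missing")
    seen = set()
    for i, m in enumerate(payload.get("claimMappings", [])):
        where = f"claimMappings[{i}]"
        fqn, claim = m.get("jsonLdFqn"), m.get("oidcClaim")
        if not fqn or not claim:
            problems.append(f"{where}: needs jsonLdFqn and oidcClaim")
            continue
        if fqn.startswith("https://schema.org/"):
            problems.append(f"{where}: use http://schema.org/, not https://")
        elif not fqn.startswith(SCHEMA_ORG):
            problems.append(f"{where}: {fqn} is not a schema.org term")
        # Assumption of this example: one OIDC claim should have one source term.
        if claim in seen:
            problems.append(f"{where}: OIDC claim {claim} is mapped twice")
        seen.add(claim)
    if not isinstance(payload.get("includePresentation", False), bool):
        problems.append("includePresentation must be true or false")
    return problems


# Constructed sample: the request above with two deliberate mistakes.
SAMPLE = {
    "verifierDid": "did:web:example.com",
    "presentationTemplateId": "364b6a1b-3600-4927-a6ac-4d66aa6bbac3",
    "claimMappings": [
        {"jsonLdFqn": "https://schema.org/givenName", "oidcClaim": "given_name"},
        {"jsonLdFqn": "http://schema.org/familyName", "oidcTerm": "family_name"},
        {"jsonLdFqn": "http://schema.org/educationalCredentialAwarded",
         "oidcClaim": "https://tenant.vii.mattr.global/educationalCredentialAwarded"},
    ],
    "includePresentation": True,
}

if __name__ == "__main__":
    for problem in lint_verifier_payload(SAMPLE):
        print(problem)
```

An empty list means the body follows the rules listed above; it does not confirm that the DID or template exists on the tenant.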

Response

json
{
    "id": "41458e5a-9092-40b7-9a26-d4eb43c5792f",
//... rest of OIDC Verifier
}

Once created, this OIDC Verifier is publicly available on its /.well-known/openid-configuration path. No Authorization header is required, as this path is intended for OIDC Client applications to resolve:

http
GET https://YOUR_TENANT_URL/ext/oidc/v1/verifiers/41458e5a-9092-40b7-9a26-d4eb43c5792f/.well-known/openid-configuration

What's next?

Now that your OIDC Verifier is set up, you can continue to configure an OIDC Client.