Set up an OIDC Credential Verifier
Introduction
The OIDC Bridge Extension requires an OIDC Credential Verifier to be set up so that an OIDC client can initiate a request that the Mobile Wallet App can understand and respond to with credential data.
This guide will step through how that can be achieved by setting up the OIDC Credential Verifier.
Prerequisites
You need the following in order to proceed with this tutorial:
Access to the MATTR Platform APIs. If you’re experiencing difficulty, contact us.
Know the DID (Decentralized Identifier) to use for receiving Credentials; take a look at tenant setup.
A presentation request template configured in your tenant, and know its id.
Download the MATTR Wallet app and have it set up with a PIN.
Have a verifiable credential in the mobile wallet app that you know the exact subject claims for. Go to issue a credential using OIDC Bridge.
The OIDC Credential Verifier
The OIDC Credential Verifier is designed for an OIDC Client application to request a Credential.
Create an OIDC Credential Verifier
Create an OIDC Credential Verifier by providing a payload:
POST https://YOUR_TENANT_URL/ext/oidc/v1/verifiers
Request
{
  "verifierDid": "did:web:example.com",
  "presentationTemplateId": "364b6a1b-3600-4927-a6ac-4d66aa6bbac3",
  "claimMappings": [
    {
      "jsonLdFqn": "http://schema.org/givenName",
      "oidcClaim": "given_name"
    },
    {
      "jsonLdFqn": "http://schema.org/familyName",
      "oidcClaim": "family_name"
    },
    {
      "jsonLdFqn": "http://schema.org/educationalCredentialAwarded",
      "oidcClaim": "https://tenant.vii.mattr.global/educationalCredentialAwarded"
    }
  ],
  "includePresentation": true
}
Make sure to use http:// and not https:// when entering jsonLdFqn values for schema.org. Otherwise you may not get the claims returned in your ID Token.
The verifierDid specifies the DID where the verifiable presentation will be sent to.
The presentationTemplateId references the request template that defines what type of credential is being requested.
The claimMappings defines the mapping for the presented credential claims from JSON-LD terms to OpenID Connect terms. The JSON-LD claims defined in a JSON-LD Verifiable Credential can be mapped to OpenID Connect claims which are functionally equivalent.
As part of verifying a credential, the OIDC client initiates the request expecting a standard OIDC ID Token. However, because the Mobile Wallet provides the credential to the platform in JSON-LD terms, the Platform translates the claims from the verifiable credential into OpenID Connect ID Token claims.
Currently the platform only supports schema.org for data vocabularies.
The standard OIDC claims are already mapped for you on the Common Credential to OIDC Claim mappings page, so you can copy & paste into your payload.
jsonLdFqn is the fully qualified JSON-LD term.
oidcTerm is the OIDC claim name.
includePresentation is an optional field. It has a boolean value which is set to false by default. If set to true, the generated id_token will include the original presentation from the wallet.
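An added example (not MATTR's code and not part of the original guide): a pre-flight check for the claimMappings array that catches the https://schema.org mistake warned about above and non-schema.org vocabularies, plus a simplified model of the JSON-LD to OIDC claim translation. The function names, the duplicate-claim check and the exact-string matching in map_claims are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample payload modelled on the request above. Mapping [1] uses
# https:// on purpose, and mapping [2] reuses an OIDC claim name.
SAMPLE_PAYLOAD = {
    "verifierDid": "did:web:example.com",
    "presentationTemplateId": "364b6a1b-3600-4927-a6ac-4d66aa6bbac3",
    "claimMappings": [
        {"jsonLdFqn": "http://schema.org/givenName", "oidcClaim": "given_name"},
        {"jsonLdFqn": "https://schema.org/familyName", "oidcClaim": "family_name"},
        {"jsonLdFqn": "http://schema.org/email", "oidcClaim": "given_name"},
    ],
}

def lint_claim_mappings(payload):
    """Return human-readable problems found in payload["claimMappings"]."""
    problems, seen = [], set()
    for i, m in enumerate(payload.get("claimMappings", [])):
        fqn, claim = m.get("jsonLdFqn", ""), m.get("oidcClaim", "")
        url = urlsplit(fqn)
        if url.hostname != "schema.org":
            problems.append(f"[{i}] {fqn!r}: only schema.org terms are supported")
        elif url.scheme != "http":
            problems.append(f"[{i}] {fqn!r}: use http://, not {url.scheme}://")
        if not claim:
            problems.append(f"[{i}] missing oidcClaim")
        elif claim in seen:  # assumption: one JSON-LD term per OIDC claim
            problems.append(f"[{i}] oidcClaim {claim!r} is mapped more than once")
        seen.add(claim)
    return problems

def map_claims(payload, subject):
    """Simplified model (assumed exact-string match) of the claim translation."""
    table = {m["jsonLdFqn"]: m["oidcClaim"] for m in payload["claimMappings"]}
    return {table[term]: value for term, value in subject.items() if term in table}

if __name__ == "__main__":
    for problem in lint_claim_mappings(SAMPLE_PAYLOAD):
        print(problem)
    # Constructed credential subject keyed by fully qualified JSON-LD terms.
    subject = {
        "http://schema.org/givenName": "Ada",
        "http://schema.org/familyName": "Lovelace",
    }
    # family_name is absent from the result because its mapping used https://
    print(map_claims(SAMPLE_PAYLOAD, subject))
```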
Response
{
  "id": "41458e5a-9092-40b7-9a26-d4eb43c5792f",
  "verifierDid": "did:web:example.com",
  "presentationTemplateId": "364b6a1b-3600-4927-a6ac-4d66aa6bbac3",
  "claimMappings": [
    {
      "jsonLdFqn": "http://schema.org/givenName",
      "oidcClaim": "given_name"
    },
    {
      "jsonLdFqn": "http://schema.org/familyName",
      "oidcClaim": "family_name"
    },
    {
      "jsonLdFqn": "http://schema.org/educationalCredentialAwarded",
      "oidcClaim": "schema.org/educationalCredentialAwarded"
    }
  ],
  "includePresentation": true
}
The verifier can be resolved publicly from your tenant by the verifierId.
GET https://YOUR_TENANT_URL/ext/oidc/v1/verifiers/41458e5a-9092-40b7-9a26-d4eb43c5792f/.well-known/openid-configuration
The Authorization header is not required as it is intended for OIDC Client applications to resolve.