Manually request a credential presentation
Introduction
Once you have set up an OIDC Client, you can initiate a presentation request to obtain and verify information from a credential that’s being held in a mobile wallet. This can be used as a basic authentication mechanism in addition to more advanced use-cases like granular validation of specific information in the context of another application.
Prerequisites
You need the following in order to proceed with this tutorial:
Access to the MATTR Platform APIs. If you’re experiencing difficulty, contact us.
Complete the setup of an OIDC Client.
Download the MATTR Wallet app and have it set up with a PIN.
Have a verifiable credential in the mobile wallet app that matches the type and the Issuer’s identifier (DID) as per the presentation request template.
Receive the credential claims
Use the OIDC Credential Verifier id to create an OpenID Connect Authentication Request. Construct the following URL to open the presentation request screen, which presents either a QR code (on desktop) or a deep link (on mobile viewports).
Authentication Request
https://YOUR_TENANT_URL/ext/oidc/v1/verifiers/41458e5a-9092-40b7-9a26-d4eb43c5792f/authorize
  ?client_id=BumzBH9-EGGJfZHwkg7mq
  &scope=openid openid_credential_presentation
  &response_type=code
  &redirect_uri=https://localhost:9000/callback
Provide the client_id as obtained from the Configure a Client step.
Set the scope to openid openid_credential_presentation.
Point redirect_uri to the encoded URL that will carry on to obtain the Credential claims from the token.
Scan the QR code
Use the Mobile Wallet to process the Presentation Request.
The wallet app will step you through how to select a matching Credential and provide a Credential Presentation.
If the wallet cannot find a matching credential, ensure you have issued one and that the Presentation Request Template references the Issuer DID and Type of that Credential.
Obtain claims from token
On successful presentation, the browser will redirect to the redirect_uri provided in the authorize request, with a code query parameter added.
https://localhost:9000/callback/?code=oGRCuRMt44-ty8cw
Obtain the credential information by requesting the token from the OpenID Provider as follows.
POST https://YOUR_TENANT_URL/ext/oidc/v1/verifiers/41458e5a-9092-40b7-9a26-d4eb43c5792f/token
Request
client_id=BumzBH9-EGGJfZHwkg7mq
  &client_secret=njsF2zIk_5ie9tV5S6JZ8mYPwySVUVDuawv-CQQWKQINLlpttoVKUPI8Zpu14Xb5q61xc-AsCslJBcWjlwf-GR
  &grant_type=authorization_code
  &redirect_uri=https://localhost:9000/callback
  &code=oGRCuRMt44-ty8cw
Provide the client_id and client_secret as obtained from the Configure a Client step.
Set the redirect_uri to the same value that was used in the Authorization Request.
The code is the code as provided to the redirected URL.
Response
{
  "access_token": "KrrFP8GUeddJJtj7EF-4ugdvCl-dDdWwOqvAbvYsmfy",
  "expires_in": 3600,
  "id_token": "...",
  "scope": "openid",
  "token_type": "Bearer"
}
Obtain the claim values from the id_token JWT. Using a service like https://jwt.io/ to view the JWT is the easiest way to do this.
Revoked credentials
If an Issuer has revoked the credential, the Platform will automatically detect this and the OIDC Credential Verifier will return an OpenID Connect/OAuth2 error response in the redirect URL.
?error=access_denied
&error_description=Failed%20to%20verify%20presentation
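The flow above as an added Python example (not MATTR's code; the function names and the sample token are constructed for illustration). It builds the Authentication Request with the scope and redirect_uri percent-encoded, separates the code from the error response in the callback, and decodes the id_token payload locally so the token never leaves your machine. It does not verify the JWT signature, so the decoded claims are unverified until that check is done.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SCOPE = "openid openid_credential_presentation"

def build_authorize_url(tenant_url, verifier_id, client_id, redirect_uri):
    """Authentication Request URL with scope and redirect_uri percent-encoded."""
    query = urlencode({"client_id": client_id, "scope": SCOPE,
                       "response_type": "code", "redirect_uri": redirect_uri},
                      quote_via=quote)
    return f"https://{tenant_url}/ext/oidc/v1/verifiers/{verifier_id}/authorize?{query}"

def parse_callback(callback_url):
    """Return the authorization code; raise if the verifier reported an error."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:  # e.g. access_denied when the credential was revoked
        desc = params.get("error_description", [""])[0]
        raise PermissionError(f"{params['error'][0]}: {desc}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code parameter")
    return codes[0]

def decode_id_token_claims(id_token):
    """Decode the JWT payload locally. This does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: claim names and signature are placeholders.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "did:example:holder", "given_name": "Alice"}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(build_authorize_url("YOUR_TENANT_URL", "41458e5a-9092-40b7-9a26-d4eb43c5792f",
                              "BumzBH9-EGGJfZHwkg7mq", "https://localhost:9000/callback"))
    print(parse_callback("https://localhost:9000/callback/?code=oGRCuRMt44-ty8cw"))
    print(decode_id_token_claims(SAMPLE_ID_TOKEN))
```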