Create a presentation request
Once you have set up an OIDC Client, you can create a presentation request to obtain and verify information from a credential that’s being held in a mobile wallet. This can be used as a basic authentication mechanism in addition to more advanced use-cases like granular validation of specific information in the context of another application.
Prerequisites
You need the following in order to proceed with this tutorial:
Access to MATTR VII APIs. If you’re experiencing any difficulties, contact us.
Setup an OIDC Verifier.
Configure an OIDC Client.
Download the MATTR Wallet app and have it set up with a PIN.
A signed Web Credential that matches the
type
and the Issuer’s identifier (DID) as per the presentation request template.
Receive the credential claims
Use the OIDC Credential Verifier id
to create an OpenID Connect Authentication Request.
Construct the following URL to open the presentation request screen, it will present either a QR code (on desktop) or a deep link (mobile view-ports):
1https://YOUR_TENANT_URL/ext/oidc/v1/verifiers/41458e5a-9092-40b7-9a26-d4eb43c5792f/authorize
2 ?client_id=BumzBH9-EGGJfZHwkg7mq
3 &scope=openid openid_credential_presentation
4 &response_type=code
5 &redirect_uri=https://localhost:9000/callback
Provide the client_id
obtained from the Configure a Client step.
Set the scope
to openid openid_credential_presentation
.
Set redirect_uri
to the encoded URL that will obtain the Credential claims from the token.
Scan the QR code
Use the wallet to process the Presentation Request. The wallet app will step you through how to select a matching credential and respond with a Credential Presentation.
If the wallet cannot find a matching credential ensure you have issued one and the Presentation Request Template references the Issuer DID and
type
of that Credential.
Obtain claims
Upon successful presentation, the browser will redirect to the redirect_uri
provided in the authorisation request, with a code
query parameter:
1https://localhost:9000/callback/?code=oGRCuRMt44-ty8cw
Obtain the credential information by requesting the token from the OpenID Provider as follows.
1POST https://YOUR_TENANT_URL/ext/oidc/v1/verifiers/41458e5a-9092-40b7-9a26-d4eb43c5792f/token
Request
1client_id=BumzBH9-EGGJfZHwkg7mq
2 &client_secret=njsF2zIk_5ie9tV5S6JZ8mYPwySVUVDuawv-CQQWKQINLlpttoVKUPI8Zpu14Xb5q61xc-AsCslJBcWjlwf-GR
3 &grant_type=authorization_code
4 &redirect_uri=https://localhost:9000/callback
5 &code=oGRCuRMt44-ty8cw
Provide the client_id
and client_secret
as obtained from the Configure a Client step.
Set the redirect_uri
the same as was used in the Authorization Request.
The code
is the code as provided to the redirected url.
Response
1{
2 "access_token": "KrrFP8GUeddJJtj7EF-4ugdvCl-dDdWwOqvAbvYsmfy",
3 "expires_in": 3600,
4 "id_token": "...",
5 "scope": "openid",
6 "token_type": "Bearer"
7}
Obtain the claim values from the id_token
JWT. Using a service like https://jwt.io/ to view the JWT is the easiest way to do this.
Revoked credentials
If an Issuer has revoked the credential the OIDC Credential Verifier will return an OpenID Connect/OAuth2 error response in the redirect url:
1?error=access_denied
2&error_description=Failed%20to%20verify%20presentation