Experimental

OpenID Wallet

Caution

OpenID Wallet authenticator is experimental and should not be used in production scenarios.

OpenID Wallet authenticator acts as a Verifier in the verifiable credentials world. Other specifications might refer to Verifier as a relying party. OpenID Wallet authenticator is able to ask for verifiable credentials and then verify the ones it receives. The credentials will be typically provided by a digital wallet. This authenticator is compatible with the Curity Demo Wallet.

A typical flow would look like this:
  1. An authentication flow is started on the Curity Identity Server and the OpenID Wallet authenticator is selected.
  2. The authenticator displays a QR code to be scanned by a wallet. The QR code embeds a request for presenting verifiable credentials.
  3. The user scans the QR code using their wallet.
  4. The user uses their wallet to present credentials to the authenticator while the authenticator displays the “waiting for wallet” page.
  5. The credentials are sent to the authenticator. The authenticator verifies the credentials and the authentication process succeeds or fails.

Configuring OpenID Wallet Authenticator

OpenID Wallet authenticator requires a number of items to be configured:
  • wallet-invocation-url-prefix - the prefix that will be used to invoke the wallet. The authenticator will use this to build URLs and embed them in the QR codes and the “same device” button on the authenticator’s launch page.
  • signing-key - a reference to a signing key. This key will be used to sign requests sent to a wallet.
  • signature-algorithm - the algorithm to be used when signing requests with the signing key.
  • authorization-request-time-to-live - the maximum amount of time the QR code displayed on the authenticator’s launch page is valid in seconds. This will be typically a short time (e.g. 30s) for security reasons.
  • request-object-time-to-live - the maximum amount of time the presentation request is valid in seconds. Presentation requests are received by wallets and this configuration setting controls how much time a wallet has to retrieve the request from the authenticator. This setting has to be long enough for the user to complete the flow in a wallet (e.g. 5 minutes).
  • client - a group of client related settings. The authenticator acts as a client to the wallet.
  • presentation-definition - a group of settings related to presentation requests. This section configures what credentials this authenticator accepts from wallets for successful authentication.

A valid configuration could look like this:

<config xmlns="http://tail-f.com/ns/config/1.0">
  <profiles xmlns="https://curity.se/ns/conf/base">
    <profile>
      <id>oauth</id>
      <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type>
      <settings>
        <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
          <authenticators>
            <authenticator>
              <id>my-openid-wallet-authenticator</id>
              <openid-wallet xmlns="https://curity.se/ns/conf/authenticators/openid-wallet">
                <wallet-invocation-url-prefix>https://wallet.example.com</wallet-invocation-url-prefix>
                <signing-key>
                  <id>wallet-authenticator-signing-key</id>
                </signing-key>
                <signature-algorithm>RS256</signature-algorithm>
                <authorization-request-time-to-live>30</authorization-request-time-to-live>
                <request-object-time-to-live>300</request-object-time-to-live>
                <client>
                  <client-id>openid-wallet-authenticator-client</client-id>
                  <pre-registered />
                </client>
                <presentation-definition>
                  <name>University Degree Verification</name>
                  <purpose>Present credentials that verify user's graduation.</purpose>
                  <input-descriptor>
                    <name>University Degree</name>
                    <purpose>To verify that user has graduated from a university.</purpose>
                    <constraints>
                      <credential-type>UniversityDegreeCredential</credential-type>
                    </constraints>
                  </input-descriptor>
                </presentation-definition>
              </openid-wallet>
            </authenticator>
          </authenticators>
        </authentication-service>
      </settings>
    </profile>
  </profiles>
</config>

Anonymous JWKS Endpoint

The OpenID Wallet authenticator publishes the configured signing-key in the form of a JSON Web Key Set on the anonymous endpoint of the authenticator, under the /jwks subpath. For example, if an authenticator with ID my-openid-wallet-authenticator is configured on an authentication profile that has the anonymous endpoint mapped on /authenticate/anonymous, then the signing key is published on the path /authenticate/anonymous/my-openid-wallet-authenticator/jwks.

This endpoint is typically called by a wallet when the pre-registered client_id_scheme is used in presentation requests and the wallet wants to verify the received presentation request.

Further Reading

Please visit The Curity Resource Library for further information about verifiable credentials and other related topics.