Caution
OpenID Wallet authenticator is experimental and should not be used in production scenarios.
OpenID Wallet authenticator acts as a Verifier in the verifiable credentials world. Other specifications might refer to a Verifier as a relying party. OpenID Wallet authenticator is able to ask for verifiable credentials and then verify the ones it receives. The credentials are typically provided by a digital wallet. This authenticator is compatible with the Curity Demo Wallet.
wallet-invocation-url-prefix
signing-key
signature-algorithm
authorization-request-time-to-live
request-object-time-to-live
client
presentation-definition
A valid configuration could look like this:
<config xmlns="http://tail-f.com/ns/config/1.0">
  <profiles xmlns="https://curity.se/ns/conf/base">
    <profile>
      <id>oauth</id>
      <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type>
      <settings>
        <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
          <authenticators>
            <authenticator>
              <id>my-openid-wallet-authenticator</id>
              <openid-wallet xmlns="https://curity.se/ns/conf/authenticators/openid-wallet">
                <wallet-invocation-url-prefix>https://wallet.example.com</wallet-invocation-url-prefix>
                <signing-key>
                  <id>wallet-authenticator-signing-key</id>
                </signing-key>
                <signature-algorithm>RS256</signature-algorithm>
                <authorization-request-time-to-live>30</authorization-request-time-to-live>
                <request-object-time-to-live>300</request-object-time-to-live>
                <client>
                  <client-id>openid-wallet-authenticator-client</client-id>
                  <pre-registered />
                </client>
                <presentation-definition>
                  <name>University Degree Verification</name>
                  <purpose>Present credentials that verify user's graduation.</purpose>
                  <input-descriptor>
                    <name>University Degree</name>
                    <purpose>To verify that user has graduated from a university.</purpose>
                    <constraints>
                      <credential-type>UniversityDegreeCredential</credential-type>
                    </constraints>
                  </input-descriptor>
                </presentation-definition>
              </openid-wallet>
            </authenticator>
          </authenticators>
        </authentication-service>
      </settings>
    </profile>
  </profiles>
</config>
The OpenID Wallet authenticator publishes the configured signing-key in the form of a JSON Web Key Set on the anonymous endpoint of the authenticator, under the /jwks subpath. For example, if an authenticator with ID my-openid-wallet-authenticator is configured on an authentication profile that has the anonymous endpoint mapped on /authenticate/anonymous, then the signing key is published on the path /authenticate/anonymous/my-openid-wallet-authenticator/jwks.
This endpoint is typically called by a wallet when the pre-registered client_id_scheme is used in presentation requests and the wallet wants to verify the received presentation request.
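The wallet-side check described above (derive the /jwks path from the anonymous endpoint and authenticator ID, then verify the received request object against the published key set), as an added example in Go. This is not code from Curity or from the Curity Demo Wallet. It assumes that the configured signing-key id appears as the JWS kid header and that the request object is a compact RS256 JWS carrying client_id and exp claims; the key pair, key set and request object are constructed inline (labelled as such in the code) so the example runs offline without contacting a server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// jwksPath derives where the authenticator publishes its key set: <anonymous endpoint>/<authenticator id>/jwks.
func jwksPath(anonymousEndpoint, authenticatorID string) string {
	return strings.TrimRight(anonymousEndpoint, "/") + "/" + authenticatorID + "/jwks"
}

// JWK and JWKS model the RSA public key material served at that path.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

func b64(b []byte) string           { return base64.RawURLEncoding.EncodeToString(b) }
func b64d(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// rsaKeyToJWK renders a public key the way the published key set carries it.
func rsaKeyToJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Kid: kid, N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}
}

// jwkToRSA rebuilds an RSA public key from a JWKS entry, rejecting anything that is not RSA.
func jwkToRSA(k JWK) (*rsa.PublicKey, error) {
	nb, errN := b64d(k.N)
	eb, errE := b64d(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil { return nil, errors.New("JWKS entry is not a usable RSA key") }
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

// signRS256 stands in for the authenticator's signing of the request object (compact JWS);
// it exists only so the example can construct its own input.
func signRS256(kid string, claims map[string]any, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// verifyRequestObject is the wallet side: pick the key by kid, insist on RS256 (so "alg":"none" or an
// HMAC header is refused), check the signature, then require the expected client_id and an unexpired exp.
func verifyRequestObject(jws string, set JWKS, expectedClientID string, now time.Time) (map[string]any, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWS") }
	hdrBytes, err := b64d(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, errors.New("unexpected alg: " + hdr.Alg) }
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid { continue }
		if pub, err = jwkToRSA(k); err != nil { return nil, err }
	}
	if pub == nil { return nil, errors.New("no key with matching kid in JWKS") }
	sig, err := b64d(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the published key")
	}
	payload, err := b64d(parts[1])
	if err != nil { return nil, err }
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil { return nil, err }
	if claims["client_id"] != expectedClientID { return nil, errors.New("client_id does not match the pre-registered client") }
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() > int64(exp) { return nil, errors.New("request object expired or has no exp") }
	return claims, nil
}

// buildFixture constructs a key pair, the key set the authenticator would publish and a request object
// signed with it, using the page's example client id and 300 s request-object-time-to-live.
func buildFixture(now time.Time) (string, JWKS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return "", JWKS{}, err }
	const kid = "wallet-authenticator-signing-key" // assumed: the configured signing-key id is used as the JWS kid
	set := JWKS{Keys: []JWK{rsaKeyToJWK(kid, &priv.PublicKey)}}
	claims := map[string]any{"client_id": "openid-wallet-authenticator-client", "exp": now.Add(300 * time.Second).Unix()}
	jws, err := signRS256(kid, claims, priv)
	return jws, set, err
}
```

In a real wallet the JWKS JSON is fetched over HTTPS from the path returned by jwksPath and decoded into JWKS with json.Unmarshal; the rest of the flow is unchanged. The verifier pins the algorithm to the one configured in signature-algorithm before selecting a key, so a request object whose header names a different algorithm is rejected without the published key ever being consulted, and the exp check enforces the request-object-time-to-live on the wallet side as well.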
Please visit The Curity Resource Library for further information about verifiable credentials and other related topics.