
Run Verifiable Credentials Demo Wallet


Verifiable credentials are pieces of information that users can request and store in a wallet. Users can load a stored verifiable credential from the wallet to prove some assertions, e.g. their identities.

There are two protocols under way for issuing and presenting verifiable credentials that build on top of OAuth 2.0: OpenID4VCI and OpenID4VP. This tutorial explains how to run a visual online demo wallet to understand the user experience and benefits that these protocols enable. It describes how you can obtain a verifiable credential from an issuer using Curity's demo wallet. It also demonstrates how you can use such a credential as part of an authentication process using plain OAuth 2.0.

Using Verifiable Credentials

The end-to-end flow in this tutorial involves three systems:

  • Wallet
  • Credential issuer
  • Verifier

This tutorial uses Curity's demo wallet as the wallet, Curity's demo instance at https://login-demo.curity.io as the credential issuer and OAuth Tools as the verifier.

Download a Verifiable Credential

In principle, there are two ways to obtain a verifiable credential from a credential issuer in OpenID4VCI:

In the first case, a service commonly renders a QR code or link that invokes a wallet whereas in the second case you open the wallet and select a credential manually. This tutorial shows how to run a wallet-initiated flow.

Navigate to the Demo Wallet. When you open the wallet for the first time, it is empty because it does not contain any credentials yet. Click the button Get my first credential to fetch a credential.

No credential in the wallet

The demo wallet comes with a pre-configured credential issuer, Curity's demo instance, that you can test with. Let the wallet fetch the supported credentials from this issuer. Click the button View supported credentials to list all the supported credentials from the pre-configured issuer. Study the list.

List of credential issuers

How does the wallet get the list of supported credentials?

In the background, the wallet loads the credential issuer metadata of the pre-configured issuer. This metadata resides at the well-known endpoint of the credential issuer at https://login-demo.curity.io/oauth/v2/oauth-anonymous/.well-known/openid-credential-issuer. It includes, among other details, a list of the supported credentials with all the fields and display details for each of them.
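The metadata lookup described above, as an added example that is not Curity's wallet code: it derives the well-known URL from the issuer identifier, checks that the returned document names the same issuer, and lists the offered credentials. The field names follow the OpenID4VCI drafts; the sample document, the credential id and the endpoint path are constructed placeholders.

```javascript
const WELL_KNOWN = "/.well-known/openid-credential-issuer";

// Build the metadata URL for a credential issuer identifier.
function metadataUrl(issuer) {
  const u = new URL(issuer);
  if (u.protocol !== "https:") throw new Error("issuer must use https");
  if (u.search || u.hash) throw new Error("issuer must not carry a query or fragment");
  return issuer.replace(/\/$/, "") + WELL_KNOWN;
}

// Validate a metadata document and summarize the credentials it offers.
function listSupportedCredentials(issuer, metadata) {
  // The document must name the issuer it was requested from; otherwise a
  // substituted response could point the wallet at another party's endpoints.
  if (metadata.credential_issuer !== issuer) {
    throw new Error("credential_issuer does not match the requested issuer");
  }
  if (new URL(metadata.credential_endpoint).protocol !== "https:") {
    throw new Error("credential_endpoint must use https");
  }
  const configs = metadata.credential_configurations_supported || {};
  return Object.entries(configs).map(([id, cfg]) => ({
    id,
    format: cfg.format,
    // Fall back to the configuration id when no display name is given.
    name: (cfg.display && cfg.display[0] && cfg.display[0].name) || id,
  }));
}

// Issuer identifier assumed from the tutorial's well-known URL.
const ISSUER = "https://login-demo.curity.io/oauth/v2/oauth-anonymous";

// Constructed sample, not the demo issuer's actual response.
const SAMPLE_METADATA = {
  credential_issuer: ISSUER,
  credential_endpoint: ISSUER + "/placeholder-credential-endpoint", // placeholder path
  credential_configurations_supported: {
    UniversityDegreeCredential: { // constructed id
      format: "jwt_vc_json",
      display: [{ name: "University Degree Credential", locale: "en" }],
    },
  },
};

console.log(metadataUrl(ISSUER));
console.log(listSupportedCredentials(ISSUER, SAMPLE_METADATA));
```

A wallet would pass the parsed JSON response from `metadataUrl(issuer)` as `metadata`; older drafts of the specification name the credential list differently, so the summary is empty for such documents.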

Get a verifiable credential that represents a university degree. Scroll down to the pink box that says University Degree Credential. Click the button Get Credential. Request the university degree credential by clicking Request Credential.

List of supported credentials includes University Degree Credential
Request University Degree Credential

The wallet requests a credential from the demo credential issuer. As part of the flow, you need to authenticate so that the credential issuer returns the correct credential (your credential). The demo system only simulates user authentication by requiring a username. You can choose any name, e.g. demouser.

Login screen with username

After you authenticate, the wallet downloads your university degree credential.

Save University Degree Credential

Demo System

The demo system issues verifiable credentials for demonstration purposes only. That is, they contain hard-coded values and are not related to the username that you entered during authentication.

Store the credential.

  • Enter My University Degree as the name.
  • Click Save Credential. The demo wallet stores the credential in your browser's local storage.
  • Click View my credentials.

Congratulations, you got your first credential!

Now, if you want to try it again with the same or a different credential, you can click the house symbol in the bottom menu to get to the list of issuers. Repeat the steps above with the pre-configured issuer.

Open list of credential issuers

You can delete the items in the local storage in your browser to reset the wallet.

Asserted Attributes

In many use cases, verifiable credentials allow a user to authenticate and provide true proofs of identity to multiple verifiers, since a common trusted authority asserted the attributes.

You now have one or more verifiable credentials that you can present to a verifier.

Present a Verifiable Credential

To present a credential, you need to trigger an authentication flow. You can use OAuth Tools and the Curity Playground for that purpose. By default, the Curity Playground integrates with Curity's demo instance and the demo wallet. Open OAuth Tools in a new window.

Demo code flow in OAuth.Tools

Select Demo: Code Flow from the menu to the left. Scroll down and click the green button ► Run.

You get a prompt to select an authentication method. Select wallet from the list.

Screen with several login options
Screen to start wallet

Then, click the button Start your wallet on this device. The demo wallet opens in a separate tab. It asks for an academic credential.

Select credential

Select an appropriate credential. The university degree credential that you previously downloaded fulfills the requirements. From the drop-down menu select My University Degree. Click Accept and continue.

Navigate back to OAuth Tools and continue with the OAuth flow.

  • Scroll down to Redeem Authorization Code.
  • Click Redeem code.
  • OAuth Tools fetches the tokens.

Congratulations, you used your university degree credential to log in!

Strong Proofs

When the user authenticates with a verifiable credential from a trusted authority, the verifying application receives strong proofs about the user without delay.

Simple Integration

If you are already using OAuth, you can add support for user authentication with verifiable credentials without code changes. In the Curity Identity Server, you can simply configure an OpenID Wallet authenticator. You can use Claims From Authentication to issue verifiable credentials to tokens. There is no need to implement any new protocol for your apps or APIs to receive the asserted attributes from verifiable credentials as they can continue to consume the tokens as usual.

Conclusion

The demo wallet visualizes the roles involved in end-to-end flows with verifiable credentials. First, users install wallets on their mobile devices. Next, users download verifiable credentials from issuers and store them in their wallet. From that point on, users can present their credentials to verifiers. Finally, applications that already use OAuth can become verifiers just by activating a wallet-based authentication method. If the application trusts the credential issuer, it can receive and use strong user proofs in real time.
