Run Verifiable Credentials Demo Wallet

Verifiable credentials are pieces of information that users can request and store in a wallet. Users can load a stored verifiable credential from the wallet to prove some assertions, e.g. their identities.

There are two protocols under way for issuing and presenting verifiable credentials that build on top of OAuth 2.0: OpenID4VCI and OpenID4VP. This tutorial explains how to run a visual online demo wallet to understand the user experience and benefits that these protocols enable. It describes how you can obtain a verifiable credential from an issuer using Curity's demo wallet. It also demonstrates how you can use such a credential as part of an authentication process using plain OAuth 2.0.

Using Verifiable Credentials

The end-to-end flow in this tutorial involves three systems:

• Wallet
• Credential issuer
• Verifier

This tutorial uses Curity's demo wallet as the wallet, Curity's demo instance at https://login-demo.curity.io as the credential issuer and OAuth Tools as the verifier.

Download a Verifiable Credential

In principle, there are two ways to obtain a verifiable credential from a credential issuer in OpenID4VCI:

• Issuer Initiated
• Wallet Initiated

In the first case, a service commonly renders a QR code or link that invokes a wallet whereas in the second case you open the wallet and select a credential manually. This tutorial shows how to run a wallet-initiated flow.

Navigate to the Demo Wallet. When you open the wallet for the first time, it is empty. It simply does not contain any credentials yet. Simply click the button Get my first credential to fetch a credential.

The demo wallet comes with a pre-configured credential issuer, Curity's demo instance, that you can test with. Let the wallet fetch the supported credentials from this issuer. Click the button View supported credentials to list all the supported credentials from the pre-configured issuer. Study the list.

Get a verifiable credential that represents a university degree. Scroll down to the pink box that says University Degree Credential. Click the button Get Credential. Request the university degree credential by clicking Request Credential.

The wallet requests a credential from the demo credential issuer. As part of the flow, you need to authenticate so that the credential issuer returns the correct credential (your credential). The demo system only simulates user authentication by requiring a username. You can choose any name, e.g. demouser.

After you authenticate, the wallet downloads your university degree credential.

Store the credential.

• Enter My University Degree as the name.
• Click Save Credential. The demo wallet stores the credential in your browser's local storage.
• Click View my credentials.

Congratulations, you got your first credential!

Now, if you want to try it again with the same or a different credential, you can click on the house-symbol in the bottom menu to get to the list of issuers. Repeat the steps from above with the pre-configured issuer.

You can delete the items in the local storage in your browser to reset the wallet.

You now have one or more verifiable credentials that you can present to a verifier.

Present a Verifiable Credential

To present a credential, you need to trigger an authentication flow. You can use OAuth Tools and the Curity Playground for that purpose. By default, the Curity Playground integrates with Curity's demo instance and the demo wallet. Open OAuth Tools in a new window.

Select Demo: Code Flow from the menu to the left. Scroll down and click the green button ► Run.

You get a prompt to select an authentication method. Select wallet from the list.

Then, click the button Start your wallet on this device. The demo wallet opens in a separate tab. It asks for an academic credential.

Select an appropriate credential. The university degree credential that you previously downloaded fulfills the requirements. From the drop-down menu select My University Degree. Click Accept and continue.

Navigate back to OAuth Tools and continue with the OAuth flow.

• Scroll down to Redeem Authorization Code.
• Click Redeem code.
• OAuth Tools fetches the tokens.

Congratulations, you used your university degree credential to log in!

Simple Integration

If you are already using OAuth, you can add support for user authentication with verifiable credentials without code changes. In the Curity Identity Server, you can simply configure an OpenID Wallet authenticator. You can use Claims From Authentication to issue verifiable credentials to tokens. There is no need to implement any new protocol for your apps or APIs to receive the asserted attributes from verifiable credentials as they can continue to consume the tokens as usual.

Conclusion

The demo wallet visualizes the roles involved in end-to-end flows with verifiable credentials. First, users install wallets on their mobile devices. Next, users download verifiable credentials from issuers and store them in their wallet. From that point on, users can present their credentials to verifiers. Finally, applications that already use OAuth can become verifiers just by activating a wallet based authentication method. If the application trusts the credential issuer, they can receive and use strong user proofs in real time.