Process View
The following processes are further detailed on this page:
- Authentication flow
- Issuance flow
- Direct Presentation flow
- IATP Presentation flow
Authentication flow
The authentication flows are either between the wallet and the UI or the wallet and an external system within the same security domain of the wallet.
Frontend
External system
Verifiable Presentation verification flow
Issuance flow
This flow describes the process of exchanging a new credential between two Wallet instances
Presentation Protocol(s)
Different protocols for exchanging Verifiable Presentations between the holder of credentials and the verifier can be used in different scenarios.
Currently three protocols are implemented or are candidates for implementation in the Wallet:
- Direct protocol: a simple protocol for exchaning verifiable presentations
- Identity and Trust Protocol: a protocol based on the Digital Identity Foundations Presentation Exchange specfication
- OpenID 4 Verifiable Presentations: a draft specification from the OpenID foundation
Direct
The direct presentation protocol is a simple flow for presenting a credential to the verifier. Where the control plane of the holder decides which credential(s) to include in the verifiable presentation. The full presentation is shared with the verifier via the Authorization header.
While this is a simple way of presenting credentials to the verifier, there are some drawbacks to this approach:
- HTTP headers are often limited in size by the HTTP server implementations, resulting in maximum header sizes of 8kb (default for Nginx and Apache).
- No authentication of the verifier is executed in this flow.
- No handles for specifying which credential the verifier needs to approve the request.
Identity and Trust Protocol (IATP)
The identity and trust protocol (IATP) defines the flow of requesting and presenting Verifiable Presentations between verifier and holder. This protocol is largely based on the Eclipse Tractus-X IATP, and uses the following wider standards/specifications:
- W3C Decentralized Identifiers (DIDs) v1.0
- W3C Verifiable Credentials Data Model v1.1
- DIF Presentation Exchange 2.0.0
The sequence diagram below shows the interactions between the wallets and control planes of the verifier and holder.
A more detailed explanation of the steps in the sequence diagram is provided in the list below:
- Request a Self Issued ID token targeted at the verifier (audience) with an automatically generated access token for the verifier to request the presentation, with an optional scope to limit the access to certain credentials.
Note: Scopes are currently accepted but not used. - ID token signed with the default key defined in the wallet.
- Data Space Protocol Request with the
id_tokenasBearertoken in theAuthorizationheader. - Verification request with the holder's
id_tokenand a presentation definition according the DIF Presentation Definition specification. - Validation of the holder's
id_token, which additionally requires resolvement of the DID document of the holder to retrieve the public key material used to sign theid_token. - Create a Self Issued ID token targeted at the holder (audience) incorporating the access token from the holder's
id_token. - Retrieve the
"Presentation"service from the holder's DID document to find the service endpoint for requesting the presentation. - Request the presentation at the service endpoint with the presentation definition and the
id_tokenasBearertoken in theAuthorizationheader. - Validate the verifier's
id_tokenand the access token inside theid_token. - Find matching credentials based on the presentation definition and the scope of the access token. And generate a presentation submission according the DIF Presentation Submission specification.
Note: Scopes are currently accepted but not used. - Return the Verifiable Presentation in JWT format accompanied by the pesentation submission.
- Validate the Verifiable Presentation and validate whether it matches the requested presentation definition.
- Return the Verifiable Presentation when all checks are successful.
- Response of the original DSP request.