Verifiable Credential Identity Provider for OpenID Connect. This is an implementation of the verifiable credential system for 2060.
This is a demo for deploying an authentication system with Keycloak using an identity provider. The complete system will allow validation of any credential created for the purpose of enabling authentication and thus permitting access to any required system.
Using a vc auth system for issuing Verifiable Credentials has many benefits:
- security: For years, there has been a quest for an identity control method for authenticating users, sensitive data, and other transactions. This implementation aims to achieve an approach to the world envisioned for 2060, providing verifiable credentials that ensure the identity of the credential holder.
A conversational DIDComm service is probably the most secure way of delivering Verifiable Credentials.
Then, as soon as you've got your Verifiable Credential, you can use it to identify yourself and access passwordless services.
If you lose your cellphone or delete the app, you can restore your identity by simply re-connecting to the same Registry service, verifying your face, and recovering your Verifiable Credential.
- A bash-compatible shell such as Git Bash
- Docker
- Ngrok token (optional, required for local development)
- Kubernetes (for deployment)
In this initial demo, we will first approach a deployment in a local environment to validate some of the behaviors that the VC Auth system manages for presenting verifiable credentials generated by 2060.
Note: Please keep in mind that this is an adaptation of the VC Auth project, which includes a wide range of configurable options and customizations. Detailed information regarding its configuration can be found within the project itself.
Each developer must apply for an Ngrok token here. Then place the token into the `.env-dev` file within the `docker` directory:
`NGROK_AUTHTOKEN=<your token here>`
Open a shell in the `docker` folder and run the following commands:
- `./manage start`: this will start the project. Follow the script prompts to select the appropriate runtime options: they will be saved in an `env` file for the next execution.
- To reset everything (including removing container data and selected options in the `env` file) execute `./manage rm`.
A list of all available commands is visible by executing `./manage -h`.
In order to use the VC OIDC authentication, a couple of extra steps are required.
Note: If you wish to use the default example for quick deployment purposes, note that by default the system creates default values in order to validate the demo when using the command `./manage start`. This will generate the values necessary for proper usage and deployment of this demo. Alternatively, if you prefer to customize the credential to be used and set up your own, refer to the following information.
Name | Description | Value
---|---|---
ver_config_id | String value responsible for identifying the variable `pres_req_conf_id`, which is sent from the frontend to identify the configuration to apply | email
subject_identifier | See here for further details. |
include_v1_attributes | Optional field defaulting to false. Boolean value responsible for enabling the independent sending of credential |
generate_consistent_identifier | See here for further details. |
requested_credentials | Contains the details on the presentation request |
credentialDefinitionId | It contains the ID of the credential required for authentication |
attributes | This is an array containing all the attributes required for the given credential |
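The following is an added example, not code from the 2060 project or from the VC Auth (vc-authn-oidc) project it adapts. It validates a verification configuration shaped like the table above, maps `requested_credentials` to an Indy-style proof request, and derives the OIDC `sub` claim from the attributes the holder reveals. The field names come from the table; the proof-request shape, the hashing rule used for `generate_consistent_identifier`, the sample configuration and the credential definition id are assumptions made for illustration.

```python
"""Added example (not the project's code): validate a verification config
shaped like the table above and derive the OIDC subject identifier.

Assumptions: the mapping to an Indy-style proof request and the SHA-256
rule for generate_consistent_identifier are illustrative, not vc-authn-oidc's.
"""
import hashlib
import json

# Constructed sample config for an e-mail credential (not from the page).
SAMPLE_VER_CONFIG = {
    "ver_config_id": "email",
    "subject_identifier": "email",
    "include_v1_attributes": False,
    "generate_consistent_identifier": True,
    "requested_credentials": [
        {
            # Placeholder, not a real credential definition id.
            "credentialDefinitionId": "EXAMPLE_CRED_DEF_ID_PLACEHOLDER",
            "attributes": ["email"],
        }
    ],
}

REQUIRED_KEYS = ("ver_config_id", "subject_identifier", "requested_credentials")


def validate_ver_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config is usable."""
    problems = [f"missing required field: {k}" for k in REQUIRED_KEYS if k not in cfg]
    if problems:
        return problems
    if not isinstance(cfg["ver_config_id"], str) or not cfg["ver_config_id"]:
        problems.append("ver_config_id must be a non-empty string")
    for flag in ("include_v1_attributes", "generate_consistent_identifier"):
        if not isinstance(cfg.get(flag, False), bool):
            problems.append(f"{flag} must be a boolean")
    creds = cfg["requested_credentials"]
    if not isinstance(creds, list) or not creds:
        problems.append("requested_credentials must be a non-empty list")
        return problems
    revealed_attrs = set()
    for i, cred in enumerate(creds):
        if not cred.get("credentialDefinitionId"):
            problems.append(f"requested_credentials[{i}] lacks credentialDefinitionId")
        attrs = cred.get("attributes")
        if not isinstance(attrs, list) or not all(isinstance(a, str) for a in attrs):
            problems.append(f"requested_credentials[{i}].attributes must be a list of strings")
            continue
        revealed_attrs.update(attrs)
    # The subject identifier must be one of the attributes the holder reveals;
    # otherwise the IdP has nothing from which to build the `sub` claim.
    if cfg["subject_identifier"] not in revealed_attrs:
        problems.append("subject_identifier is not among the requested attributes")
    return problems


def build_proof_request(cfg: dict) -> dict:
    """Map requested_credentials to an Indy-style proof request (assumed shape).

    Each credential becomes one requested-attributes group restricted to its
    cred_def_id, so the holder cannot satisfy it with a different credential.
    """
    requested_attributes = {}
    for i, cred in enumerate(cfg["requested_credentials"]):
        requested_attributes[f"req_attr_{i}"] = {
            "names": list(cred["attributes"]),
            "restrictions": [{"cred_def_id": cred["credentialDefinitionId"]}],
        }
    return {
        "name": cfg["ver_config_id"],
        "version": "1.0",
        "requested_attributes": requested_attributes,
        "requested_predicates": {},
    }


def derive_subject(cfg: dict, revealed: dict) -> str:
    """Derive the OIDC `sub` from the revealed attributes.

    With generate_consistent_identifier set, the attribute value is hashed
    (assumed rule) so the same holder always maps to the same `sub` while the
    `sub` claim itself does not carry the e-mail address in the clear.
    """
    value = revealed[cfg["subject_identifier"]]
    if cfg.get("generate_consistent_identifier", False):
        return hashlib.sha256(value.encode("utf-8")).hexdigest()
    return value


if __name__ == "__main__":
    print("problems:", validate_ver_config(SAMPLE_VER_CONFIG))
    print(json.dumps(build_proof_request(SAMPLE_VER_CONFIG), indent=2))
    print("sub:", derive_subject(SAMPLE_VER_CONFIG, {"email": "holder@example.com"}))
```

The check that `subject_identifier` appears in the requested attributes is the one worth keeping in any real deployment: a config that passes the other checks but asks for a subject attribute the holder never reveals fails only at login time, after the QR code has been scanned.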
In this exercise, we are utilizing the theme proposed for Keycloak by 2060. It is crucial to ensure that the appropriate parameters are set in Keycloak's environment variables. Two parameters are provided for its proper functioning: the first one, `KC_HOLOGRAM` (recommended), enables the system to detect the associated identity provider for 2060. Additionally, there is an optional parameter named `KC_HOLOGRAM_AUTH`, which allows us to specify the authentication behavior of the identity provider. This parameter is useful in scenarios where disabling email or VC auth might be required, or simply allowing the normal flow if this is not necessary.
Suggested default values:
- KC_HOLOGRAM: "vc-authn"
- KC_HOLOGRAM_AUTH: ""
For more information regarding the possible configuration states, please refer to the project 2060-auth-theme.
Demo service for 2060 testing: click the link for the chatbot demo.
Go to the contextual menu, select New Email Address, and complete the process by accepting the offered credential.
The frontend employed is an example available in 2060 for the proper implementation and validation of the system. Bear in mind that the frontend dashboard is designed to manage a service deployment in 2060 that is still under construction.
Finally, to start enjoying the demo, go to the following URL and click on the Log In button to validate the use of the authentication system provided in this demo:
http://localhost:8080/
Once the selected authentication method is QR validation, go to the Scan section presented in the app. This will allow the QR code to be scanned and validated to verify the user's credential. Keep in mind that the system allows you to select from various credentials that meet the required criteria if you have more than one credential.
The process will continue on the website where you are authenticating. The system will prompt you to complete the user creation details. In this case, it will automatically retrieve data from the credential to populate the system, and you will only need to fill in the fields for your first name and last name.
Finally, you can validate the created user by accessing Keycloak using the URL http://localhost:8880/auth/. There, you can log into the system using the appropriate authentication credentials (by default, `admin` is configured for both username and password). Select the realm `vc-authn`, and under the user section you will be able to observe the newly created user.