When authenticating via a proof-request that uses the names array to specify attributes that must come from the same credential, the token issued by vc-authn does not include those claims in the token response.

This is incorrect, and should be fixed as it makes it impossible for clients to receive and inspect the attributes coming from the VC.

I am not sure whether this behviour is because of vc-authn or because of how Aca-Py resonds to the proof request, so further investigation is required.

The UI for the QR code page looks outdated and could be improved to look better.

An embedded Vue component, similar to what is used in the vc-visual-verifier, could be used to enhance the page appearance.

An example of a QR code page implementation can be found in identity-kit-poc.

Document the steps required to configure a new integration with vc-authn-oidc using Keycloak.

Steps include:

• IDP configuration in Keycloak
  • this includes VC mappers
• client configuration in vc-authn-oidc database
  • this should only reference the fields/values required, the mode to apply the configurations may vary depending also on #85
• proof-request configuration
  • highlight proof-request structure, the mode to apply configurations may vary

I was trying to receive the access token from the token endpoint then I have received this one in response

{"request":{"configuration":{"authorizationEndpoint":"https:\/\/controller.vc.identity.ky\/vc\/connect\/authorize","tokenEndpoint":"https:\/\/controller.vc.identity.ky\/vc\/connect\/token"},"clientId":"app-auth","nonce":"aeBgbM9fcpwQYk4EQxjOOf0JuXR1QB9k","grantType":"authorization_code","redirectUri":"net.openid.appauthdemo:\/oauth2redirect","authorizationCode":"95b50d0b-a995-4ea2-b360-70a663fecd98","additionalParameters":{}},"token_type":"Bearer","access_token":"invalid","id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImI1NDU3MDhhNjBlNzIyODJhZDU4NTFiYTk0YmQwYmY4IiwidHlwIjoiSldUIn0.eyJuYmYiOjE2MDA0MjIwMjEsImV4cCI6MTYwMDQzMjAyMSwiaXNzIjoiaHR0cHM6Ly9jb250cm9sbGVyLnZjLmlkZW50aXR5Lmt5IiwiYXVkIjoiYXBwLWF1dGgiLCJwcmVzX3JlcV9jb25mX2lkIjoidmVyaWZpZWQtZW1haWwiLCJhY3IiOiJ2Y19hdXRobiIsIm5vbmNlIjoiYWVCZ2JNOWZjcHdRWWs0RVF4ak9PZjBKdVhSMVFCOWsiLCJlbWFpbCI6Imxva2VuYXRoQGtsaXpvcy5jb20iLCJzdWIiOiJsb2tlbmF0aEBrbGl6b3MuY29tIiwiaWF0IjoxNjAwNDIyMDIxfQ.fvQG3mFQ-PYV7WUWiW2HjRMU228n6TL2ZCl5Tu8iWmt9V2dAVmH_s4kV2uF6pg20tqMx6pj6JzTI55MLnCkRvr0WhMh459850GiU_BK1q-_g_3CWFaHi1XNssQVJJ9L4ChGTqM41e2RKIpzGCgdIE1ZLfXOwQdx08H-35fTSxP_Zj3UEqYfayxHjhujsVKg7Y6v-wd6D1d_TH3CHaVRQBqDPVhU24y0_tex_gozXL-_UYCZ1KDuYDbLd1Djmk1TnA18m3wcdniBlDUzlLGDjfpO294PBJvO7py1h_WFRps-bZJvSdFDWyjfDpfXmOO9Jf9aEft2D2IC3ZB8HctTxtA","additionalParameters":{}}

So here the access token is invalid, after serching on the code i have found the the access token is hard-coded as invilid in the tokenEndpointResult.cs file line no. 71.

await context.Response.WriteJsonAsync( new { access_token = "invalid", id_token = token, token_type = "Bearer" });

So, without this access_token I can't use the user-info endpoint, is there any way to access the user-info endpoint.

vc-authn currently only supports basic claim filter/restrictions - as per the AttributeFIlter model used in both RequestedAttributes and RequestedPredicates.

We need to be supporting other types of restrictions, such as restricting claims by value.

Additionally, it would be good to support the newer restriction syntax that uses an array of claims that share the same restrictions, as it simplifies configuration.

TL;DR

Topics greatly improve the discoverability of repos; please add the short code from the table below to the topics of your repo so that ministries can use GitHub's search to find out what repos belong to them and other visitors can find useful content (and reuse it!).

Why Topic

In short order we'll add our 800th repo. This large number clearly demonstrates the success of using GitHub and our Open Source initiative. This huge success means its critical that we work to make our content as discoverable as possible; Through discoverability, we promote code reuse across a large decentralized organization like the Government of British Columbia as well as allow ministries to find the repos they own.

What to do

Below is a table of abbreviation a.k.a short codes for each ministry; they're the ones used in all @gov.bc.ca email addresses. Please add the short codes of the ministry or organization that "owns" this repo as a topic.

That's in, you're done!!!

How to use

Once topics are added, you can use them in GitHub's search. For example, enter something like org:bcgov topic:citz to find all the repos that belong to Citizens' Services. You can refine this search by adding key words specific to a subject you're interested in. To learn more about searching through repos check out GitHub's doc on searching.

Pro Tip 🤓

• If your org is not in the list below, or the table contains errors, please create an issue here.

• While you're doing this, add additional topics that would help someone searching for "something". These can be the language used javascript or R; something like opendata or data for data only repos; or any other key words that are useful.

• Add a meaningful description to your repo. This is hugely valuable to people looking through our repositories.

• If your application is live, add the production URL.

Ministry Short Codes

NOTE See an error or omission? Please create an issue here to get it remedied.

Can I use this solution to authenticate LDAP or Azure Active Directory users?

When authenticating using a credential that has been revoked, it appears that vc-authn-oidc will consider the proof-request satisfied also when presenting a revoked credential.

Based on this code in aries-cloudagent-python it appears that when a proof is presented without specifying the validity interval for a credential, the default behaviour is to consider the credential valid up until the moment the proof-request is processed.

This would imply that a revoked credential should immediately stop being considered as valid source of proof to satisfy the presentation, however the current behaviour of vc-authn indicates this may not be true.

See the Slack OAuth 2.0 API. Investigate using vc-authn-oidc with that and figure out how it can be used:

• who would host the VC containers?
• how would the proof request get defined?
• What is the configuration flow?
• What docs would be helpful to support this to enable fast deployment and scale?

Using the trinsic wallet on Iphone, I successfully present my email credential to the IIW service and then received an error notice to which I accepted the option to copy the message to my clipboard:

[{"Data":"{\"protected\":\"eyJlbmMiOiJ4Y2hhY2hhMjBwb2x5MTMwNV9pZXRmIiwidHlwIjoiSldNLzEuMCIsImFsZyI6IkF1dGhjcnlwdCIsInJlY2lwaWVudHMiOlt7ImVuY3J5cHRlZF9rZXkiOiI1STVodUJNaXp2ZlNIOTZNRU55S2JlVDhQUC1fbjhYcWoxX3l5RGtyZGl6cHNkUGZyR0VkOGcyYnY4N1hDakRnIiwiaGVhZGVyIjp7ImtpZCI6IkFRUnlkTHcySGtEQ1R4anFRZHhpa0M3MVBiN01LcjNYNVdtTW1KSFJtRU5DIiwiaXYiOiJuNG9fX3lnMkdVZ0d5dU03eTVrQ2VjMkg3b1VoNW0yTiIsInNlbmRlciI6IjhKdXFEWjVHVTlMYW1Ha1RZMW5kMnRpb1FBdW5hUWlXbnhQN21qcDRTWFpUcThyLXpIM2lOX2NTWUp6Q2pFR2RVd3VaRjVhWHowekJnLUd5dUllcm8zMnJzdTBYam1lQmIybjJKVEQ2RW9laWlsMVFKLUtmV1FsRjVjWT0ifX1dfQ==\",\"iv\":\"6oJblG9dFkT1sC66\",\"ciphertext\":\"5uaEDvrA06yezULHFG1uNwwbEWLumCXMBqY9BZpkCK3aqJZ_5Bg_SsJTaid6WqKkGLfGu8K9z0PW1zc3TeF-Y6qZ60w3LkEjtJ5hUzoMbkB22O4qfT4rW8SFQ6XhIaM7vQxq1VclBqrNgAz6J5dK41RivYDWYhyOdfOwYhoZ5KUVVHmG8aYZ7wmXqQnqTGmc7ooGVTi2KqNX9oteQRLgboziwa-Loseyxlgx6iboiHFHSsktaTsSKO30QBhFzNLlZGs=\",\"tag\":\"-mSS-QjIK48PyhqLMgUydw==\"}","Timestamp":1617570368,"@id":"a80f354c-2fbb-428a-8259-9bfb7d85bdce","@type":null}]

As I had hoped this message is encrypted but it is interesting that I was given the option to do so if I was not given instructions on who to report this too (presumably as they would have the authority / key(s) to decrypt it if necessary). I wonder if I should report this to Trinsic as a UX improvement, assuming this is on their side...?

Good news is, I then proceeded to the wallet and noticed the pending acceptance offer was in fact there. Then I was able to accept the credential without issue.

The swagger UI exposed by the vc-authn controller does not seem to be requiring the api key to be passed along in the requests to manage the presentation request configurations.

The functionality is already available in the code, so we need to check whether it has been misconfigured or it is broken and requires fixing.

In the /demo/Running-In-Play-With-Docker.md instructions provide a quick copy paste to get everything running, but the final script command is misspelt.

git clone https://github.com/bcgov/vc-authn-oidc
cd vc-authn-oidc
cd demo
./PWDrun

The script file name in the repo is PWDRun.

But I noticed also that the down script is named PWDdown so this may alternatively be a case of the script file name being inconsistent with an intended naming style.

When using the discovery document at .well-known/openid-configuration to configure and OIDC client, the default IdentityServer4 endpoints will be returned, however the VC Identity Provider uses endpoints with the prefix /vc/: this should be documented better as it has tripped a few users.

If it is possible to consolidate the endpoints so hat the standard naming convention is respected it would also be great, but I am not sure whether that is possible.

Improved documentation for:

• using vc-authn as OIDC provider directly
• integrating vc-authn with Keycloak
• presentation configurations

The project is still using .NET Core 2.2 and outdated version of dependencies.

Determine effort to upgrade to .NET Core 3.0 and to upgrade all the project dependencies.

Hi. My controller give me this error:

An exception occurred while iterating over the results of a query for context type 
'IdentityServer4.EntityFramework.DbContexts.PersistedGrantDbContext'.
Npgsql.PostgresException (0x80004005): 42703: column p.ConsumedTime does not exist.

After wallet sending proof succesfully, i also get this error in controller:

[13:01:52 DBG] Creating Claims list for presentation record id : test-request-config
[13:01:52 INF] {"Details": "System.NullReferenceException: Object reference not set to an instance of an object.\n   at VCAuthn.IdentityServer.Endpoints.TokenEndpoint.TokenEndpointResult.GetClaims()\n   at VCAuthn.IdentityServer.Endpoints.TokenEndpoint.TokenEndpointResult.ExecuteAsync(HttpContext context) in /app/VCAuthn/IdentityServer/Endpoints/TokenEndpoint/TokenEndpointResult.cs:line 49\n   at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)", "Category": "Error", "Name": "Unhandled Exception", "EventType": "Error", "Id": 3000, "Message": "Object reference not set to an instance of an object.", "ActivityId": "0HM4I7L89CEJA:00000001", "TimeStamp": "2020-11-27T13:01:52.0000000Z", "ProcessId": 1, "LocalIpAddress": "::ffff:10.129.0.57:8080", "RemoteIpAddress": "35.182.153.45", "$type": "UnhandledExceptionEvent"}
[13:01:52 FTL] Unhandled exception: Object reference not set to an instance of an object.
System.NullReferenceException: Object reference not set to an instance of an object.
   at VCAuthn.IdentityServer.Endpoints.TokenEndpoint.TokenEndpointResult.GetClaims()
   at VCAuthn.IdentityServer.Endpoints.TokenEndpoint.TokenEndpointResult.ExecuteAsync(HttpContext context) in /app/VCAuthn/IdentityServer/Endpoints/TokenEndpoint/TokenEndpointResult.cs:line 49
   at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)

I confirm that test-request-config is in the database.

My installation is on Openshift.

No Project Lifecycle Badge found in your readme!

Hello! I scanned your readme and could not find a project lifecycle badge. A project lifecycle badge will provide contributors to your project as well as other stakeholders (platform services, executive) insight into the lifecycle of your repository.

What is a Project Lifecycle Badge?

It is a simple image that neatly describes your project's stage in its lifecycle. More information can be found in the project lifecycle badges documentation.

What do I need to do?

I suggest you make a PR into your README.md and add a project lifecycle badge near the top where it is easy for your users to pick it up :). Once it is merged feel free to close this issue. I will not open up a new one :)

The DemoInstructions.md link to a "mock BC Government service ("Access to Audio")" that is down:

Application is not available
The application is currently not serving requests at this endpoint. It may not have been started or is still starting.

Based on the plan for Safe Entry, we'll have a need for multi-use QR codes that people print and display. The current process (I think) is:

• Generate the proof request
• Store it in a database, returning a UUID for the request
• Display the UUID as part of the QR code
• When the QR code is processed the URL resolves to the UUID and then the proof request
• Send the proof request to the agent

Propose we make two changes:

• Alter the URL resolution process inject the nonce into the proof request during the resolution process, just before sending it to the agent.
  • This should be done for all proof requests, single or multi-use
• Add and flag when creating a proof request, enabling it to be a multi-use request suitable for printing and handle the UUID and proof request records in the database to be handled appropriately.

NOTE: There is a separate issue #61 where I suggest in a note that we eliminate the statefulness of the solution. This feature WOULD require statefullness, as this QR code would have to last across pod reboots. As such, I'll probably remove that comment.

For my app I only want to use verified credential access, so can I stop the keycloak service to ask from username and password

Network security policy added to oidc-controller build, needs to be added to deployment configurations as well. See https://github.com/bcgov/Family-Protection-Order as reference.

after the scan QR code I have error.
isAxiosError.js:10 GET https://8ead-95-70-244-247.ngrok.io/vc/connect/poll?pid=af9fd457-d177-45fb-9281-f5e48e0f581b 400

Switch to using the names array when declaring attribute/predicate restrictions in a proof-request in order to be able to specify that multiple claims need to be coming from the same credential.

Tweaks and improvements to the QR code page. See here for inspiration.

Hi. Just a report.

Following DemoInstructions.md, I accessed to the following url by clicking a link in "Use the Verifiable Credential Identity Provider" section.
https://csb-audio.pathfinder.gov.bc.ca/

The service responded with the below error page (the HTTP status code was 503, not 404).

I'm not sure if this is temporary, but if not, we have to amend the link.

From where are we getting the user var and user.email from???

@esune

I cloned git repo and executed

./mange buld but failing at 6th step.

Error

/usr/share/dotnet/sdk/3.1.413/NuGet.targets(128,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.jon. [/app/VCAuthn.sln]
/usr/share/dotnet/sdk/3.1.413/NuGet.targets(128,5): error :   The HTTP request to 'GET https://api.nuget.org/v3/index.json' has timed ou after 100000ms. [/app/VCAuthn.sln]
The command '/bin/sh -c dotnet restore' returned a non-zero code: 1

Tried Solution

• Created NuGet.config file with proxy url under /usr/share/dotnet/sdk/3.1.413 but didn't helped.

NuGet.Config File

<configuration>
	<config>
		<add key="http_proxy" value="url" />
		<add key="https_proxy" value="url" />
	</config>
</configuration>

I believe in the Indy proof request format, the restrictions are an array. Should this be the same here? This would support, for example, the user having several credentials from which to provide a name that are acceptable to the verifier/IdP.

Investigate whether it is possible to embed the QR code authentication page into a parent webpage, and complete the authentication flow without this way without fully redirecting to the IdP and then back to the resource.

A2A is a good candidate to experiment with this: once the primary landing page is in place it can be enhanced to test this idea.

If the attempt is successful, document the pattern for reuse/implementation in other applications.

I've read some research papers on SSI and SSI integration with OpenID and, as here SSI is integrated with openID. So can you tell me Why SSI integration with openID is optimal to SSI without openID?

I have successfully implemented vc-auth, architecture but not the next step of my project I was, I want a specific set of the user to get authentication only. As of now, all users can get authenticated, I want to add restriction here.

When presenting credentials to satisfy the proof-request, users only know if/when the verification was successful as they are redirected to the resource that initiated the authentication request. When verification fails, users are left "hanging" on the QR Code page.

It would be nice to display a notification explaining that the presentation request was unsuccessful instead.

As discovered by investigation for #108, it is not possible to use unrestricted proof requests with vc-authn: the proof request is generated correctly, but then the controller throws an error when trying to fetch the claim values for the proof.

The options are:

• do NOT allow unrestricted proof requests to be configured/used in vc-authn: this is acceptable, based on the use cases that vc-authn is usually used for, as self-attested attributes are somewhat bound to limited/insecure scenarios. In this case, update the controller code to reject unrestricted proof configurations and update the documentation to reflect the change
• handle correctly also proof-requests containing unrestricted claims: the agent (aca-py) supports this so it would be consistent with the capabilities it provides

When generating a proof-request using the names array in the configuration, the resulting aca-py proof payload is invalid and looks like this:

{
    "name": "accredited-lawyer",
    "version": "1.4.0",
    "nonce": "781704335882179810270393",
    "requested_attributes": {
        "612d35ac-ccff-4a6c-95f0-96fa0528f817": {
            "name": null,
            "restrictions": [
                {
                    "schema_name": "Member Certificate",
                    "schema_version": "1.0.0",
                    "issuer_did": "RznYFPVhHpYZgsn4Hu3StV"
                },
                {
                    "schema_name": "Member Card",
                    "schema_version": "1.4.0",
                    "issuer_did": "UUHA3oknprvKrpa7a6sncK"
                }
            ]
        }
    },
    "requested_predicates": {},
    "non_revoked": {
        "from": 0,
        "to": 1604604551
    }
}

Note how the restriction uses the name attribute (set to null) rather than names.

After successfully responding to a proof-request, vc-authn will compile a JWT which contains all of the attribute values that were received when responding to the proof-request.

It would be best to wrap all of those attributes in an object (e.g.: presented_attribute_values) in order to facilitate integration with third-party AIM systems such as Keycloak. This would only require setting-up the IdP mappers once, to support pres_req_conf_id and presented_attributes_values and delegate to each client which attributes to process.

In the current state, when a new proof-request needs to be processed by the IdP, new mappers for the new claims will need to be set-up each time.

following the instructions under demo and configuring my setup to use http://test.bcovrin.vonx.io as the ledger, I am able to present a QR code "to initiate the Verifiable Credential exchange". However, using the streetcred app it says its an invalid QR code (I have a credential from Email Verification Service).

Which wallet should I be using and which DIDComm protocol(s) does the wallet need to support to complete the flow outlined by vc-authn-oidc?

When a proof-request fails, a message highlighting the various possible causes could be displayed.

In general, a proof verification sent by a mobile wallet could fail because of:

• missing attributes
• credential has been revoked

While iterating through following demo instructions using the Trinsic Wallet:

https://github.com/bcgov/vc-authn-oidc/blob/master/docs/DemoInstructions.md

the "Get a verifiable email credential" section does not specify which network you should be using! For example, when I try the Sovrin production network - wallet default - I am able to get the connection added but not the pending credential offer! I get a network mismatch error. My assumption was to use BCovrin since its a BC related demo but that didn't work either.

It is currently necessary to add a new IDP to Keycloak every time that a new proof configuration is added, in order for the "login with" button to correctly pass the pres_req_id query parameter to the controller, with the appropriate configuration id.

This means that a new client redirect URI matching the new IDP url needs to be added to the vc-authn controller database.

The options here could be:

• parametrize the allowed URIs, so that they can be set at deployment
• update the vc-authn controller to let the user pick which proof to use to sign in - from a list of "allowable" proof configs

for controller-db Cannot start service controller-db: driver failed programming external connectivity on endpoint vc-authn-oidc_controller-db_1 (bce5da213f86718b0eacbcf17e45adf404a2de31562cb416e6587be9f688a287): Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use

The above error is thrown and I am unable to proceed, i dont have any other ports occupied outside of what is in the script and VON network.

Adding a new client to a running instance of vc-authn is a process that requires manually inserting rows into the database.

Creating some scripts that can help automating this process would beneficial for both new users onboarding the platform AND for the long-term maintainability of existing deployments.

Additional information on what to look for will be added to the ticket, however the service is built on top of IdentityServer4 so their documentation may be useful as a reference.

On a successful authentication event, vc-authn returns a JWT contaninig all the claims used to fulfill the presentation request. The claims are all returned at the root level of the JWT, making it impossible to distinguish which credentials they are coming from especially when multiple claims using the same name were provided (e.g.: multiple issued dates from different credentials/schemas).

Example of "flat" payload:

{
  "sub": "1234567890",
  "given_name": "John",
  "family_name": "Doe",
  "issued_date": ["1970-01-01", "2000-01-01"]
  "iat": 1516239022
}

To resolve this, it would be good to return the claims in a structured object named after the schema they belong to.

Example of "structured" payload:

{
  "sub": "1234567890",
  "demographics": {
      "given_name": "John",
      "family_name": "Doe"
   },
   "epoch": {
       "issued_date": "1970-01-01"
   },
   "y2k": {
       "issued_date": "2000-01-01"
   }
  "iat": 1516239022
}

I tried Verified Credential Access from keycloaks login page.
However, the following error was displayed in the browser.

{"error":"acapy_call_failed","error_description":"Cannot fetch ACAPy wallet public did"}

I checked if ACAPy wallet is running. It didn't seem to run.

$ docker ps -a
CONTAINER ID        IMAGE                                                         COMMAND                  CREATED             STATUS                      PORTS                              NAMES
7d1234ca71cf        vc-authn-oidc-controller                                      "/bin/bash -c ' echo…"   14 minutes ago      Up 14 minutes               5000/tcp, 0.0.0.0:5000->80/tcp     vc-authn-oidc_controller_1
a50fa6c1dc65        bcgovimages/aries-cloudagent:py36-1.14-1_0.4.5                "/bin/bash -c 'sleep…"   14 minutes ago      Exited (0) 13 minutes ago                                      vc-authn-oidc_aca-py_1
70741c966d76        jboss/keycloak:7.0.0                                          "/opt/jboss/tools/do…"   14 minutes ago      Up 14 minutes               8443/tcp, 0.0.0.0:8180->8080/tcp   vc-authn-oidc_keycloak_1
b69ee126607c        registry.access.redhat.com/rhscl/postgresql-10-rhel7:latest   "container-entrypoin…"   14 minutes ago      Up 14 minutes               5432/tcp                           vc-authn-oidc_keycloak-db_1
c1b7e4b3c00d        registry.access.redhat.com/rhscl/postgresql-10-rhel7:latest   "container-entrypoin…"   14 minutes ago      Up 14 minutes               0.0.0.0:5432->5432/tcp             vc-authn-oidc_controller-db_1
f6084ab97392        registry.access.redhat.com/rhscl/postgresql-10-rhel7:latest   "container-entrypoin…"   14 minutes ago      Up 14 minutes               0.0.0.0:5433->5432/tcp             vc-authn-oidc_wallet-db_1

When I checked the log, it was output as follows.

$ docker logs a50fa6c1dc65

. . . 

2020-03-31 06:27:57,068 aries_cloudagent.config.ledger INFO Fetching genesis transactions from: http://192.168.65.3:9000/genesis
2020-03-31 06:28:01,133 aries_cloudagent.commands.start ERROR Exception during startup:
Traceback (most recent call last):
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aiohttp/connector.py", line 924, in _wrap_create_connection
    await self._loop.create_connection(*args, **kwargs))
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/asyncio/base_events.py", line 794, in create_connection
    raise exceptions[0]
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/asyncio/base_events.py", line 781, in create_connection
    yield from self.sock_connect(sock, address)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/asyncio/selector_events.py", line 439, in sock_connect
    return (yield from fut)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/asyncio/selector_events.py", line 469, in _sock_connect_cb
    raise OSError(err, 'Connect call failed %s' % (address,))
ConnectionRefusedError: [Errno 111] Connect call failed ('192.168.65.3', 9000)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/utils/http.py", line 51, in fetch
    response: ClientResponse = await session.get(url, headers=headers)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aiohttp/client.py", line 476, in _request
    timeout=real_timeout
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aiohttp/connector.py", line 522, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aiohttp/connector.py", line 854, in _create_connection
    req, traces, timeout)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aiohttp/connector.py", line 992, in _create_direct_connection
    raise last_exc
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aiohttp/connector.py", line 974, in _create_direct_connection
    req=req, client_error=client_error)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aiohttp/connector.py", line 931, in _wrap_create_connection
    raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 192.168.65.3:9000 ssl:None [Connect call failed ('192.168.65.3', 9000)]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/config/ledger.py", line 28, in fetch_genesis_transactions
    return await fetch(genesis_url, headers=headers)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/utils/http.py", line 59, in fetch
    raise FetchError("Exceeded maximum fetch attempts") from e
aries_cloudagent.utils.http.FetchError: Exceeded maximum fetch attempts

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/commands/start.py", line 77, in init
    await startup
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/commands/start.py", line 27, in start_app
    await conductor.start()
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/core/conductor.py", line 144, in start
    await ledger_config(context, public_did)
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/config/ledger.py", line 43, in ledger_config
    ] = await fetch_genesis_transactions(context.settings["ledger.genesis_url"])
  File "/home/indy/.pyenv/versions/3.6.9/lib/python3.6/site-packages/aries_cloudagent/config/ledger.py", line 30, in fetch_genesis_transactions
    raise ConfigError("Error retrieving ledger genesis transactions") from e
aries_cloudagent.config.base.ConfigError: Error retrieving ledger genesis transactions

Shutting down

I checked the operation on macOS Catalina Version 10.15.3 .
The command I executed is:

$ cd docker
$ ./manage build
$ ./manage start
$ curl -X POST "http://localhost:5000/api/vc-configs" -H "accept: application/json" -H "X-Api-Key: controller-api-key" -H "Content-Type: application/json-patch+json" -d "{ \"id\": \"test-request-config\", \"subject_identifier\": \"email\", \"configuration\": { \"name\": \"Basic Proof\", \"version\": \"1.0\", \"requested_attributes\": [ { \"name\": \"email\", \"restrictions\": [] }, { \"name\": \"first_name\", \"restrictions\": [] }, { \"name\": \"last_name\", \"restrictions\": [] } ], \"requested_predicates\": [] }}"

Can you tell me if there are any mistakes in the steps I took?

As mentioned in issue #41 (comment - #41 (comment)) see about updating the start script to automagically pick up the ngrok URLs.

This is a bit of bash playing based on some parsing of ngrok data that @esune has done elsewhere in the app. He'll get to it when he gets a chance, or someone else could grab it and ping him for getting started pointers.

Suggestion for cleanup of the "What's being asked for" -

• Get rid "claim" everywhere.
• Collapse the triplet into "Source Credential"
• Make the DID a link that on click pops up the DID
  • could put a link to resolve the DID on the popup.
• Put an "OR" between the triplets.

Something like:

Field: email
Restrictions:
 - Source Credential: verified-email:1.2.2 DID -OR-
 - Source Credential: iiw_attendance:1.2.4 DID -OR-
 - Source Credential: verified_person:1.22 DID

Would have to handle things like no restrictions, restrictions by schema, restrictions by cred def, restrictions by name, restrictions by value, etc.

Start the demo according to the steps, use the django demo, and use the trinsic wallet on the iPhone to scan the QR code displayed on the browser, and the error message will be displayed on the wallet, the message is " Error invalid QR Code".
trinsic wallet app , use the latest version on the app store，
demo code，clone the latest code from master

After navigating to keycloak and clicking on the Verified Credential Access, I am taken to the VCAuth service and given this message:
{"error":"unknown_presentation_record_id","error_description":"Cannot find respective record id"}

I get this error running both the ./manage script and the manual build with docker.

I've uploaded the log messages from this call:

I wonder if I need to configure the ledger? Seems that the genesis transaction file is not found.

log.txt

vc-authn-oidc needs several different configurations to be applied when a new client is registered to authenticate using it.

Currently, the configurations are being set manually in the database: it would be great to have a user interface that allowed users to self-serve and apply their configurations.

There may be different options online, including:

1. https://github.com/IdentityServer/IdentityServer4.Quickstart.UI
2. https://github.com/skoruba/IdentityServer4.Admin
3. https://github.com/brunohbrito/JPProject.IdentityServer4.AdminUI

Investigate capabilities and effort to integrate a UI with vc-authn-oidc.

We'd like to use the OIDC Library Demo in this repo as the basis of a workshop. We'd like the lab to include:

• running the demo locally and on Play with Docker
• using the verified email address credential to access the site
• improve the look and feel of the site.
• Run the demo on BCovrin test ledger by either by default or a command line option
  • Something easier than LEDGER_URL=.... ./manage start, e.g. ./manage start --BCTest
• provide guidance on how the user can change:
  • the presentation request to include the IIWBook verifiable credential
    • Nick is changing that, credential and by the time we get to HGF, it will be a different credential (likely "ConfBook" or something like that.
    • Display on the logged in screen the claims from the credentials

We also plan to add a second challenge at HGF for users that want to replicate the demo using a different Web Framework (other than Django). For that, we'd love to have a markdown doc that points to the key elements of the web framework - e.g. a bullet list of key elements and permalinks to lines of code.

No Project Lifecycle Badge found in your readme!

Hello! I scanned your readme and could not find a project lifecycle badge. A project lifecycle badge will provide contributors to your project as well as other stakeholders (platform services, executive) insight into the lifecycle of your repository.

What is a Project Lifecycle Badge?

It is a simple image that neatly describes your project's stage in its lifecycle. More information can be found in the project lifecycle badges documentation.

What do I need to do?

I suggest you make a PR into your README.md and add a project lifecycle badge near the top where it is easy for your users to pick it up :). Once it is merged feel free to close this issue. I will not open up a new one :)