
oid4vc-demo's Introduction

Sphereon


Configurable OID4VC Issuer and Verifier Demo with branding support


This is a fully configurable demo to showcase our OpenID for Verifiable Credentials libraries and components.

It shows how OID4VC technologies, like SIOPv2 (peer-to-peer authentication), OID4VP (verification), OID4VCI (issuance) and Presentation Exchange (requirements set by verifiers), work together. You can create your own screen sequences, branding and credential types.

Please note that this is a demo and not intended as production code.

Overview

In this document we show you step by step what you have to do to set up your own VCI demo.

The demo consists of 2 components, which can be found in the packages folder.

  • The agent, using our SSI-SDK, is responsible for key management, DIDs, Presentation Exchange storage and Issuer Metadata storage, as well as the actual issuance and verification of credentials. It can handle multiple issuer configurations as well as verifiers/presentation definitions at the same time, although the frontends will only use one.
  • A demo frontend, allowing you to fill out simple form(s), or to use a wallet, to supply some information, which is then used to issue a credential containing that information. The screens are configurable and you can create your own sequences. You can also change the look and feel and thus apply branding. This code can be exported and run on a regular web server if you want. It is a frontend communicating with the agent, using some of our OID4VC SSI-SDK plugins.

The demo uses code from our SSI-SDK, which provides 11 modules for OID4VC, QR code generation and issuance branding, integrating these technologies with a Key Management System, DID methods etc. The OID4VC modules in the SDK in turn use our less opinionated lower-level libraries, which allow people who do not want full agent functionality, or who have their own agent support (for instance Aries Framework Javascript), to integrate OID4VC functionality. Integrating the low-level libraries is a bit more work, but does bring flexibility. The most prominent low-level libraries are:

Wallet Prerequisites

You will need an OID4VC-capable wallet that supports SIOPv2, OID4VP, OID4VCI and Presentation Exchange. You can use our open-source wallet from the app stores; see our wallet demo instructions. Here is a list of wallets with the above-mentioned capabilities:

A scenario for fetching a credential. Note that since the process is dynamic, your setup might be a little different, but the main parts will stay the same.

To fetch a credential

And a scenario for presenting Verifiable Credential(s) in the OID4VP flow: OID4VP flow

Step by Step instructions

In the next chapters we show you how to set up the agent module and oid4vci-demo-front-end, followed by a brief introduction to how credential branding actually works.

Linux

Docker

Make sure to have a default Docker installation

Clone repository

  • Clone the repository:
git clone git@github.com:Sphereon-Opensource/OID4VC-demo.git

Install the configuration files

We maintain a Docker setup for building and testing in the directory docker/compose/build. We have created a script that installs and patches the agent configurations required to build and run the Docker containers.

To run this script, you need to have jq installed on your machine. To install it, you can run:

sudo apt install jq
# to ensure that you have installed jq correctly, you can run the following.
jq -V

It's located here: docker/compose/build/install-configs.sh <ecosystem> <agent host address>.

IMPORTANT: The host address should be either a DNS host or a LAN IP that is reachable for your mobile devices running SSI wallet software. For example:

./install-configs.sh sphereon http://192.168.x.x:5000

The install-configs.sh script will set up the environment for your containers using the .env.example files from packages/**/src/.env.example and put them in the directories under docker/compose/build:

oid4vci-demo-frontend/.env.local
oid4vp-demo-frontend/.env.local
agent/.env.local

(The .env.local files are copied and patched from the packages/**/src/.env.example files)

Please ensure that you execute the script and docker compose commands with ./docker/compose/build as working directory and have correctly set up your environment variables as outlined in the documentation for Setting up the agent and Setting up the VCI frontend.

The current example for ecosystem "sphereon" loads the folder packages/agent/conf/demos/sphereon as your base configuration folder. All ecosystems present in packages/agent/conf/demos can be installed using the install-configs.sh script.

To build and run the Docker containers, execute the following commands from within the respective directory:

Build the image and run the container

docker compose build # This builds the Docker images
docker compose up -d # This starts the Docker containers, this will require the .env & config files to be installed

The building process may take a few minutes. Once you execute the docker compose up command, three services will start: ssi-agent, oid4vci-demo-frontend, and oid4vp-frontend.

You should now be able to go to http://localhost:5001 and http://localhost:5002 respectively to test the issuer and verifier demos.

Please note that you might have to configure your docker environment to expose the host.docker.internal like the image below. If you cannot make that work you could adjust the config/docker and docker/compose/build/**/.env* files to suit your needs.

To build the images without docker-compose you can also just use "docker build" in the project root directory with some parameters:

docker build -f ./docker/Dockerfile -t oid4vc-demo-ssi-agent:latest --build-arg="PACKAGE_PATH=packages/agent" --build-arg="NODE_SCRIPT=start:dev" .
docker build -f ./docker/Dockerfile -t oid4vci-demo-frontend:latest --build-arg="PACKAGE_PATH=packages/oid4vci-demo-frontend" --build-arg="NODE_SCRIPT=start:prod" .
docker build -f ./docker/Dockerfile -t oid4vp-demo-frontend:latest --build-arg="PACKAGE_PATH=packages/oid4vp-demo-frontend" --build-arg="NODE_SCRIPT=start:prod" .

Windows

Docker Desktop (WSL2)

Make sure to have an installation of Docker Desktop with the default options (recommended WSL2)

Clone repository

  • Clone the repository:
# prevent Git from converting LF to CRLF in the bash script
git config --global core.autocrlf false
git clone git@github.com:Sphereon-Opensource/OID4VC-demo.git

Install the configuration files

We maintain a Docker setup for building and testing in the directory docker/compose/build. We have created a script that installs and patches the agent configurations required to build and run the Docker containers.

To build and run the Docker containers, execute the following commands from within the respective directory:

Build the image and run the container

  • DOS shell:
cd .\OID4VC-demo\docker\compose\build
docker compose build
docker run --name ubuntu-temp --rm -v C:/<path>/OID4VC-demo:/OID4VC-demo -w /OID4VC-demo/docker/compose/build ubuntu /bin/bash -c "apt update && apt install -y jq && ./install-configs.sh 'sphereon' 'http://192.168.x.x:5000'"
docker compose up -d
  • Make sure you unmount the config & env files before running install-configs.sh again:
docker compose down


oid4vc-demo's Issues

OID4VP issue

Hello.
I was following the demo instructions and I can issue a VC without any issues, but when I try to test the second part (OID4VP) and I scan the QR code to sign in, once I select the credential in the wallet, the share button is disabled.

Unable to resolve DID document for did:web:dbc2023.test4.sphereon.com

First of all, thanks for all your work.
I have an issue regarding the OID4VC-demo.
I'm using: Sphereon Wallet
I have followed the instructions for: docker/compose/build/install-configs.sh
and set up correctly the 3 services: ssi-agent, oid4vci-demo-frontend, and oid4vp-frontend.
When I try to scan the QR code for getting a credential or for authenticating, I get this error:
ERROR:
unable to retrive information . Error: resolver_error :Unable to resolve DID document for did:web:dbc2023.test4.sphereon.com:notFound,resolver_error:DID must resolve to a valid https URL containing a JSON document:TypeError Network request failed

What am I doing wrong?
Another thing that I don't understand is how the DID is connected with the wallet; I'm sorry, I'm new to this and it's really hard to understand the whole process.
When I scan the QR code for authentication (with Sphereon Wallet), how is the wallet referred to did:web:dbc2023.test4.sphereon.com?

Thanks a lot for your response !

Demo issuer fails with gateway timeout

I'm seeing frequent 504 gateway timeout errors with the demo issuer.

Steps:

The app shows "Getting information...". After 30 secs or so, it shows an error popup with "Unable to retrieve information. Error: ...504 Gateway Time-out" (error body is in HTML, with tags showing).


Errors in SIOP flow using Sphereon Wallet

Hello! For educational and self-learning purposes I started to build my own rudimentary implementation of a Relying Party that uses SIOP protocol.
I am using the latest version of Sphereon Wallet and this demo branched off of main in parallel with my custom implementation.

The issue I am facing is on the wallet side, after scanning the QR code and getting the Auth Request, the Wallet Application shows the following error:

Unable to retrieve information.
Error: Request claims can't have 'presentation_definition' and 'presentation_definition_uri'

I started using my own implementation until I got stuck, then I turned to the Demo example, when I also got stuck with the same issue.
There seems to be a discrepancy between the SIOP Draft version the App uses and the one the Demo uses, but I am not being able to detect it.
The QR code renders this link:

openid://?request_uri=http%3A%2F%2F192.168.1.36%3A5003%2Fsiop%2Fdefinitions%2FsphereonGuest%2Fauth-requests%2F4446e50e-b54b-4293-8bfe-cbeba8722d06

And the result of that request uri looks like this:

JWT Encoded
eyJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOa3NpTENKMWMyVWlPaUp6YVdjaUxDSnJkSGtpT2lKRlF5SXNJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbmdpT2lJMlNsUXhNa2RLYlU1S09XVkdPWHA0TjE5SFFtMVNla1I0VGpWNmVqRXhhRkZQTW5Sc1RFVXRaV0ZSSWl3aWVTSTZJbEIxVGxab0xWZHlTaTA1YjNSTWRrcFRXRTVZVFZGcE0zbzVjakZ3Um1zNFgwOVRkRTAyYW1oeWJFVWlmUSMwIiwidHlwIjoiSldUIn0.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.H_EhUZtxipr_xUqyIyt1O_bnxWuEwkCbwhPQTU9PmOFox6RYkgUQhiwh48_0yPfg_50XA6gvJEKaCMsohv4VtA
JSON Payload (header and signature skipped for convenience)
{
  "iat": 1710871846,
  "exp": 1710871966,
  "response_type": "vp_token",
  "scope": "openid",
  "client_id": "did:jwk:eyJhbGciOiJFUzI1NksiLCJ1c2UiOiJzaWciLCJrdHkiOiJFQyIsImNydiI6InNlY3AyNTZrMSIsIngiOiI2SlQxMkdKbU5KOWVGOXp4N19HQm1SekR4TjV6ejExaFFPMnRsTEUtZWFRIiwieSI6IlB1TlZoLVdySi05b3RMdkpTWE5YTVFpM3o5cjFwRms4X09TdE02amhybEUifQ",
  "response_uri": "http://192.168.1.36:5003/siop/definitions/sphereonGuest/auth-responses/4446e50e-b54b-4293-8bfe-cbeba8722d06",
  "response_mode": "post",
  "nonce": "f198b9f2-bf9b-408e-bd38-189c296b9f91",
  "state": "4446e50e-b54b-4293-8bfe-cbeba8722d06",
  "client_metadata": {
    "id_token_signing_alg_values_supported": [
      "EdDSA",
      "ES256",
      "ES256K"
    ],
    "request_object_signing_alg_values_supported": [
      "EdDSA",
      "ES256",
      "ES256K"
    ],
    "response_types_supported": [
      "id_token"
    ],
    "scopes_supported": [
      "openid did_authn"
    ],
    "subject_types_supported": [
      "pairwise"
    ],
    "subject_syntax_types_supported": [
      "did:ion",
      "did:web",
      "did:jwk"
    ],
    "vp_formats": {
      "jwt_vc": {
        "alg": [
          "EdDSA",
          "ES256K"
        ]
      },
      "jwt_vp": {
        "alg": [
          "ES256K",
          "EdDSA"
        ]
      }
    }
  },
  "presentation_definition": {
    "id": "sphereonGuest",
    "purpose": "We want to know your name and e-mail address (will not be stored)",
    "input_descriptors": [
      {
        "id": "c2834d0e-3c95-4721-b21a-40e3d7ea2549",
        "name": "DBC DIIP interop",
        "purpose": "To issue a new credential your DBC DIIP Guest credential is required.",
        "constraints": {
          "fields": [
            {
              "path": [
                "$.credentialSubject.name",
                "$.vc.credentialSubject.name"
              ],
              "filter": {
                "type": "string",
                "pattern": "^DBC.*$"
              }
            }
          ]
        }
      }
    ]
  },
  "nbf": 1710871846,
  "jti": "799fe99b-0137-4623-9793-1140f7216ca1",
  "iss": "did:jwk:eyJhbGciOiJFUzI1NksiLCJ1c2UiOiJzaWciLCJrdHkiOiJFQyIsImNydiI6InNlY3AyNTZrMSIsIngiOiI2SlQxMkdKbU5KOWVGOXp4N19HQm1SekR4TjV6ejExaFFPMnRsTEUtZWFRIiwieSI6IlB1TlZoLVdySi05b3RMdkpTWE5YTVFpM3o5cjFwRms4X09TdE02amhybEUifQ",
  "sub": "did:jwk:eyJhbGciOiJFUzI1NksiLCJ1c2UiOiJzaWciLCJrdHkiOiJFQyIsImNydiI6InNlY3AyNTZrMSIsIngiOiI2SlQxMkdKbU5KOWVGOXp4N19HQm1SekR4TjV6ejExaFFPMnRsTEUtZWFRIiwieSI6IlB1TlZoLVdySi05b3RMdkpTWE5YTVFpM3o5cjFwRms4X09TdE02amhybEUifQ"
}

As you can see, there is no such item like presentation_definition_uri in that payload, so I am not really sure where the problem is.

I would really appreciate help in solving it!
Thanks!
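The presentation definition in the request above is what decides which credentials a wallet offers for sharing. As an added example (not code from the OID4VC-demo project or the Sphereon wallet), here is a minimal Presentation Exchange evaluator for input descriptors of that shape, run over constructed sample credentials; it supports only what the sphereonGuest definition uses (dot-separated `$.a.b.c` paths and string `type`/`pattern` filters).

```typescript
// Added example, not code from the OID4VC-demo project: a minimal Presentation
// Exchange evaluator for input descriptors of the shape used by the
// "sphereonGuest" definition above. Supports only what that definition uses:
// dot-separated `$.a.b.c` paths and string `type` / `pattern` filters.

interface PexFilter { type?: string; pattern?: string }
interface PexField { path: string[]; filter?: PexFilter }
interface InputDescriptor { id: string; constraints: { fields: PexField[] } }

// The input descriptor from the authorization request above.
const sphereonGuestDescriptor: InputDescriptor = {
  id: 'c2834d0e-3c95-4721-b21a-40e3d7ea2549',
  constraints: {
    fields: [{
      path: ['$.credentialSubject.name', '$.vc.credentialSubject.name'],
      filter: { type: 'string', pattern: '^DBC.*$' },
    }],
  },
};

// Resolve a `$.a.b.c` path against a document; undefined when it does not resolve.
function resolvePath(doc: unknown, path: string): unknown {
  if (!path.startsWith('$.')) return undefined;
  let cur: unknown = doc;
  for (const key of path.slice(2).split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    const obj = cur as Record<string, unknown>;
    if (!(key in obj)) return undefined;
    cur = obj[key];
  }
  return cur;
}

// The path entries are alternatives (JSON-LD layout vs. JWT VC layout with the
// claims under `vc`); the field is satisfied when one of them yields a value
// that passes the filter.
function fieldSatisfied(field: PexField, credential: unknown): boolean {
  return field.path.some((p) => {
    const value = resolvePath(credential, p);
    if (value === undefined) return false;
    const f = field.filter;
    if (!f) return true;
    if (f.type !== undefined && typeof value !== f.type) return false;
    if (f.pattern !== undefined && !new RegExp(f.pattern).test(String(value))) return false;
    return true;
  });
}

// Every field constraint must hold for the credential to satisfy the descriptor.
function descriptorSatisfied(descriptor: InputDescriptor, credential: unknown): boolean {
  return descriptor.constraints.fields.every((f) => fieldSatisfied(f, credential));
}

// Which of a wallet's stored credentials are selectable for this descriptor?
function selectable(descriptor: InputDescriptor, credentials: Record<string, unknown>): string[] {
  return Object.keys(credentials).filter((label) => descriptorSatisfied(descriptor, credentials[label]));
}

// Constructed sample credentials (not real issued credentials): a decoded JWT VC
// payload (claims nested under `vc`), a JSON-LD credential, and one whose
// subject name does not start with "DBC".
const jwtVcPayload = { iss: 'did:web:issuer.example', vc: { credentialSubject: { name: 'DBC Guest 2023' } } };
const ldCredential = { credentialSubject: { id: 'did:jwk:placeholder', name: 'DBC Conference Guest' } };
const unrelatedCredential = { credentialSubject: { name: 'Jane Doe' } };

console.log(selectable(sphereonGuestDescriptor, { jwtVcPayload, ldCredential, unrelatedCredential }));
// → [ 'jwtVcPayload', 'ldCredential' ]
```

A credential that resolves a path but fails the filter (for example a name that does not start with "DBC", or a non-string name) is simply not offered, which is one reason a wallet can show a credential as not selectable without reporting an error.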

Error when trying to acquire a credential.

Hello, I have been testing the OID4VCI libraries with the issuer front-end available at: https://ssi.sphereon.com/demo/issuer.
I have been trying to request a demo credential (Sphereon Guest Credential) following the guide about OpenID4VCI Client.
Every step goes smoothly until I try to acquire the credential. The error I am encountering is the following:
Error: Retrieving a credential from https://ssi.sphereon.com/pf3/credentials for issuer https://ssi.sphereon.com/pf3 failed with status: 500
I'll let the code I am using in case I am forgetting something.

import crypto from 'crypto'
import * as jose from 'jose'
import { v4 } from 'uuid'
import { DIDDocument } from 'did-resolver'
import { OpenID4VCIClient } from '@sphereon/oid4vci-client'
import { Alg, Jwt, ProofOfPossessionCallbacks } from '@sphereon/oid4vci-common'
// `did` is the DID key generation library used in the original snippet; its import was not shown there.

async function acquireGuestCredential(uri: string) {
  //1. Create the client from the credential offer URI and fetch the issuer metadata
  const client = await OpenID4VCIClient.fromURI({ uri: uri, clientId: 'test-clientID' })
  const metadata = await client.retrieveServerMetadata()

  //2. Acquire access token from authorization server endpoint (the client keeps it for the credential request)
  const accessToken = await client.acquireAccessToken({})

  //3. Create DID needed for later proof of possession
  const { keys, didDocument } = await did.jwk.generate({
    type: 'secp256k1', // 'P-256', 'P-384', 'X25519', 'secp256k1'
    accept: 'application/did+json',
    secureRandom: () => {
      return crypto.randomBytes(32)
    },
  })
  // secp256k1 key, signed with ES256K below (the alg is passed since the JWK may not carry one)
  const privateKey = await jose.importJWK(keys[0].privateKeyJwk, 'ES256K')

  // Signs the proof-of-possession JWT that binds the issued credential to the wallet key
  async function signCallback(args: Jwt, kid?: string): Promise<string> {
    if (!args.payload.aud) {
      throw new Error('aud required')
    } else if (!kid) {
      throw new Error('kid required')
    }
    return await new jose.SignJWT({ ...args.payload })
      // the kid in the protected header lets the issuer locate the wallet's public key
      .setProtectedHeader({ alg: args.header.alg, kid })
      .setIssuedAt() // jose takes seconds; +new Date() would have given milliseconds
      .setIssuer(kid)
      .setAudience(args.payload.aud)
      .setExpirationTime('2h')
      .sign(privateKey)
  }

  const callbacks: ProofOfPossessionCallbacks<DIDDocument> = {
    signCallback: signCallback,
  }

  //4. Request the credential, proving possession of the DID key
  const credentialResponse = await client.acquireCredentials({
    credentialTypes: 'GuestCredential',
    proofCallbacks: callbacks,
    format: 'jwt_vc_json',
    alg: Alg.ES256K,
    kid: didDocument.verificationMethod[0].id,
    jti: v4(),
  })
  console.log(credentialResponse.credential)
  return credentialResponse
}

resolver_error: Unable to resolve DID document for sphereon:ssi-wallet: invalidDid,

I am trying to run the demo environment locally (after making the changes from the readme), and started the manual flow. All goes well, and I get a QR code generated, but when I try to use the Sphereon mobile app to scan the code, I am getting the issue:

resolver_error: Unable to resolve DID document for sphereon:ssi-wallet: invalidDid,

When I do the same with your demo environment https://ssi.sphereon.com/demo/issuer , somehow it works well. And I am trying to understand why it does not work. The mobile app can access the urls.

I also isolated the issue into a postman command:

POST http://IP:5000/sphereon2023/credentials

{"types":["GuestCredential"],"format":"jwt_vc_json","proof":{"proof_type":"jwt","jwt":"eyJ0eXAiOiJvcGVuaWQ0dmNpLXByb29mK2p3dCIsImFsZyI6IkVTMjU2SyIsImtpZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGVXpJMU5rc2lMQ0oxYzJVaU9pSnphV2NpTENKcmRIa2lPaUpGUXlJc0ltTnlkaUk2SW5ObFkzQXlOVFpyTVNJc0luZ2lPaUpqZWxrNVpIa3hibkZpWnpsR1JUVTRhM0JIV2paWFZXaEtSbFZXTW5ORFdUVTRXbFZDWlhSeFJUSlJJaXdpZVNJNklrOUNVR1EwTVZKUVUzbHdjWHB5V2prdFYwdzFkVkpNWVdoT1RtSnNhSFI0TldSWU1scFFSbk5pTkdjaWZRIzAifQ.eyJpYXQiOjE2OTAyNzYzNjUuNDU2LCJleHAiOjE2OTAyNzcwMjUuNDU2LCJhdWQiOiJodHRwOi8vMTAuMC4yLjI6NTAwMC9zcGhlcmVvbjIwMjMiLCJub25jZSI6IjVhMTRjZDdhLTNhYzEtNDQ3OC04YWUzLTEzMzc0MTkwNjFhMCIsImlzcyI6InNwaGVyZW9uOnNzaS13YWxsZXQiLCJqdGkiOiI2OGYwZWEyYS02YWQ4LTQ2MjYtYjAwOC1kZDg0Zjg0YmZmMmUifQ.kqs4HbUlOFwsJEOIRRXmS9Qnva3QLKcb8GuGw4J90QdVySnSmU4ja2Gvdh4Jky5yNN06o0yOy7wp46imAAv3qA"}}

with the result:
{
"error": "invalid_request",
"error_description": "resolver_error: Unable to resolve DID document for sphereon:ssi-wallet: invalidDid, "
}

Any idea?

Thanks!

Bug: Module not found

After a fresh clone and pnpm install I tried to run the project with pnpm run start:dev and got this error:

packages/agent start:dev:     throw new ERR_MODULE_NOT_FOUND(
packages/agent start:dev:           ^
packages/agent start:dev: CustomError: Cannot find module '/home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/@[email protected]/node_modules/@sphereon/did-auth-siop/dist/module/schemas/validation/schemaValidation.js' imported from /home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/@[email protected]/node_modules/@sphereon/did-auth-siop/dist/module/schemas/validation/index.mjs
packages/agent start:dev:     at finalizeResolution (/home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/dist-raw/node-internal-modules-esm-resolve.js:352:11)
packages/agent start:dev:     at moduleResolve (/home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/dist-raw/node-internal-modules-esm-resolve.js:801:10)
packages/agent start:dev:     at Object.defaultResolve (/home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/dist-raw/node-internal-modules-esm-resolve.js:912:11)
packages/agent start:dev:     at /home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/src/esm.ts:218:35
packages/agent start:dev:     at entrypointFallback (/home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/src/esm.ts:168:34)
packages/agent start:dev:     at /home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/src/esm.ts:217:14
packages/agent start:dev:     at addShortCircuitFlag (/home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/src/esm.ts:409:21)
packages/agent start:dev:     at resolve (/home/mimo/Projects/OID4VC-demo/node_modules/.pnpm/[email protected]_@[email protected][email protected]/node_modules/ts-node/src/esm.ts:197:12)
packages/agent start:dev:     at nextResolve (node:internal/modules/esm/loader:163:28)
packages/agent start:dev:     at ESMLoader.resolve (node:internal/modules/esm/loader:835:30)
packages/agent start:dev: Failed
/home/mimo/Projects/OID4VC-demo/packages/agent:
 ERR_PNPM_RECURSIVE_RUN_FIRST_FAIL  @sphereon/[email protected] start:dev: `node --experimental-specifier-resolution=node --loader ts-node/esm src/agent.ts`
Exit status 1
 ELIFECYCLE  Command failed with exit code 1.

I tried to run the pnpm install with the --frozen-lockfile parameter, but this returned me this error:

ERR_PNPM_LOCKFILE_CONFIG_MISMATCH  Cannot proceed with the frozen installation. The current "overrides" configuration doesn't match the value found in the lockfile

Errors in VC Issuance with Wallet (SIOP) & VC Presentation

Overview:

In attempting to use the OID4VC-demo for VC issuance and presentation with the Sphereon wallet, I've hit two major roadblocks:

  • Failure in VC issuance through the wallet ("Use your wallet" option)
  • Errors in VC presentation for authentication.

Here are details of the two issues.

Issues Encountered:

Issue 1: Error During VC Issuance with Wallet (SIOP) Option

Steps to Reproduce:

Initiated the agent, frontend-vci, and frontend-vp containers as per the provided instructions.
Attempted VC issuance using the "Use your wallet" option on the credential issuer interface.

Expected Behavior:

Smooth integration and interaction between the Sphereon wallet and the OID4VC-demo to issue the VC.

Actual Behavior:

Error seen on Sphereon wallet:
Unable to present credentials: Error: Error 500: {"error": "Could not verify auth status"}.

Error seen on Agent container (oid4vc-demo-ssi-agent):
2024-02-18 17:35:38 Authorization Response (siop-sessions 2024-02-18 17:35:38 { 2024-02-18 17:35:38   "expires_in": "300", 2024-02-18 17:35:38   "state": "034a3a98-89a6-4e66-8cac-166e7c113571", 2024-02-18 17:35:38   "presentation_submission": "{\"id\":\"l5QeJMoMqFTnQCjy5O85g\",\"definition_id\":\"sphereonWalletIdentity\",\"descriptor_map\":[{\"id\":\"ace7aff1-0234-4f35-9d21-251668a60950\",\"format\":\"jwt_vc\",\"path\":\"$.verifiableCredential[0]\"}]}", 2024-02-18 17:35:38   "vp_token": "..." 2024-02-18 17:35:38 } 2024-02-18 17:35:38 Supplied presentation_submission was a string instead of JSON. Correctig, but external party should fix their implementation! 2024-02-18 17:35:38 URI: {"expires_in":"300","state":"034a3a98-89a6-4e66-8cac-166e7c113571","presentation_submission":{"id":"l5QeJMoMqFTnQCjy5O85g","definition_id":"sphereonWalletIdentity","descriptor_map":[{"id":"ace7aff1-0234-4f35-9d21-251668a60950","format":"jwt_vc","path":"$.verifiableCredential[0]"}]},"vp_token":"..."} 2024-02-18 17:35:38 TypeError: Cannot read properties of undefined (reading 'payload') 2024-02-18 17:35:38     at AuthorizationResponse.<anonymous> (/opt/oid4vc-demo/node_modules/.pnpm/@[email protected]/node_modules/@sphereon/did-auth-siop/dist/authorization-response/AuthorizationResponse.js:116:102) 2024-02-18 17:35:38     at Generator.next (<anonymous>) 2024-02-18 17:35:38     at fulfilled (/opt/oid4vc-demo/node_modules/.pnpm/@[email protected]/node_modules/@sphereon/did-auth-siop/dist/authorization-response/AuthorizationResponse.js:5:58) 2024-02-18 17:35:38     at process.processTicksAndRejections (node:internal/process/task_queues:95:5) 2024-02-18 17:35:38 sendErrorResponse (500): Could not verify auth status 2024-02-18 17:35:38 error message: Cannot read properties of undefined (reading 'payload') 2024-02-18 17:35:38 error object: {} 2024-02-18 17:35:38 Original error stack (if any) and REST API error stack: 2024-02-18 17:35:38 TypeError: Cannot read properties of undefined (reading 
'payload') 2024-02-18 17:35:38     at AuthorizationResponse.<anonymous> (/opt/oid4vc-demo/node_modules/.pnpm/@[email protected]/node_modules/@sphereon/did-auth-siop/dist/authorization-response/AuthorizationResponse.js:116:102) 2024-02-18 17:35:38     at Generator.next (<anonymous>) 2024-02-18 17:35:38     at fulfilled (/opt/oid4vc-demo/node_modules/.pnpm/@[email protected]/node_modules/@sphereon/did-auth-siop/dist/authorization-response/AuthorizationResponse.js:5:58) 2024-02-18 17:35:38     at process.processTicksAndRejections (node:internal/process/task_queues:95:5) 2024-02-18 17:35:38 Error 2024-02-18 17:35:38     at sendErrorResponse (/opt/oid4vc-demo/node_modules/.pnpm/@[email protected]_@[email protected][email protected]/node_modules/@sphereon/ssi-express-support/dist/express-utils.js:23:23) 2024-02-18 17:35:38     at /opt/oid4vc-demo/node_modules/.pnpm/@[email protected][email protected][email protected]_ny4ssxtrad5zz6thktcyxgrcgm/node_modules/@sphereon/ssi-sdk.siopv2-oid4vp-rp-rest-api/dist/siop-api-functions.js:72:64 2024-02-18 17:35:38     at Generator.throw (<anonymous>) 2024-02-18 17:35:38     at rejected (/opt/oid4vc-demo/node_modules/.pnpm/@[email protected][email protected][email protected]_ny4ssxtrad5zz6thktcyxgrcgm/node_modules/@sphereon/ssi-sdk.siopv2-oid4vp-rp-rest-api/dist/siop-api-functions.js:6:65) 2024-02-18 17:35:38     at process.processTicksAndRejections (node:internal/process/task_queues:95:5) 2024-02-18 17:35:38 POST /siop/definitions/sphereonWalletIdentity/auth-responses/4db5e562-1af4-45de-910c-1481b3eb9f43 500 38.958 ms - 40

Issue 2: VC Presentation Demo Compatibility and Error

Steps to Reproduce:

Stored VCs issued from the OID4VC-demo's issuer page (localhost:5001) in the Sphereon wallet.
Attempted to authenticate by presenting a VC at the verifier demo (localhost:5002) through the Sphereon wallet.

Expected Behavior:

On presenting the appropriate VC, the expectation was to authenticate and sign in seamlessly within the demo environment, utilizing the VCs issued by the localhost issuer.

Actual Behavior:

The Sphereon wallet did not list the VCs issued by the localhost issuer as compatible for presentation, leading to a failure in authentication.
Resorting to using a VC issued from "https://ssi.sphereon.com/demo/issuer/#/credentials/select" for presentation, which ideally should not be necessary, resulted in the following error on localhost:5002 webpage:
Uncaught runtime errors: ERROR Cannot read properties of undefined (reading 'payload')     at handleError (http://localhost:5002/static/js/bundle.js:79723:58)     at http://localhost:5002/static/js/bundle.js:79746:7
This unexpected behavior suggests a missing link in the VC compatibility or support within the OID4VC-demo, particularly with the VCs issued by its own issuer demo.

Request for Support:

Facing challenges with VC issuance and presentation in the OID4VC-demo, I'm seeking assistance to resolve these critical issues. Any support or guidance to overcome these hurdles would be greatly appreciated.
Please let me know if you need further details or logs to facilitate troubleshooting.

Problem with local dev config for demo issuer front-end

I'm trying to run the issuer front-end locally on my dev machine, either against the local agent (via ngrok) or the one at https://ssi.sphereon.com.

In .env.local, copied from .env per the instructions, should it have:
REACT_APP_OID4VP_PRESENTATION_DEF_ID=sphereon (like in the .env file)
or
REACT_APP_OID4VP_PRESENTATION_DEF_ID=sphereon2023 (like in the README)

Example packages/oid4vci-demo-frontend/.env.local:

REACT_APP_OID4VP_AGENT_BASE_URL=https://ssi.sphereon.com/agent
REACT_APP_OID4VP_PRESENTATION_DEF_ID=sphereon
REACT_APP_OID4VCI_AGENT_BASE_URL=https://ssi.sphereon.com/issuer/sphereon2023
REACT_APP_ENVIRONMENT=sphereon
PORT=5001

With REACT_APP_OID4VP_PRESENTATION_DEF_ID as sphereon, trying to log in with the Sphereon ID wallet app (latest iOS version) fails with:

Unable to retrieve information. Error: undefined is not an object (evaluating 'e.claims.vp_token')

The payload of the auth request JWT doesn't contain any claims, and the app isn't resilient to that, surfacing the low level error.


If I change it to sphereon2023, it gets further, but the wallet prompts for the guest credential, not the primary wallet ID credential. In the expected demo flow, this is only issued later, after authenticating.

If instead I enter the auth info manually, it goes through OK to issuing the guest credential

@nklomp I see there have been recent changes here. Could you please clarify?

Question about the issuer demo

Hello,
On https://ssi.sphereon.com/demo/issuer/
I see in the credential offer an array of strings

{
  "grants": {
    "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
      "pre-authorized_code": "hTJJAbnSdRi5fK1z46imAV",
      "user_pin_required": false
    }
  },
  "credentials": [
    "DBCGuest"
  ],

but DBCGuest is not used as the "id" in the credentials_supported section, which is my interpretation of the draft 11 credential offer:
If the entry is a string, the string value MUST be one of the id values in one of the objects in the credentials_supported Credential Issuer metadata parameter. When processing, the Wallet MUST resolve this string value to the respective object.
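The rule quoted above is mechanical enough to implement directly. As an added example (not code from the OID4VC-demo project), the function below resolves the `credentials` array of a draft-11 Credential Offer against an issuer's `credentials_supported` metadata: a string entry must equal an entry's `id`, and an object entry is matched on its `format` and `types` (the jwt_vc_json parameters). The offer reuses the "DBCGuest" entry shown above; both metadata documents are constructed to show the two outcomes.

```typescript
// Added example, not code from the OID4VC-demo project: resolves the
// `credentials` array of a draft-11 Credential Offer against the issuer's
// `credentials_supported` metadata. A string entry MUST equal an `id` in
// credentials_supported; an object entry is matched on format and types.

interface CredentialSupported { id?: string; format: string; types?: string[] }
interface IssuerMetadata { credential_issuer: string; credentials_supported: CredentialSupported[] }
type OfferEntry = string | { format: string; types?: string[] };
interface CredentialOffer { credential_issuer: string; credentials: OfferEntry[] }
interface ResolvedOffer { resolved: CredentialSupported[]; unresolved: OfferEntry[] }

// An object entry matches when the format is equal and, if types are given,
// the type sets are identical.
function matchesObjectEntry(entry: { format: string; types?: string[] }, c: CredentialSupported): boolean {
  if (c.format !== entry.format) return false;
  if (!entry.types) return true;
  const have = new Set(c.types || []);
  return entry.types.length === have.size && entry.types.every((t) => have.has(t));
}

function resolveCredentialOffer(offer: CredentialOffer, metadata: IssuerMetadata): ResolvedOffer {
  const resolved: CredentialSupported[] = [];
  const unresolved: OfferEntry[] = [];
  for (const entry of offer.credentials) {
    const hit = typeof entry === 'string'
      ? metadata.credentials_supported.find((c) => c.id === entry)
      : metadata.credentials_supported.find((c) => matchesObjectEntry(entry, c));
    if (hit) resolved.push(hit);
    else unresolved.push(entry); // the wallet cannot tell what was offered
  }
  return { resolved, unresolved };
}

// The offer from the post (issuer URL replaced by a placeholder).
const offer: CredentialOffer = {
  credential_issuer: 'https://issuer.example/placeholder',
  credentials: ['DBCGuest'],
};

// Constructed metadata whose entries carry no `id`: the string "DBCGuest" cannot be resolved.
const metadataWithoutIds: IssuerMetadata = {
  credential_issuer: 'https://issuer.example/placeholder',
  credentials_supported: [{ format: 'jwt_vc_json', types: ['VerifiableCredential', 'GuestCredential'] }],
};

// Constructed metadata where the entry carries the `id` the offer refers to.
const metadataWithIds: IssuerMetadata = {
  credential_issuer: 'https://issuer.example/placeholder',
  credentials_supported: [{ id: 'DBCGuest', format: 'jwt_vc_json', types: ['VerifiableCredential', 'GuestCredential'] }],
};

console.log(resolveCredentialOffer(offer, metadataWithoutIds)); // unresolved: [ 'DBCGuest' ]
console.log(resolveCredentialOffer(offer, metadataWithIds));    // resolved: [ { id: 'DBCGuest', ... } ]
```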

VC with status

Hey guys, I was using your demo and both OID4VCI and OID4VP work perfectly! Good job.

I have one question about issuing VC with status / credentialStatus.
From what I can see, currently, the credentials issued within the demo don't have status.
I want to have something like this https://www.npmjs.com/package/@sphereon/vc-status-list
Which plugins should I add to the agent in this demo to be able to issue VCs with status?

Question about some SIOPv2 specification details

I was playing around with the example and I noticed two things regarding how some of the SIOPv2 specifications are implemented.

Firstly, I noticed that when Authorization Response is returned to the endpoint specified in the redirect_uri, it will be rejected when its iss value is not set to "https://self-isued.me/v2", e.g.:

verifyAuthenticationResponseJwt failed: Error: The Response Token Issuer Claim (iss) MUST start with https://self-isued.me/v2, got: did:key:z6MkfeU6K1HNu5G8saotMzUmiAPoche1k942rTqWkgEfxh3S

As far as I understand this is compliant with section 7.4 in the OpenID Connect core specification: "1. The iss (issuer) Claim Value is https://self-issued.me.".
However, in section 11 of the SIOPv2 specification, the iss claim is described as: "REQUIRED. in case of a Self-Issued ID Token, this claim MUST be set to the value of the sub claim in the same ID Token.", where the sub claim can be either a JWK Thumbprint, or a Decentralized Identifier.

On validation of the ID Token in section 11 of SIOPv2 it is mentioned that "1. The Relying Party (RP) MUST determine whether the ID Token has been issued by the Self-Issued OP. The ID Token is self-issued if the iss claim and the sub claim have the same value. If both values differ, the ID Token MUST be processed as defined in [OpenID.Core], section 3.2.2.11.."

In section 3.2.2.11 there is no mention anymore of "https://self-isued.me/v2". So I was wondering what your thoughts are about this? My interpretation of all of this is that using "https://self-isued.me/v2" has become obsolete with the introduction of using DIDs or JWK Thumbprints in SIOPv2.

The second thing I noticed is that the client_id is not present in the Authorization Request used in this example:

"openid-vc://?request_uri=http%3A%2F%2Flocalhost%3A3002%2Fext%2Fdefinitions%2F9449e2db-791f-407c-b086-c21cc677d2e0%2Fauth-requests%2F629773a7-ce3d-4d30-8363-79b5453163fe"

Only the request_uri parameter is present. However, according to SIOPv2, the client_id MUST be present when either the request or the request_uri parameter is present: https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#section-9-7

I guess that's just a minor detail and perhaps not very important for this example repo. I'm just pointing this out to check whether I am missing something in my understanding 😄
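The two points raised above can be written down as Relying Party checks. As an added example (not code from the OID4VC-demo project or its libraries), the block below parses the request URI from the post and flags a missing client_id, and classifies an ID Token as self-issued when iss equals sub, as the quoted SIOPv2 section 11 text requires, while still recognising the older fixed issuer value; the token payloads are constructed samples, and the DID shown is the one from the error message above.

```typescript
// Added example, not code from the OID4VC-demo project: Relying Party side
// checks for the two SIOPv2 points discussed above.

// Fixed `iss` value required by older SIOPv2 drafts (the error message above shows a
// misspelt variant of it); current drafts require iss == sub instead.
const LEGACY_SIOP_ISSUER = 'https://self-issued.me/v2';

type AuthRequestParams = Record<string, string>;

// Parse the query part of an `openid-vc://?...` (or `openid://?...`) request URI.
function parseAuthorizationRequest(uri: string): AuthRequestParams {
  const q = uri.indexOf('?');
  const params: AuthRequestParams = {};
  if (q < 0) return params;
  new URLSearchParams(uri.slice(q + 1)).forEach((value, key) => { params[key] = value; });
  return params;
}

// Structural problems an RP or conformance check would flag in an Authorization Request.
function authorizationRequestProblems(p: AuthRequestParams): string[] {
  const problems: string[] = [];
  const hasRequestObject = 'request' in p || 'request_uri' in p;
  if ('request' in p && 'request_uri' in p) {
    problems.push('request and request_uri must not both be present');
  }
  if (hasRequestObject && !p.client_id) {
    problems.push('client_id is required when request or request_uri is present');
  }
  return problems;
}

interface IdTokenPayload { iss: string; sub: string }
type IssuerKind = 'self-issued' | 'self-issued-legacy' | 'third-party';

// Decide how the ID Token must be processed (SIOPv2 section 11, as quoted above).
function classifyIdToken(t: IdTokenPayload): IssuerKind {
  if (t.iss === t.sub) return 'self-issued';
  if (t.iss === LEGACY_SIOP_ISSUER) return 'self-issued-legacy';
  return 'third-party'; // process as in OpenID Connect Core section 3.2.2.11
}

// For a self-issued token, `sub` is either a DID or a JWK thumbprint (base64url SHA-256).
function subjectSyntax(sub: string): 'did' | 'jwk-thumbprint' | 'unknown' {
  if (/^did:[a-z0-9]+:.+$/.test(sub)) return 'did';
  if (/^[A-Za-z0-9_-]{43}$/.test(sub)) return 'jwk-thumbprint';
  return 'unknown';
}

// The request URI quoted in the post above.
const requestFromPost =
  'openid-vc://?request_uri=http%3A%2F%2Flocalhost%3A3002%2Fext%2Fdefinitions%2F9449e2db-791f-407c-b086-c21cc677d2e0%2Fauth-requests%2F629773a7-ce3d-4d30-8363-79b5453163fe';

// Constructed token payload using the DID from the error message above.
const selfIssuedToken: IdTokenPayload = {
  iss: 'did:key:z6MkfeU6K1HNu5G8saotMzUmiAPoche1k942rTqWkgEfxh3S',
  sub: 'did:key:z6MkfeU6K1HNu5G8saotMzUmiAPoche1k942rTqWkgEfxh3S',
};

console.log(authorizationRequestProblems(parseAuthorizationRequest(requestFromPost)));
// → [ 'client_id is required when request or request_uri is present' ]
console.log(classifyIdToken(selfIssuedToken), subjectSyntax(selfIssuedToken.sub));
// → self-issued did
```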
