Closed edutomesco closed 3 weeks ago
Yes, it works. Where is your issuer? @edutomesco
@edutomesco Hello, any more details?
I'm using this credential offer request for example:
{
  "credential_issuer": "https://trial.authlete.net",
  "credential_configuration_ids": [
    "IdentityCredential"
  ],
  "grants": {
    "authorization_code": {
      "issuer_state": "Iea0HXXDWjTcizBCY4M-SwHK7m1GiqQFHXIa3zSOqdo"
    }
  }
}
openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Ftrial.authlete.net%22%2C%22credential_configuration_ids%22%3A%5B%22IdentityCredential%22%5D%2C%22grants%22%3A%7B%22authorization_code%22%3A%7B%22issuer_state%22%3A%22Iea0HXXDWjTcizBCY4M-SwHK7m1GiqQFHXIa3zSOqdo%22%7D%7D%7D
The wallet raises an error saying: Something went wrong, please try again later.
@edutomesco Authlete APIs have a couple of strict requirements. Check what client authentication method they use, and whether the redirect_uri must be registered. We did an interop test with Authlete in May this year and it was OK, but many options had to be configured, in particular a client_id value, and the redirect_uri had to be registered.
You may also need to access our wallet provider backend if advanced options are required.
Check also this doc: https://doc.wallet-provider.io/wallet/issuer_configuration#authlete-issuer-integration
But I would like to know what exactly is raising the error. Because I don't see the wallet call any endpoint from the issuer, any .well-known. So what makes the wallet throw the error?
Do you have the QR code? Do you have access to the https://trial.authlete.net server console?
Here you have the QR code. And I do not have access to the server console, I'm just using the test guide.
OK. The wallet supports different types of VC and protocols. When you download the wallet, the profile is set up by default for VC format ldp_vc and OIDC4VCI Draft 11. Authlete supports sd-jwt VC with OIDC4VCI Draft 13. So scan this QR code to get a better config: https://wallet-provider.talao.co/configuration/webpage?login=guest@authlete&password=guest&wallet-provider=https://wallet-provider.talao.co
But it will not be enough: for the authorization code flow, you will also need to tune the APIs, as you will possibly have to register the redirect_uri of the wallets: https://app.talao.co/app/download/callback or "https://app.altme.io/app/download/callback"
Actually I'm using my own issuer, so I'm issuing the format ldp_vc for Draft 13, and I already customized the wallet profile. I shared the QR code.
The problem here is that I don't know when the wallet raises the error, because I do not receive any request on the issuer side, so I'm debugging that!
So, no more Authlete. There is a developer mode option: the wallet first checks the credential-issuer-configuration and oauth-authorization-server endpoints; both data are available in the Display popup in developer mode.
You will need to set up the wallet by choosing a custom profile and set the parameters in the OIDC4VC settings menu to get ldp_vc and Draft 13, or you can choose the profile DIIP V3.0 in the profile list.
For ldp_vc you will need to add @context in the issuer metadata. "vct" is not used for the ldp_vc format.
As you have 2 different code flows proposed in the offer, the wallet will choose the pre-authorized code flow.
Here is an example of an issuer configuration for ldp_vc with Draft 13: https://talao.co/sandbox/issuer/test_5
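An added debugging aid, not code from the wallet or from anyone in this thread: it decodes a by-value credential offer URI, reports which flow the offer leads to (using the preference for pre-authorized code stated above), and lists the metadata URLs to look for in the issuer's access log. The function names are hypothetical, and the second URL assumes the credential issuer is its own authorization server.

```python
import json
from urllib.parse import parse_qs, urlsplit

PRE_AUTH = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

# The offer URI posted earlier in this thread.
OFFER_URI = (
    "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https"
    "%3A%2F%2Ftrial.authlete.net%22%2C%22credential_configuration_ids%22%3A%5B%22"
    "IdentityCredential%22%5D%2C%22grants%22%3A%7B%22authorization_code%22%3A%7B%22"
    "issuer_state%22%3A%22Iea0HXXDWjTcizBCY4M-SwHK7m1GiqQFHXIa3zSOqdo%22%7D%7D%7D"
)

def parse_offer(uri):
    """Decode an offer passed by value in the credential_offer parameter."""
    parts = urlsplit(uri)
    if parts.scheme != "openid-credential-offer":
        raise ValueError("unexpected scheme: " + parts.scheme)
    values = parse_qs(parts.query).get("credential_offer")
    if not values:
        raise ValueError("no inline credential_offer parameter")
    return json.loads(values[0])

def debug_plan(offer):
    """Work out which flow applies and which metadata URLs the issuer should see."""
    issuer = offer["credential_issuer"].rstrip("/")
    parts = urlsplit(issuer)
    grants = offer.get("grants", {})
    # Per the thread, the wallet picks pre-authorized code when both are offered.
    if PRE_AUTH in grants:
        flow = "pre-authorized_code"
    elif "authorization_code" in grants:
        flow = "authorization_code"
    else:
        flow = None
    origin = f"{parts.scheme}://{parts.netloc}"
    return {
        "flow": flow,
        "configurations": offer.get("credential_configuration_ids", []),
        "expect_requests": [
            # Draft 13: suffix appended to the Credential Issuer Identifier.
            issuer + "/.well-known/openid-credential-issuer",
            # RFC 8414 placement: well-known segment between host and path.
            origin + "/.well-known/oauth-authorization-server" + parts.path,
        ],
        "warnings": [] if parts.scheme == "https" else ["credential_issuer is not https"],
    }

if __name__ == "__main__":
    print(json.dumps(debug_plan(parse_offer(OFFER_URI)), indent=2))
```

If neither URL shows up in the issuer's log after a scan, the failure is on the wallet side before any network call, which matches checking the developer-mode popup first.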
But I'm debugging the wallet and I didn't see it call the .well-known/oauth-authorization-server endpoint. I've already set all the wallet configuration as you said.
About this: for ldp_vc you will need to add @context in the issuer metadata. "vct" is not used for ldp_vc format. You are saying in the /oidc/token response, right?
Do you have an example for issuing with authorization code?
The wallet calls the 2 endpoints and displays the VC for consent. You should see the call at minimum to the credential-issuer configuration. It works on my side as I see the VC displayed.
In the issuer metadata the wallet will look for the @context and type to build its credential request.
Yes, there are several authorization code flows here: https://talao.co/issuer/oidc/test
Yes! For me the VC is displayed too! But it is after that, when continuing, that it gives the error. And I don't see it call any endpoint.
We need a fresh QR code, or the issuer link, to do some testing.
Here:
The request
The answer
{"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist. data not found"}
Talao iOS 2.16.3 with Safari
The problem is probably due to a specific client authentication method expected by the OAuth server. In that config the wallet only provides a client_id, which is its own DID. So it is a public client. The server should not expect any authentication.
Right, perfect, I'll check on my own!
I will just use this thread to comment on another error I'm facing, which occurs when the wallet inserts the credential. I'm getting this credential response:
[
  {
    "c_nonce": "39vTi8kDzglcFpcES0B2",
    "c_nonce_expires_in": 300,
    "credential": {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://trustbloc.github.io/context/vc/examples-crude-product-v1.jsonld",
        "https://w3id.org/vc-revocation-list-2020/v1",
        "https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json"
      ],
      "credentialStatus": {
        "id": "urn:uuid:8c45e867-1fc0-42ca-874a-c53807b0ff15",
        "revocationListCredential": "http://localhost:3000/issuer/groups/c4272256-68fb-4af5-9df3-20d118ec1734/credentials/status/3ddf80c0-a06b-4efc-ae65-a8bbf3996505",
        "revocationListIndex": "1605",
        "type": "RevocationList2020Status"
      },
      "credentialSubject": {
        "category": "crude oil",
        "id": "did:key:z6MkgWBoRohfYQMs2rvmpBmmvMkJQPeH43ZkCAKBouB33i8v",
        "name": "Crude Oil Name"
      },
      "description": "credential test issuer 1",
      "expirationDate": "2025-11-04T15:34:18.433207Z",
      "id": "urn:uuid:ea560266-5881-4920-8c3c-7efbec51102d",
      "issuanceDate": "2024-11-04T16:34:37.066855+01:00",
      "issuer": {
        "id": "did:key:zDnaesSAxqHzavZ1R2h1U1QDWPBjULf7CgLccppg4U6Bc2sYA",
        "name": "i_myprofile_cmtr_p256_ldp"
      },
      "name": "Credential Test Issuer 1",
      "proof": {
        "created": "2024-11-04T16:34:37.085383+01:00",
        "jws": "eyJhbGciOiJFUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEUCIQC9Sjkm33i5nUEOrV8ArgepkKwlnk-Z5HijOHKdLsA2yAIgfwEargR9db8_wzeMNIXw3BxsOc5P3vFu_i2IE5YB8_U",
        "proofPurpose": "authentication",
        "type": "JsonWebSignature2020",
        "verificationMethod": "did:key:zDnaesSAxqHzavZ1R2h1U1QDWPBjULf7CgLccppg4U6Bc2sYA#zDnaesSAxqHzavZ1R2h1U1QDWPBjULf7CgLccppg4U6Bc2sYA"
      },
      "type": [
        "VerifiableCredential",
        "CrudeProductCredential"
      ]
    },
    "format": "ldp_vc",
    "notification_id": "1e1c08b4-e9be-4385-b1c8-35c7f570a5e8_d41e9a09"
  }
]
The wallet is saying: This format is not supported: Some issue in the response from the server.
There are three more issues due to the inherent complexity of the linked data proof format:
1. For privacy reasons the wallet does not support remote loading of @context, so you have to replace "https://trustbloc.github.io/context/vc/examples-crude-product-v1.jsonld" with the claims and their definitions you need precisely. The other 3 contexts are embedded in the wallet:
   "https://www.w3.org/2018/credentials/v1",
   "https://w3id.org/vc-revocation-list-2020/v1",
   "https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json"
   and so there is no remote access needed.
2. $.credential.description is not in the specs of a W3C VC. You should move it inside the credentialSubject object and add an element in the @context to describe it ("description": "https://schema.org/description")... Same for $.credential.name.
3. The object:
   "issuer": {
     "id": "did:key:zDnaesSAxqHzavZ1R2h1U1QDWPBjULf7CgLccppg4U6Bc2sYA",
     "name": "i_myprofile_cmtr_p256_ldp"
   }
   is not supported as the "name" is self-declared. So you can replace it with "issuer": "did:key:zDnaesSAxqHzavZ1R2h1U1QDWPBjULf7CgLccppg4U6Bc2sYA",
Another option would be to use the format jwt_vc_json, which is less complex, or even jwt_vc_json-ld.
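The three points above, turned into a pre-issuance check. This is an added example, not code from the wallet or from the thread's participants. `lint_ldp_vc` and its finding codes are hypothetical names, the embedded-context list is limited to the three URLs named above, and the "needs-inline-definition" finding is a heuristic that will over-report terms an embedded context already defines.

```python
# Contexts the thread names as embedded in the wallet (it may embed others).
EMBEDDED = {
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/vc-revocation-list-2020/v1",
    "https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def inline_terms(entries):
    """Terms defined by inline context objects, including type-scoped ones."""
    terms = set()
    for entry in entries:
        if isinstance(entry, dict):
            for key, value in entry.items():
                if not key.startswith("@"):
                    terms.add(key)
                if isinstance(value, dict) and isinstance(value.get("@context"), dict):
                    terms |= inline_terms([value["@context"]])
    return terms

def lint_ldp_vc(vc):
    """Return (code, detail) findings for the three points raised in the thread."""
    ctx = as_list(vc.get("@context", []))
    findings = [("remote-context", c) for c in ctx
                if isinstance(c, str) and c not in EMBEDDED]
    # Heuristic: with no remote loading, custom types and claims need inline definitions.
    subject = vc.get("credentialSubject", {})
    used = [t for t in as_list(vc.get("type", [])) if t != "VerifiableCredential"]
    used += [k for k in subject if k not in ("id", "type")] if isinstance(subject, dict) else []
    defined = inline_terms(ctx)
    findings += [("needs-inline-definition", t) for t in used if t not in defined]
    findings += [("top-level-claim", k) for k in ("name", "description") if k in vc]
    if isinstance(vc.get("issuer"), dict):
        findings.append(("issuer-object", vc["issuer"].get("id", "")))
    return findings

# Trimmed from the credential response quoted in the thread (status and proof omitted).
SAMPLE = {
    "@context": ["https://www.w3.org/2018/credentials/v1",
                 "https://trustbloc.github.io/context/vc/examples-crude-product-v1.jsonld"],
    "type": ["VerifiableCredential", "CrudeProductCredential"],
    "issuer": {"id": "did:key:zDnaesSAxqHzavZ1R2h1U1QDWPBjULf7CgLccppg4U6Bc2sYA",
               "name": "i_myprofile_cmtr_p256_ldp"},
    "name": "Credential Test Issuer 1", "description": "credential test issuer 1",
    "credentialSubject": {"id": "did:key:z6MkgWBoRohfYQMs2rvmpBmmvMkJQPeH43ZkCAKBouB33i8v",
                          "category": "crude oil", "name": "Crude Oil Name"},
}
```

Run it on the credential before it is signed: the linked data proof covers the document, so any of these fixes applied after signing invalidates the proof.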
Thanks, but about point number 2: I think the W3C VC name and description attributes are accepted. https://www.w3.org/TR/vc-data-model-2.0/#names-and-descriptions
Also it should accept the extended issuer property as indicated: https://www.w3.org/TR/vc-data-model-2.0/#example-expanded-use-of-the-issuer-property
What do you think?
You are right, but the wallet does not support VCDM 2.0 for ldp_vc and the issuer object. The main reason is that we use an external lib which does not support it.
Sorry, but if the wallet does not accept remote @context, what is the alternative? Because at my end I need to control my credential schema with the JSON-LD context. Is there any way to register these contexts in the wallet?
You can integrate the description of the context in the VC itself. Below is an example,
a very basic one:
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    {
      "schema": "https://schema.org/",
      "givenName": "schema:givenName",
      "familyName": "schema:familyName",
      "nationality": "schema:nationality",
      "yearOfBirth": "schema:number",
      "LinkedinCard": "https://github.com/TalaoDAO/context#linkedincard"
    }
  ],
  "type": ["VerifiableCredential", "LinkedinCard"],
  "issuer": "",
  "issuanceDate": "",
  "credentialSubject": {
    "type": "LinkedinCard",
    "givenName": "",
    "familyName": "",
    "nationality": "",
    "yearOfBirth": ""
  }
}
Another one, more structured:
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    {
      "EmailPass": {
        "@id": "https://github.com/TalaoDAO/context#emailpass",
        "@context": {
          "@version": 1.1,
          "@protected": true,
          "schema": "https://schema.org/",
          "id": "@id",
          "type": "@type",
          "email": "schema:email"
        }
      }
    }
  ],
  "id": "",
  "type": ["VerifiableCredential", "EmailPass"],
  "issuer": "",
  "issuanceDate": "",
  "credentialSubject": {
    "type": "EmailPass",
    "email": "john.doe@gmail.com"
  }
}
Is there any option to make the wallet read from remote contexts then?
No, because the lib we use (didkit) does not accept remote loading. The best option, apart from an embedded @context, is to change the format and take jwt_vc_json or jwt_vc_json-ld.
I'm having this error every time I issue a credential with the authorization code flow. Do you know if the authorization code flow is working?
Wallet alert: Something went wrong, please try again later.