bcgov / vc-authn-oidc

Apache License 2.0
144 stars 74 forks source link
citz hyperledger hyperledger-indy trust-over-ip verifiable-credentials verifiable-organizations-network verifiable-origins von

img License

unit-tests Coverage Status

Verifiable Credential Authentication with OpenID Connect (VC-AuthN OIDC)

Verifiable Credential Identity Provider for OpenID Connect.

See here for background into how this integration is defined.

For configuration instructions, refer to the configuration guide.

Make sure to read the best practices to be used when protecting a web application using vc-authn-oidc.

If you are upgrading from a previous release, take a look at the migration guide.

Pre-requisites

Configuring Ngrok

Each developer must apply for an Ngrok token here. Then place the token into the .env-dev file within the docker directory.

NGROK_AUTHTOKEN=<your token here>

Running VC-AuthN

Open a shell in the docker folder and run the following commands:

A list of all available commands is visible by executing ./manage -h.

The project is set-up to run without needing any external dependencies by default, using a standalone agent in read-only that will target the ledgers specified in ledgers.yaml.

Using VC-AuthN

To use VC-AuthN for development and/or demo purposes, a pre-configured demo app is provided in the demo/vue folder. To start it, execute docker compose up from within the demo/vue folder.

In order to use the VC OIDC authentication, a couple of extra steps are required:

curl -X 'POST' \
  'http://localhost:5000/ver_configs/' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "ver_config_id": "showcase-person",
  "subject_identifier": "",
  "generate_consistent_identifier": true,
  "proof_request": {
    "name": "BC Wallet Showcase Person",
    "version": "1.0",
    "requested_attributes": [

      {
        "names": ["given_names", "family_name", "country"],
        "restrictions": [
          {
              "schema_name": "Person",
              "issuer_did": "QEquAHkM35w4XVT3Ku5yat"
          },
          {
              "schema_name": "Person",
              "issuer_did": "RGjWbW1eycP7FrMf4QJvX8"
          }
        ]
      }
    ],
    "requested_predicates": []
  }
}'
curl -X 'POST' \
  'http://localhost:5000/clients/' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "keycloak",
  "client_name": "keycloak",
  "client_secret": "**********",
  "response_types": [
    "code",
    "id_token",
    "token"
  ],
  "token_endpoint_auth_method": "client_secret_basic",
  "redirect_uris": [
    "http://localhost:8880/auth/realms/vc-authn/broker/vc-authn/endpoint"
  ]
}'

After all these steps have been completed, you should be able to authenticate with the demo application using the "Verified Credential Access" option.

Debugging

To connect a debugger to the vc-authn controller service, start the project using DEBUGGER=true ./manage start and then launch the debugger, it should connect automatically to the container.

This is a sample debugger launch configuration for VSCode that can be used by adding it to launch.json, it assumes a .venv folder containing the virtual environment was created in the repository root:

{
  "version": "0.1.1",
  "configurations": [
    {
      "name": "Python: Debug VC-AuthN Controller",
      "type": "python",
      "request": "attach",
      "port": 5678,
      "host": "localhost",
      "pathMappings": [
        {
          "localRoot": "${workspaceFolder}/oidc-controller",
          "remoteRoot": "/app"
        },
        {
          "localRoot": "${workspaceFolder}/.venv/Lib/site-packages",
          "remoteRoot": "/usr/local/lib/python3.12/site-packages"
        }
      ],
      "justMyCode": false
    }
  ]
}