eu-digital-identity-wallet / eudi-srv-web-verifier-endpoint-23220-4-kt

Web application (Backend Restful service) that acts as a Verifier/RP trusted end-point.
Apache License 2.0

Presentation Definition for credential without attributes #171

Closed dariocast closed 3 months ago

dariocast commented 3 months ago

Hi, I haven't found a way to ask for a full credential without specifying fields. For example the following presentation works:

"presentation_definition": {
        "id": "32f54163-7166-48f1-93d8-ff217bdb0653",
        "input_descriptors": [
            {
                "constraints": {
                    "fields": [
                        {
                            "intent_to_retain": false,
                            "path": [
                                "$['eu.europa.ec.eudiw.pid.1']['family_name']"
                            ]
                        }
                    ]
                },
                "id": "eu.europa.ec.eudiw.pid.1",
                "format": {
                  "mso_mdoc": {
                    "alg": [
                      "ES256",
                      "ES384",
                      "ES512",
                      "EdDSA"
                    ]
                  }
                },
                "name": "EUDI PID",
                "purpose": "We need to verify your identity"
            }
        ]
    },

But this one does not:

"presentation_definition": {
        "id": "32f54163-7166-48f1-93d8-ff217bdb0653",
        "input_descriptors": [
            {
                "constraints": {
                    "fields": [
                        {
                            "intent_to_retain": false,
                            "path": [
                                "$.type"
                            ],
                            "filter": {
                                "type": "string",
                                "const": "eu.europa.ec.eudiw.pid.1"
                            }
                        }
                    ]
                },
                "id": "eu.europa.ec.eudiw.pid.1",
                "format": {
                    "mso_mdoc": {
                        "alg": [
                            "ES256",
                            "ES384",
                            "ES512",
                            "EdDSA"
                        ]
                    }
                },
                "name": "EUDI PID",
                "purpose": "We need to verify your identity"
            }
        ]
    },

In the example above I tried using a common way to describe an input descriptor, but that doesn't work, nor does any other test I tried.

To summarize, I am asking if there is a way to set the path to just ask for the credential type without any other fields.

babisRoutis commented 3 months ago

Dear @dariocast

Presentation Exchange has many shortcomings, and that's why there is an ongoing effort in the openId4vp spec to replace it with a format-specific query language.

Anyway, returning to Presentation Exchange, there are some "conventions" used when describing a presentation definition for the mso_mdoc format. Please check here.

Your 2nd example doesn't follow the conventions mentioned above ("path": ["$.type"]).

I haven't checked with the wallet, but I think that something like the example below should work:

{
  "id": "pid-request",
  "input_descriptors": [
    {
      "id": "eu.europa.ec.eudiw.pid.1",
      "format": {
        "mso_mdoc": {
          "alg": [ "ES256"]
        }
      },
      "name": "EUDI PID",
      "purpose": "We need to verify your identity",
      "constraints": {
          "limit_disclosure":"preferred"
      }
    }
  ]
}
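
The structural checks behind this advice, as an added Python example (not code from this repository or from either commenter): it flags field paths that do not follow the mso_mdoc `$['namespace']['element']` convention, and descriptors that have no fields and no limit_disclosure. The regex and the sample definitions are constructed here from the three definitions in this thread; the rule "no fields requires limit_disclosure" is an assumption based on the answer above.

```python
import json
import re

# Convention for mso_mdoc from the thread: field paths look like "$['<namespace>']['<data element>']".
MDOC_PATH = re.compile(r"^\$\['[^']+'\]\['[^']+'\]$")


def check_mdoc_descriptor(descriptor: dict) -> list:
    """Return the convention violations found in one mso_mdoc input descriptor (empty list = OK)."""
    problems = []
    alg = descriptor.get("format", {}).get("mso_mdoc", {}).get("alg")
    if not alg:
        problems.append("format.mso_mdoc.alg is missing or empty")
    constraints = descriptor.get("constraints", {})
    fields = constraints.get("fields", [])
    # Assumption: a descriptor without fields only selects a credential when limit_disclosure is set.
    if not fields and constraints.get("limit_disclosure") not in ("preferred", "required"):
        problems.append("no constraints.fields and no constraints.limit_disclosure")
    for i, field in enumerate(fields):
        for path in field.get("path", []):
            if not MDOC_PATH.match(path):
                problems.append(f"fields[{i}].path {path!r} is not of the form $['namespace']['element']")
    return problems


def check_presentation_definition(pd_json: str) -> dict:
    """Map each input descriptor id to its list of problems."""
    pd = json.loads(pd_json)
    return {d["id"]: check_mdoc_descriptor(d) for d in pd["input_descriptors"]}


# Constructed samples condensed from the three definitions in the thread.
FORMAT = {"mso_mdoc": {"alg": ["ES256"]}}
WORKING = json.dumps({"id": "pd-1", "input_descriptors": [{"id": "eu.europa.ec.eudiw.pid.1", "format": FORMAT,
    "constraints": {"fields": [{"intent_to_retain": False, "path": ["$['eu.europa.ec.eudiw.pid.1']['family_name']"]}]}}]})
DOT_TYPE = json.dumps({"id": "pd-2", "input_descriptors": [{"id": "eu.europa.ec.eudiw.pid.1", "format": FORMAT,
    "constraints": {"fields": [{"path": ["$.type"], "filter": {"type": "string", "const": "eu.europa.ec.eudiw.pid.1"}}]}}]})
NO_FIELDS = json.dumps({"id": "pd-3", "input_descriptors": [{"id": "eu.europa.ec.eudiw.pid.1", "format": FORMAT,
    "constraints": {"limit_disclosure": "preferred"}}]})

if __name__ == "__main__":
    for name, pd in (("working", WORKING), ("$.type", DOT_TYPE), ("no fields", NO_FIELDS)):
        print(name, check_presentation_definition(pd))
```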

dariocast commented 3 months ago

Hi, thank you for your reply. I read the references and I understood the mechanism behind the usage of the limit_disclosure attribute. By the way, the example you provided doesn't work with the implementation of this repository. I mean, if I try to send that inside the properly created request body to the endpoint /ui/presentations I still receive an error. I use the built version of this repository at https://verifier-backend.eudiw.dev

EDIT: I correctly tested the example with the verifier and it creates the QR code. The wallet instead is not able to read the presentation correctly (it says that I do not have a credential to fulfil the request; the only difference from a working example is the presence or absence of the fields part).

dariocast commented 3 months ago

That said, I think that this issue cannot be addressed to the verifier anymore and can be closed.

babisRoutis commented 3 months ago

Dear @dariocast

I really appreciate the feedback.

Perhaps, it is not clear from the README, but so far the focus of the verifier-endpoint was on the openId4vp interactions (with the wallet). This has some pros & cons:

Positive:

Negative:

Frankly, given the plans of the openid4vp WG to replace Presentation Exchange with a format-specific and certainly more constrained query language, I think that perhaps it isn't worth continuing to improve Presentation Definition processing. Yet that's my personal opinion.

PS: You can quickly check the structural checks for the Presentation Definition using this:

// The Presentation Definition as a JSON string (put the definition to check in place of "...")
val pd: String = "..."
// Parses and structurally validates the definition; throws on the first problem found
PresentationExchange.jsonParser.decodePresentationDefinition(pd).getOrThrow()