idpass / inji

MIT License

Revoke VID #210

Open kneckinator opened 2 years ago

kneckinator commented 2 years ago

When viewing a VC, there should be a button to revoke the VID that was used to generate the VC. It should not be possible to revoke a UIN. Technically, revoking the VID will perform a call to a MOSIP API endpoint https://docs.mosip.io/1.1.5/apis/resident-service-apis#patch-resident-v1-vid-vid <-- this might no longer be correct. See https://github.com/mosip/inji/issues/50#issuecomment-1196715775

The revocation request requires an OTP, just like the auth factor lock/unlock.

~The revocation status is updated asynchronously and there may be a requirement to check for/get notified about revocation status updates.~

kneckinator commented 2 years ago

From discussions, it should be noted that the revocation only applies to VID:s and that it only affects future use of the VID as a source for generating a VC.

Thus, it will be possible to revoke a VID by opening any VC derived from it and selecting "revoke". This means that it should not be possible to request a revoke from within a VC that is derived from a UIN. As existing VC:s will not be affected by the revocation, the requirement to check for a revocation status update does not apply.

kneckinator commented 2 years ago

Updating title and description.

danicaerediano commented 2 years ago

@kneckinator do we have a design for it? or we could do it like lock/unlock?

kneckinator commented 2 years ago

@danicaerediano we can do it like lock/unlock. @walidkhouryNL to confirm.

rakhimosip commented 2 years ago

Open question: How does the app differentiate the VC derived using UIN from VID?

kneckinator commented 2 years ago

@rakhimosip this can be done through the id in the VC. If the id suffix is the UIN, the VC is derived from the UIN. If not, it is derived from the VID.

This can be crosschecked through the UIN property.

[image: uin_vid]

kneckinator commented 2 years ago

@kyanthony if it is not yet done, can you please raise a ticket in the mimoto repository to create the usual proxy-functionality that inji can use?

Cc: @uocnb

rakhimosip commented 2 years ago

@kneckinator I have summarised the discussion on 10 Aug below. Please review. Post that we can update the content of this ticket.

Assumption: The credential/VC will only have one ID attribute (UIN or VID) at a time.

Mimoto should have the ability to identify the ID attribute in VC and deduce if it contains a UIN or a VID value. For now, we can hardcode the attribute name in Mimoto. In the next phase when we use templates to map VC attributes this logic will need to be revisited.

How will the Mimoto identify if the ID value is UIN or VID? A list of active VIDs for an individual will be available (hardcoded list for now, later replaced with API call). If the ID value is present in this list then it's a VID. This logic will only work when applied on a VC that is newly downloaded from the platform.

Feature details: An option to revoke VIDs will be given in the profile section of the app. This will provide a list of active VIDs for a resident after UIN/VID + OTP auth or OIDC token auth.

The resident can revoke a VID by selecting that option in the UI and providing OTP. Before revoking the user should be prompted about the impact of revoking the VID with a message like "Your wallet contains a credential with VID 123**89. Revoking this will automatically remove the same from the wallet. Are you sure you want to proceed?"

On successful revocation, a message will be displayed to the user. "VID 123**89 has been revoked. Any credential containing the same will be removed automatically from the wallet". A log for the same will be available in the Transaction History section of the app.

A revoke request failure should display a message indicating the same and not alter the state of the app. A log for the same will be available in the Transaction History section of the app.

If a credential contains VID as ID, then an option to revoke it will be provided when the resident views the credential details.

Figma prototype: https://www.figma.com/proto/bPxcgne8PfGynuuNuIQU5o/Inji-App?page-id=3063%3A45661&node-id=3097%3A48303&viewport=767%2C-1647%2C0.35&scaling=scale-down&starting-point-node-id=3097%3A48303&show-proto-sidebar=1

Given here are the designs for both options. You’ll find two pages in the prototype (check the top left corner side panel to find the two pages):

Option 1: Revoke VID from profile page

Option 2: Revoke single VC from a single VC view

Impact of revoking a VID:

Is there a need to display revoked VIDs in the app? NOT Required

This feature will NOT be supported in 1.1.5 version of platform.

danicaerediano commented 2 years ago

[image]

rakhimosip commented 2 years ago

@danicaerediano The overlay/popup looks fine. But why is it displayed on top of a detail view?

jannahadlaon commented 2 years ago

Tested on build: MOCKMOTO_io.mosip.residentapp-0.4.0-rc2-newlogic_20220921_1801

Server: Mock server

Observations:

  1. Did not require OTP when clicking on Revoke VID in the Profile section (OIDC placeholder for the meantime)
  2. Did not require OTP after selecting and revoking VID (OIDC placeholder for the meantime)
  3. The toast before revoking the VID should be: Your wallet contains a credential with VID 123**89. Revoking this will automatically remove the same from the wallet. Are you sure you want to proceed?
  4. Successful revocation should display: VID 123**89 has been revoked. Any credential containing the same will be removed automatically from the wallet
  5. VID is still in "My ID" after it has been revoked
  6. You should not be able to download credentials using the revoked VID (was able to download credentials using the revoked VID during testing)
  7. Revoke per individual VC is still not working. Instead of revoking, it LOCKS/ UNLOCKS the ID

Assigned back to dev.

Screenshots

https://user-images.githubusercontent.com/102940764/191943318-d7f98f8e-3d19-4d71-bd84-833c206c8a14.mp4

https://user-images.githubusercontent.com/102940764/191943346-4d9c58a4-9b50-401b-94b7-31a000bbcaf6.mp4

jannahadlaon commented 2 years ago

Tested on: [MOCKMOTO_io.mosip.residentapp-0.4.0-rc2-newlogic_20220921_1801.apk]

Resident app build: v0.4.0 R3 (android)

MOSIP server: Mockmoto

Devices: Samsung Galaxy A23

Observations

  1. Whenever I download 2 VIDs that are the same, then download the 3rd VID which is different from the previous two, a duplicate of the first 2 VID is also downloaded.
  2. The downloaded VIDs are not accurately shown in the History
  3. In iOS, downloading VID gets you stuck in Requesting credential...
  4. VIDs can be downloaded even if the type you selected is UIN
  5. Bulk revoking a VID does not delete all VID with the same ID number in My IDs
  6. As of now, Bulk Revoking VID and Individually Revoking VID have the same function. Described below...

Bulk Revoke VID - Go to profile and select VIDs to revoke. VIDs with the same ID number in that list will be ticked if selected. Once revoked, all of the selected VID with the same ID number should not be in My IDs.

Individual Revoke VID - Go to My IDs and select a VID. Click the kebab menu on the upper right corner and select Revoke. Revoking this ID will also revoke all the VIDs with the same ID number.

Expected Results:

  1. No duplicate VID should be downloaded when uploading a VID
  2. History should log the downloads correctly
  3. The app should not get stuck on Requesting credential... when downloading VID - for iOS
  4. You should not be able to download a VID if the type of ID selected is UIN
  5. Bulk revoking a VID should delete all VID with the same ID number in My IDs
  6. Bulk Revoke VID should delete all selected VIDs (multiple revocation) while Individual Revoke VID revokes that specific VID

ASSIGNED BACK TO DEV @danicaerediano @pmigueld @kyanthony

jannahadlaon commented 2 years ago

Tested on: MOCK_io.mosip.residentapp-0.4.0-rc3-17-5f7c994-develop-temp-dirty-newlogic_20221003_0914.apk

Resident app build: v0.4.0 R3-17-5f7c994 (android)

MOSIP server: Mockmoto

Device: Samsung Galaxy A23

Observations

  1. Generating VC with same VID is not correctly displayed in History. Only one download is displayed instead of two.
  2. When 2 or more identical VID are downloaded, only one version is displayed in the list of VIDs in Revoke VID
  3. Individually Revoking VID still has the same function with Bulk revoke VID
  4. Using 'Bulk revoke VID' when there is only one VID in My IDs does not revoke the VID.
  5. Renaming a VID and then revoking that VID will retain the nametag once that VID is downloaded again.

STEPS TO REPLICATE OBSERVATIONS

Observation 1

  1. Generate VID, verify that it is displayed under My IDs
  2. Generate the same VID, verify that both VC are displayed under My IDs with same data
  3. Go to History
  4. See error

Observation 2

  1. Generate VID, verify that it is displayed under My IDs
  2. Generate the same VID, verify that both VC are displayed under My IDs with same data
  3. Go to Profile then click on Revoke VID
  4. See error

Observation 3

  1. Generate VID, verify that it is displayed under My IDs
  2. Generate the same VID, verify that both VC are displayed under My IDs with same data
  3. Rename one of the VID
  4. Go back to My IDs
  5. Enter on the unnamed VID
  6. Revoke the VID
  7. See error - both VIDs in My IDs are revoked instead of just one

Observation 4

  1. Generate 2 different VIDs, verify that it is displayed under My IDs
  2. Go to My IDs then click on first VID
  3. Revoke the VID - verify that it has been successfully revoked
  4. Go to Profile then select the remaining VID
  5. Revoke the VID
  6. Go to My IDs
  7. See error - VID is still in My IDs

Observation 5

  1. Generate VID, verify that it is displayed under My IDs
  2. Rename the VID
  3. Revoke the VID
  4. Download the same VID
  5. See error - The VID is downloaded with a nametag

Expected Results

  1. All downloads should be displayed correctly in History
  2. All downloaded VIDs should be in the Revoke VID list
  3. Revoking an individual VID should only revoke that specific VID
  4. Bulk revoke VID should function even if only one VID is in My IDs
  5. When a revoked VID with nametag is downloaded again, the nametag shouldn't be kept.

ASSIGN BACK TO DEV @pmigueld @danicaerediano @kyanthony

danicaerediano commented 2 years ago

@jannahadlaon 2.) "When 2 or more identical VID are downloaded, only one version is displayed in the list of VIDs in Revoke VID"

Since we are revoking all VIDs that have the same number, it is only right we display them uniquely. Bulk Revoke is a feature to revoke multiple VIDs that may or may not have the same VID numbers.

3.) "Individually Revoking VID still has the same function with Bulk revoke VID"

It is only correct that we should revoke all VIDs that have the same number, since these VIDs are the same.
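
The behaviour the thread settles on up to this point (a VC is VID-derived when its id suffix is not the UIN, identical VID numbers are listed once and revoked together, and a failed request leaves the wallet unchanged), as an added example that is not Inji or Mimoto code. The field names `id`, `UIN` and `vcKey`, the "/" separator used to find the id suffix, and the sample wallet are assumptions.

```typescript
// Added example. Field names (id, UIN, vcKey), the "/" id separator and all
// sample values are assumptions, not taken from Inji or Mimoto.
type WalletVc = { vcKey: string; id: string; UIN: string };
type LogEntry = { action: string; vid: string; ok: boolean };
type WalletState = { vcs: WalletVc[]; log: LogEntry[] };

// ID the VC was generated from: the last "/"-separated segment of its id.
function sourceId(vc: WalletVc): string {
  return vc.id.slice(vc.id.lastIndexOf("/") + 1);
}

// VID-derived only if the suffix differs from the UIN property. A VC with no
// UIN to cross-check against is treated as UIN-derived, so it is never revocable.
function isVidDerived(vc: WalletVc): boolean {
  const suffix: string = sourceId(vc);
  return vc.UIN !== "" && suffix !== "" && suffix !== vc.UIN;
}

// One entry per VID number, however many VCs were generated from it.
function revocableVids(state: WalletState): string[] {
  const vids: string[] = state.vcs.filter(isVidDerived).map(sourceId);
  return vids.filter((v: string, i: number) => vids.indexOf(v) === i);
}

// Applies the outcome of a revoke request (already OTP-authorised) to the wallet.
// Success removes every VC generated from a revoked VID; failure keeps the VCs.
// Both outcomes are logged. IDs that are not revocable VIDs are ignored.
function applyRevokeResult(state: WalletState, requested: string[], ok: boolean): WalletState {
  const allowed: string[] = revocableVids(state);
  const vids: string[] = requested.filter((v: string) => allowed.indexOf(v) !== -1);
  const entries: LogEntry[] = vids.map((vid: string): LogEntry => ({ action: "revoke", vid: vid, ok: ok }));
  const kept: WalletVc[] = ok
    ? state.vcs.filter((vc: WalletVc) => !(isVidDerived(vc) && vids.indexOf(sourceId(vc)) !== -1))
    : state.vcs;
  return { vcs: kept, log: state.log.concat(entries) };
}

// Constructed wallet: two VCs from the same VID, one from another VID, one from the UIN.
const SAMPLE_WALLET: WalletState = {
  vcs: [
    { vcKey: "vc-1", id: "https://issuer.example/credentials/9000000001", UIN: "1000000001" },
    { vcKey: "vc-2", id: "https://issuer.example/credentials/9000000001", UIN: "1000000001" },
    { vcKey: "vc-3", id: "https://issuer.example/credentials/9000000002", UIN: "1000000001" },
    { vcKey: "vc-4", id: "https://issuer.example/credentials/1000000001", UIN: "1000000001" },
  ],
  log: [],
};
```
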

jannahadlaon commented 2 years ago

Thanks for the clarification @danicaerediano! I'll take a note of this in my future testing

danicaerediano commented 2 years ago

@jannahadlaon 1.) "Generating VC with same VID is not correctly displayed in History. Only one download is displayed instead of two."

5.) "Renaming a VID and then revoking that VID will retain the nametag once that VID is downloaded again."

This only happens since we are using the mock server, which makes the VCs have the exact same vcKey.

jannahadlaon commented 2 years ago

Tested on:

Android - MOCK_io.mosip.residentapp-0.4.0-rc6-newlogic_20221014_1757.apk

iOS - 0.4.0 (11.1)

MOSIP server: Mock

Devices: Samsung Galaxy A23, iPhone 11

WORKS AS EXPECTED for both android and iOS @pmigueld @danicaerediano @kyanthony

Additional notes

https://user-images.githubusercontent.com/102940764/196120670-68bad526-91c6-4259-9978-22bfa19fe517.MP4

danicaerediano commented 2 years ago

in bulk revoke, VIDs should come from the list of VIDs that can be requested via this API (and is available in QA4)