openwallet-foundation / acapy

ACA-Py is a foundation for building decentralized identity applications and services running in non-mobile environments.
https://aca-py.org
Apache License 2.0

credential-request message derived from OOB invitation failed. #2069

Closed kukgini closed 1 year ago

kukgini commented 1 year ago

I made an OOB invitation with the following procedure:

  1. /issue-credential/create-offer
  2. /out-of-band/create-invitation

In step 2, I put attachments like this:

"attachments": [{ "id": "<credential_exchange_id from step 1's response>", "type": "credential-offer" } ]

The created OOB invitation URL is like this:

When the holder agent accepts this invitation, it makes a credential-request message like this:

{"@type":"did:sov:BzCbsNYhMrjHiqZDTUASHg;spec/issue-credential/1.0/request-credential","@id":"92D217E6-F575-4112-9B5B-FBA2F9D4C2D1","~transport":{"return_route":"all"},"~thread":{"thid":"3747d7b3-d0c7-4fc3-81c7-9cadc16293cf"},"requests~attach":[{"@id":"libindy-cred-request-0","mime-type":"application/json","data":{"base64":"…

When aca-py received this credential-request message through the inbound port, it gave the following error:

acapy_1     | 2022-12-20 08:55:11,355 aries_cloudagent.core.conductor ERROR Exception in message handler:
acapy_1     | Traceback (most recent call last):
acapy_1     |   File "/home/indy/.pyenv/versions/3.6.13/lib/python3.6/asyncio/tasks.py", line 180, in _step
acapy_1     |     result = coro.send(None)
acapy_1     |   File "/home/indy/.pyenv/versions/3.6.13/lib/python3.6/site-packages/aries_cloudagent/core/dispatcher.py", line 209, in handle_message
acapy_1     |     await handler(context, responder)
acapy_1     |   File "/home/indy/.pyenv/versions/3.6.13/lib/python3.6/site-packages/aries_cloudagent/protocols/issue_credential/v1_0/handlers/credential_request_handler.py", line 58, in handle
acapy_1     |     context.message, context.connection_record, oob_record
acapy_1     |   File "/home/indy/.pyenv/versions/3.6.13/lib/python3.6/site-packages/aries_cloudagent/protocols/issue_credential/v1_0/manager.py", line 548, in receive_request
acapy_1     |     ) from None
acapy_1     | aries_cloudagent.protocols.issue_credential.v1_0.manager.CredentialManagerError: Indy issue credential format can't start from credential request

The cause of the error I inferred from the above error message is: the credential-offer created in step 1 is not related to any connection yet. However, it seems that when a credential-request comes in, aca-py tries to find the corresponding credential-exchange record based on connection, not thread, but cannot find it.

swcurran commented 1 year ago

AFAIK -- ACA-Py does not support connectionless credential issue. This has been talked about, but I don't think it has been implemented by anyone. AFAIK, only Aries Framework .NET supports connectionless issue.

andrewwhitehead commented 1 year ago

It seems like most of the parts are there. ACA-Py can receive an OOB message with a credential offer attached, and connect and send a credential request. The receive_request method (issue-credential 1.0) also has some special handling for OOB messages, but it looks like in this case the originating credential exchange can't be found when the request is being processed. I'm not sure at the moment if it's an issue with the thread ID on the credential request or if it's being filtered out because of the connection ID.

andrewwhitehead commented 1 year ago

The credential exchange would be created as a 'free offer', with no connection ID. So maybe the filter should just look for records with the same connection ID or an empty connection ID. Otherwise, we could add a method to assign the connection ID on the credential exchange (to match the OOB invitation connection record) but that seems more error prone.

kukgini commented 1 year ago

It turns out the holder agent missed pthid in the ~thread decorator when sending the credential-offer message. The related requirement is this. After fixing it, I'll test it again and close the issue.
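
As an added illustration (not part of the thread, and not ACA-Py or aries-framework-swift code): a Python sketch of the `~thread` decorator a holder sets when answering an offer attached to an OOB invitation, assuming per Aries RFC 0434 that `pthid` carries the invitation's `@id`, together with the issuer-side lookup suggested above that accepts a matching or empty connection ID. The record keys `thread_id` and `connection_id`, the function names and the sample ids are assumptions constructed for this example.

```python
# Added illustration; not ACA-Py or aries-framework-swift code.
import uuid

# Message type string as it appears in the request quoted in this issue.
REQUEST_TYPE = ("did:sov:BzCbsNYhMrjHiqZDTUASHg;spec/"
                "issue-credential/1.0/request-credential")

# Constructed sample data (ids are placeholders, not real records).
INVITATION = {"@id": "inv-0001"}
OFFER = {"@id": "offer-0001"}
FREE_OFFER = {"thread_id": "offer-0001", "connection_id": None}


def build_request(invitation: dict, offer: dict, attach: dict) -> dict:
    """Holder side: answer an offer that arrived attached to an OOB invitation."""
    # thid continues the offer's thread; pthid names the invitation that carried it.
    thid = offer.get("~thread", {}).get("thid") or offer["@id"]
    return {
        "@type": REQUEST_TYPE,
        "@id": str(uuid.uuid4()),
        "~thread": {"thid": thid, "pthid": invitation["@id"]},
        "requests~attach": [attach],
    }


def missing_pthid(request: dict) -> bool:
    """True when the request cannot be tied back to its OOB invitation."""
    return not request.get("~thread", {}).get("pthid")


def find_exchange(records: list, request: dict, connection_id: str):
    """Issuer side: match on thread id, accepting the requester's connection
    or a 'free offer' whose connection_id is still empty."""
    thid = request.get("~thread", {}).get("thid")
    for rec in records:  # hypothetical record shape, for this sketch only
        same_thread = rec["thread_id"] == thid
        if same_thread and rec["connection_id"] in (None, "", connection_id):
            return rec
    return None


if __name__ == "__main__":
    req = build_request(INVITATION, OFFER, {"@id": "libindy-cred-request-0"})
    print(req["~thread"], find_exchange([FREE_OFFER], req, "conn-A"))
```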

dinbtechit commented 1 year ago

@kukgini We ran into the same issue for OOB credential request. Curious, how did you include the pthid in ~thread on the holder, are you using bifold??

kukgini commented 1 year ago

@dinbtechit I have tried this with aries-framework-swift and fixed it now with this:

I heard that aries-framework-javascript, which is the base of bifold, has the same issue. See: