mattcollier
commented
1 month ago @tmarkovski Can you provide a copy of the YAML configuration you're using, of course redacting any secrets/URLs you don't want to expose?
Closed tmarkovski closed 3 weeks ago
mattcollier
commented
1 month ago @tmarkovski Can you provide a copy of the YAML configuration you're using, of course redacting any secrets/URLs you don't want to expose?
tmarkovski
commented
1 month ago Sure. Any keys are copied from the README, so nothing sensitive.
mattcollier
commented
1 month ago And to be clear, we're talking about the relyingParty definition that has a workflow.id of z1A32xJZGqBeAEcMq56avmw2L correct?
tmarkovski
commented
1 month ago Correct.
mattcollier
commented
1 month ago @tmarkovski would you be willing to remove the RPs that you're not using from the above example config and test with that to setup a minimum runnable example? Along with updating the config in your earlier post?
tmarkovski
commented
1 month ago Sure. Here's the latest update. This resulted in the same behavior.
Edit: I'm supplying the config through an env var, if that makes any difference. I can see that it picks up on changes.
config.yamlGET /context/login
deshmukhrajvardhan
commented
1 month ago @tmarkovski I was able to reproduce https://github.com/stateofca/opencred/issues/4#issuecomment-2145496704 Is https://trinsic.ngrok.io an RP that has implemented the diagram mentioned in the README? Also, how do you render the QR code and other data, does this repo have those tools are is it your custom implementation? Thanks for creating this issue.
tmarkovski
commented
1 month ago Thanks for looking into it @deshmukhrajvardhan I do not have a website that acts as an RP, I simply use ngrok (instead localtunnel from the README), so I can have publicly available service for the mobile app - I'm only trying to get the service running. However I do not think this is necessary to get a response from the wallet app.
This is how I crated my setup.
BEDROCK_CONFIG to base64 value of the config file abovenpm starttrinsictrinsic.ngrok.io/api-docsGET /context/login with the RP data configured in the configThe QR code is contained in the response of the GET /context/login request that I make. I understand the QR code is just an encoded URL of the data in the exchangeData.OID4VP field. I simply show this data in a browser. Once I scan it with the CA DMV wallet, I can see that the wallet makes two requests in my ngrok interface, as shown in my original comment.
When the mobile app calls /openid/client/authorization/request in the response of that there is another URL which points to /openid/client/authorization/response with the domain trinsic.ngrok.io.
I'm expecting the app to prepare and submit response at this URL. The app does not seem to process this part.
kezike
commented
1 month ago Hi @tmarkovski - what do you see when you visit https://trinsic.ngrok.io/login?client_id=rp1&redirect_uri=http%3A%2F%2Flocalhost%3A3000&state=whateveryouwant&scope=openid?
tmarkovski
commented
1 month ago I see the web app interface offering me to login using CHAPI or scan QR code. Scanning this QR code results in the same behavior.
kezike
commented
1 month ago Could you give more information on how you obtained your DL into your CA DMV wallet?
tmarkovski
commented
1 month ago My team members from CA that are helping me test will respond shortly.
Is this setup working for you @kezike ? I've also left my public bridge up, so you can try for yourself if you have a CA DL.
Additionally, is there a config file for development that you would recommend I try?
janpieterz
commented
1 month ago @kezike I basically went through the default onboarding flow the CA DMV app provides us. That is the CA DMV Wallet app (I know there are two). This video shows the onboarding process.
michaeldboyd
commented
1 month ago I also went through the default onboarding flow
ottonomy
commented
1 month ago @kezike I have now also reproduced a variation of this problem.
GET /workflows/default/exchanges/z1A8mxpEDhvNhWMVAYs15JUzQ 200 OK but nothing was displayed to me in the wallet.Next steps tomorrow include: getting access to the iOS error log by hooking the phone up to the computer to see if there are any more informative errors in there.
Using a relying party configured in combined.yaml like the following:
- name: Utopia DMV
clientId: "dmv"
clientSecret: "toosecrettopastehere"
description: "Utopia DMV"
icon: ""
backgroundImage: ""
brand:
cta: "#0B669D"
primary: "#045199"
header: "#0979c4"
redirectUri: "http://localhost:3000"
explainerVideo:
provider: "youtube"
id: "dQw4w9WgXcQ"
scopes:
- name: "openid"
description: "Open ID Connect"
workflow:
type: native
id: default
initialStep: default
steps:
default:
createChallenge: true
verifiablePresentationRequest: >
{
"query": {
"type": "QueryByExample",
"credentialQuery": {
"reason": "Please present your Driver's License to complete the verification process.",
"example": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/vdl/v1",
"https://w3id.org/vdl/aamva/v1"
],
"type": [
"Iso18013DriversLicenseCredential"
]
}
}
}
}Update after a little more research today.
I am still not able to configure a successful local w/ngrok tunnel connection to the wallet. I got to a point where the presentation_definition would generate the same input_descriptors as the working UAT OpenCred environment.
That is possible by changing the above workflow to this, with constraintsOverride:
workflow:
type: native
id: dmvappworkflow
initialStep: default
steps:
default:
createChallenge: true
verifiablePresentationRequest: >
{
"query": {
"type": "QueryByExample",
"credentialQuery": {
"reason": "Please present your Driver's License to complete the verification process.",
"example": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/vdl/v1",
"https://w3id.org/vdl/aamva/v1"
],
"type": [
"Iso18013DriversLicenseCredential"
]
}
}
}
}
constraintsOverride: >
{
"fields": [
{
"path": [
"$.vc.type"
],
"filter": {
"type": "string",
"pattern": "Iso18013DriversLicenseCredential"
}
}
]
}but I still get the same behavior in the wallet, which is once I scan the QR code, the wallet makes a request to the request_uri in the QR code, and the wallet then happily to the Home tab with no indication of failure.
I did proceed to connect my iPhone to my MacOS device to try to capture logs with the Console app. I successfully saw a bunch of logs from the Springboard process and others related to com.spruceid.app.credible.mdl, but no log messages error or otherwise seemed to relate to anything that might have gone wrong processing the JWT retrieved from the server.
Then I noticed in my ngrok logs a request for the DID document, which was disabled on my server. I had the wrong config key for it. Incorrect configuration:
app:
opencred:
didWeb:
enabled: trueCorrected, this should be:
app:
opencred:
didWeb:
mainEnabled: trueThis was SUCCESSFUL. The wallet prompted me to share the credential, and it worked.
Note I didn't define a mainDocument statically, I let it be generated dynamically. Probably the "id": "did:web:example.com" should have been "id": "did:web:trinsic.ngrok.io" in your config @tmarkovski. My guess is that this was an issue processing the DID Web document and the signature on the JWT discovered from the request_uri in the QR code. The wallet really should be displaying a human readable error in this case, but hopefully you'll be able to work around that with this guidance. Go ahead and close the issue if it works.
tmarkovski
commented
3 weeks ago Thank you @ottonomy. The didWeb configuration was indeed the issue. We managed to get a successful presentation up.
Thank you (and everyone who contributed to this issue) for looking into this and helping us get the POC up and running.
deshmukhrajvardhan
commented
3 weeks ago @tmarkovski I was able to get a local setup where the mobile phone can reach the HTTP endpoint on my local machine (they are on the same network). (replace baseUri with en0 ip)
When the CA DMV app scans the QR code, this entry shows up. But the app interface itself doesn't load.
mongosh mongodb://localhost:27017/opencred_localhost
opencred_localhost> db.Exchanges.find()
[
{
_id: ObjectId('66677f1fcd87358ea3cb7ffa'),
id: 'z19nF6KMj97aQakPMpXvqXc9K',
workflowId: 'z1A32xJZGqBeAEcMq56avmw2L',
sequence: 0,
ttl: 900,
state: 'pending',
variables: {},
step: 'default',
challenge: 'z1A55cGdqpyCC4S3VPXqPSL6B',
accessToken: 'z1AF1Mc3LX66z1GFrvbber7HZ',
createdAt: ISODate('2024-06-10T22:33:03.778Z'),
recordExpiresAt: ISODate('2024-06-11T22:48:03.778Z'),
oidc: { code: null, state: '' }
}
]I just realized that the Exchanges are created when this endpoint is called http://localhost:22080/context/login?client_id=rp1&redirect_uri=http%3A%2F%2Flocalhost%3A3000&scope=openid&response_type=code and not when CA DMV app scans it.
Upon scanning the code CA DMV app launches correctly, and I can see that it makes two distinct calls to my ngrok service
@tmarkovski how do you see these logs? On the server side, i assume?
I got the service up and running, proxying to a public ngrok address, and I'm attempting a verify workflow. I got the QR code (or URL) generated from the
/context/loginendpoint and I scan this with an iPhone that does have CA mDL for that user. Upon scanning the code CA DMV app launches correctly, and I can see that it makes two distinct calls to my ngrok serviceHowever, nothing happens after this. Neither the app, nor my running service report any error. I have configured my opencred service with the default examples shown in the readme, and it seems they're getting processed, but I have no way to diagnose why it won't complete the flow. Any way we can work through this using some test harness or a development app?