Closed tmarkovski closed 3 weeks ago
@tmarkovski Can you provide a copy of the YAML configuration you're using, of course redacting any secrets/URLs you don't want to expose?
Sure. Any keys are copied from the README, so nothing sensitive.
And to be clear, we're talking about the relyingParty definition that has a `workflow.id` of `z1A32xJZGqBeAEcMq56avmw2L`, correct?
Correct.
@tmarkovski would you be willing to remove the RPs that you're not using from the above example config and test with that to setup a minimum runnable example? Along with updating the config in your earlier post?
Sure. Here's the latest update. This resulted in the same behavior.
Edit: I'm supplying the config through an env var, if that makes any difference. I can see that it picks up on changes.
config.yaml
GET /context/login
@tmarkovski I was able to reproduce https://github.com/stateofca/opencred/issues/4#issuecomment-2145496704. Is https://trinsic.ngrok.io an RP that has implemented the diagram mentioned in the README? Also, how do you render the QR code and other data: does this repo have those tools, or is it your custom implementation? Thanks for creating this issue.
Thanks for looking into it @deshmukhrajvardhan. I do not have a website that acts as an RP; I simply use ngrok (instead of localtunnel from the README), so I can have a publicly available service for the mobile app. I'm only trying to get the service running. However, I do not think this is necessary to get a response from the wallet app.
This is how I created my setup.
- Set `BEDROCK_CONFIG` to the base64 value of the config file above
- `npm start`
- `trinsic`
- `trinsic.ngrok.io/api-docs`
- `GET /context/login` with the RP data configured in the config

The QR code is contained in the response of the `GET /context/login` request that I make. I understand the QR code is just an encoded URL of the data in the `exchangeData.OID4VP` field. I simply show this data in a browser. Once I scan it with the CA DMV wallet, I can see that the wallet makes two requests in my ngrok interface, as shown in my original comment.
When the mobile app calls `/openid/client/authorization/request`, in the response of that there is another URL which points to `/openid/client/authorization/response` with the domain `trinsic.ngrok.io`.
I'm expecting the app to prepare and submit a response at this URL. The app does not seem to process this part.
Hi @tmarkovski - what do you see when you visit https://trinsic.ngrok.io/login?client_id=rp1&redirect_uri=http%3A%2F%2Flocalhost%3A3000&state=whateveryouwant&scope=openid?
I see the web app interface offering me to login using CHAPI or scan QR code. Scanning this QR code results in the same behavior.
Could you give more information on how you obtained your DL into your CA DMV wallet?
My team members from CA that are helping me test will respond shortly.
Is this setup working for you @kezike ? I've also left my public bridge up, so you can try for yourself if you have a CA DL.
Additionally, is there a config file for development that you would recommend I try?
@kezike I basically went through the default onboarding flow the CA DMV app provides us. That is the CA DMV Wallet app (I know there are two). This video shows the onboarding process.
I also went through the default onboarding flow
@kezike I have now also reproduced a variation of this problem. `GET /workflows/default/exchanges/z1A8mxpEDhvNhWMVAYs15JUzQ` returned `200 OK`, but nothing was displayed to me in the wallet.

Next steps tomorrow include: getting access to the iOS error log by hooking the phone up to the computer to see if there are any more informative errors in there.
Using a relying party configured in `combined.yaml` like the following:

```yaml
- name: Utopia DMV
  clientId: "dmv"
  clientSecret: "toosecrettopastehere"
  description: "Utopia DMV"
  icon: ""
  backgroundImage: ""
  brand:
    cta: "#0B669D"
    primary: "#045199"
    header: "#0979c4"
  redirectUri: "http://localhost:3000"
  explainerVideo:
    provider: "youtube"
    id: "dQw4w9WgXcQ"
  scopes:
    - name: "openid"
      description: "Open ID Connect"
  workflow:
    type: native
    id: default
    initialStep: default
    steps:
      default:
        createChallenge: true
        verifiablePresentationRequest: >
          {
            "query": {
              "type": "QueryByExample",
              "credentialQuery": {
                "reason": "Please present your Driver's License to complete the verification process.",
                "example": {
                  "@context": [
                    "https://www.w3.org/2018/credentials/v1",
                    "https://w3id.org/vdl/v1",
                    "https://w3id.org/vdl/aamva/v1"
                  ],
                  "type": [
                    "Iso18013DriversLicenseCredential"
                  ]
                }
              }
            }
          }
```
Update after a little more research today.
I am still not able to configure a successful local w/ngrok tunnel connection to the wallet. I got to a point where the `presentation_definition` would generate the same `input_descriptors` as the working UAT OpenCred environment.
That is possible by changing the above workflow to this, with `constraintsOverride`:
```yaml
workflow:
  type: native
  id: dmvappworkflow
  initialStep: default
  steps:
    default:
      createChallenge: true
      verifiablePresentationRequest: >
        {
          "query": {
            "type": "QueryByExample",
            "credentialQuery": {
              "reason": "Please present your Driver's License to complete the verification process.",
              "example": {
                "@context": [
                  "https://www.w3.org/2018/credentials/v1",
                  "https://w3id.org/vdl/v1",
                  "https://w3id.org/vdl/aamva/v1"
                ],
                "type": [
                  "Iso18013DriversLicenseCredential"
                ]
              }
            }
          }
        }
      constraintsOverride: >
        {
          "fields": [
            {
              "path": [
                "$.vc.type"
              ],
              "filter": {
                "type": "string",
                "pattern": "Iso18013DriversLicenseCredential"
              }
            }
          ]
        }
```
but I still get the same behavior in the wallet, which is: once I scan the QR code, the wallet makes a request to the `request_uri` in the QR code, and the wallet then happily goes to the Home tab with no indication of failure.
I did proceed to connect my iPhone to my MacOS device to try to capture logs with the Console app. I successfully saw a bunch of logs from the Springboard process and others related to `com.spruceid.app.credible.mdl`, but no log messages, error or otherwise, seemed to relate to anything that might have gone wrong processing the JWT retrieved from the server.
Then I noticed in my ngrok logs a request for the DID document, which was disabled on my server. I had the wrong config key for it. Incorrect configuration:

```yaml
app:
  opencred:
    didWeb:
      enabled: true
```

Corrected, this should be:

```yaml
app:
  opencred:
    didWeb:
      mainEnabled: true
```
This was SUCCESSFUL. The wallet prompted me to share the credential, and it worked.
Note I didn't define a `mainDocument` statically, I let it be generated dynamically. Probably the `"id": "did:web:example.com"` should have been `"id": "did:web:trinsic.ngrok.io"` in your config @tmarkovski. My guess is that this was an issue processing the DID Web document and the signature on the JWT discovered from the `request_uri` in the QR code. The wallet really should be displaying a human readable error in this case, but hopefully you'll be able to work around that with this guidance. Go ahead and close the issue if it works.
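A preflight check for the `didWeb` part of the config, added here as an example (not OpenCred's own code): it flags the `enabled` key that the server does not read, requires `mainEnabled: true`, and, when a static `mainDocument` is present, derives the `did:web` id the wallet will expect from `baseUri` and the URL it will fetch the DID document from, so a leftover `did:web:example.com` id on a service served from `trinsic.ngrok.io` is caught before anyone scans a QR code. The two configs are constructed to mirror the thread; placing `baseUri` alongside `didWeb` under `app.opencred` is an assumption.

```python
from urllib.parse import quote, urlparse


def did_web_to_url(did: str) -> str:
    """Map a did:web id to its DID document URL (did:web method rules:
    host, optional %3A-encoded port, ':'-separated path segments)."""
    if not did.startswith("did:web:"):
        raise ValueError(f"not a did:web identifier: {did}")
    parts = did[len("did:web:"):].split(":")
    host = parts[0].replace("%3A", ":")  # encoded port -> host:port
    path = "/".join(parts[1:])
    return (f"https://{host}/{path}/did.json" if path
            else f"https://{host}/.well-known/did.json")


def expected_did_web(base_uri: str) -> str:
    """did:web id matching the host (and port) the service is served from."""
    return "did:web:" + quote(urlparse(base_uri).netloc, safe="")


def check_did_web_config(config: dict) -> list:
    """Return the list of problems found under app.opencred.didWeb
    (empty list means the wallet's DID document fetch should succeed)."""
    problems = []
    oc = config.get("app", {}).get("opencred", {})  # assumed layout
    did_web = oc.get("didWeb", {})
    if "enabled" in did_web:
        problems.append("didWeb.enabled is not a key OpenCred reads; use mainEnabled")
    if did_web.get("mainEnabled") is not True:
        problems.append("didWeb.mainEnabled is not true; the DID document stays disabled")
    doc, base_uri = did_web.get("mainDocument"), oc.get("baseUri")
    if doc and base_uri:
        want, got = expected_did_web(base_uri), doc.get("id", "")
        if got != want:
            where = did_web_to_url(got) if got.startswith("did:web:") else "nowhere"
            problems.append(f"mainDocument.id {got!r} != {want!r}; wallet resolves it at {where}")
    return problems


# Constructed configs: the misconfiguration from the thread and the corrected form.
BROKEN_CONFIG = {"app": {"opencred": {
    "baseUri": "https://trinsic.ngrok.io",
    "didWeb": {"enabled": True, "mainDocument": {"id": "did:web:example.com"}}}}}
FIXED_CONFIG = {"app": {"opencred": {
    "baseUri": "https://trinsic.ngrok.io",
    "didWeb": {"mainEnabled": True, "mainDocument": {"id": "did:web:trinsic.ngrok.io"}}}}}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_did_web_config(cfg) or "OK")
```

Run it against the dict you get from loading your YAML; each reported problem is something the wallet would have silently failed on.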
Thank you @ottonomy. The `didWeb` configuration was indeed the issue. We managed to get a successful presentation up.
Thank you (and everyone who contributed to this issue) for looking into this and helping us get the POC up and running.
@tmarkovski I was able to get a local setup where the mobile phone can reach the HTTP endpoint on my local machine (they are on the same network). (Replace `baseUri` with the en0 IP.)
When the CA DMV app scans the QR code, this entry shows up. But the app interface itself doesn't load.
```
mongosh mongodb://localhost:27017/opencred_localhost
opencred_localhost> db.Exchanges.find()
[
  {
    _id: ObjectId('66677f1fcd87358ea3cb7ffa'),
    id: 'z19nF6KMj97aQakPMpXvqXc9K',
    workflowId: 'z1A32xJZGqBeAEcMq56avmw2L',
    sequence: 0,
    ttl: 900,
    state: 'pending',
    variables: {},
    step: 'default',
    challenge: 'z1A55cGdqpyCC4S3VPXqPSL6B',
    accessToken: 'z1AF1Mc3LX66z1GFrvbber7HZ',
    createdAt: ISODate('2024-06-10T22:33:03.778Z'),
    recordExpiresAt: ISODate('2024-06-11T22:48:03.778Z'),
    oidc: { code: null, state: '' }
  }
]
```
I just realized that the `Exchanges` are created when this endpoint is called, `http://localhost:22080/context/login?client_id=rp1&redirect_uri=http%3A%2F%2Flocalhost%3A3000&scope=openid&response_type=code`, and not when the CA DMV app scans it.
> Upon scanning the code, the CA DMV app launches correctly, and I can see that it makes two distinct calls to my ngrok service
@tmarkovski how do you see these logs? On the server side, i assume?
I got the service up and running, proxying to a public ngrok address, and I'm attempting a verify workflow. I got the QR code (or URL) generated from the `/context/login` endpoint and I scan this with an iPhone that does have a CA mDL for that user. Upon scanning the code, the CA DMV app launches correctly, and I can see that it makes two distinct calls to my ngrok service. However, nothing happens after this. Neither the app nor my running service reports any error. I have configured my opencred service with the default examples shown in the readme, and it seems they're getting processed, but I have no way to diagnose why it won't complete the flow. Is there any way we can work through this using some test harness or a development app?