This is a demo application that uses vc-authn-oidc as Identity Provider to access a web resource directly, without requiring the use of third-party Access and Identity Management solutions.
This demo requires you to have a mobile wallet installed on your mobile phone. Visit this page for guidance on getting your own mobile wallet on iOS or Android.
Once you have the mobile app, you must obtain a Verified Email
credential from this Email Verification Service. Instructions to do that are on the site.
You will also need to have Docker installed and running. Want to run this a—no Docker needed? See these instructions about running this in your browser using Play with Docker.
ℹ️ If you have publicly accessible endpoints for your agent and controller, you can skip starting ngrok and provide your endpoints when starting the components prefixing the manage
command with the NGROK_AGENT_URL
and NGROK_CONTROLLER_URL
environment variables.
Example: NGROK_AGENT_URL=${NGROK_AGENT_URL} NGROK_CONTROLLER_URL=${NGROK_CONTROLLER_URL} ./manage start
In addition to the above pre-requirements, you will need three bash shell instances open at the following locations:
Your browser will need access to the following localhost ports: 8080
(Django Web App), 4200
(Angular Web App), and 8180
(KeyCloak instance).
Run ./manage build
in shells number 1
and 2
to assemble the images required to run the demo services.
When the builds are completed, run start-ngrok.sh in shell number 3
. This will run an instance of ngrok
used to allow your mobile agent to communicate with the services running on localhost.
To run ngrok, you see a page indicating you need to create an account on the ngrok.io site and login to the service. Further, depending on your setup, you may need to add an authtoken to the demo/ngrok.yml
file (add line authtoken: <token>
at the top or bottom, no indent).
Now we can start the services:
- In shell number
1
run./manage start-demo
Once the services are running, we will need to configure vc-authn-oidc so that it will request the Verified Email
credential. To do this, execute the following command in another shell (you can use, as an example, shell number 2
):
curl -X POST "http://localhost:5001/api/vc-configs" -H "accept: application/json" -H "X-Api-Key: controller-api-key" -H "Content-Type: application/json-patch+json" -d "{\"id\": \"verified-email\",\"subject_identifier\": \"email\", \"configuration\": { \"name\": \"verified-email\", \"version\": \"1.0\", \"requested_attributes\": [ { \"name\": \"email\", \"restrictions\": [ { \"schema_name\": \"verified-email\", \"issuer_did\": \"MTYqmTBoLT7KLP5RNfgK3b\" } ] } ], \"requested_predicates\": [] }}"
Additionally, we need to add the valid redirect URI for the test client to the vc-authn-oidc-controller database: a new entry should be created in the ClientRedirectUris
table. To acquire the credentials to connect to to the database you can refer to the environment variables set in the controller-db
section of the main manage script, however the default parameters for the demo clients have been pre-configured for convenience.
- In shell number
2
run./manage start
Once the applications have started, navigate your web browser to http://localhost:8080 and try clicking the link to provide a Verified Email
credential: you will be redirected to a page displaying a QR code generated by vc-authn-oidc
. If you have previously obtained the Verified Email
credential, you should be able to scan the code with your mobile wallet app, present the required proof and be able to access the protected page in the web application.
To test the second demo application, navigate your web browser to http://localhost:4200 and try clicking the button Authenticate
. You will be redirected to to the Keycloak
log in page (using OIDC code flow auth).
On the right side, click the log in with Verified Credential Access
button, you will be redirected to a page displaying a QR code generated by vc-authn-oidc
. If you have previously obtained the Verified Email
credential, you should be able to scan the code with your mobile wallet app, present the required proof and after redirect back to web application, be authenticated in the web application. You can see your email, roles, id token, access token and user data. The access token will be every time automatically/silent refreshed before it expired.
To stop the demos:
- In the first shell, run the command
./manage down
- In the second shell, run the command
./manage down
- In the third shell (ngrok), hit Ctrl-C to exit from the ngrok script.
You can rerun the demos, by following the steps above, including the curl
command.