HackMD
    • Create new note
    • Create a note from template
      • Sharing URL Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Customize slides
      • Note Permission
      • Read
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • Write
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • More features Commenting, Suggest edit
      • Invitee
      • No invitee
    • Publish Note

      Publish Note

      Everyone on the web can find and read all notes of this public team.
      Once published, notes can be searched and viewed by anyone online.
      See published notes
      Please check the box to agree to the Community Guidelines.
    • Commenting
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
      • Everyone
    • Suggest edit
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
    • Options
    • Versions and GitHub Sync
    • Transfer ownership
    • Delete this note
    • Note settings
    • Template
    • Save as template
    • Insert from template
    • Export
    • Dropbox
    • Export to Google Drive
    • Gist
    • Import
    • Dropbox
    • Import from Google Drive
    • Gist
    • Clipboard
    • Download
    • Markdown
    • HTML
    • Raw HTML
Menu Note settings Sharing URL Create Help
Create Create new note Create a note from template
Menu
Options
Versions and GitHub Sync Transfer ownership Delete this note
Export
Dropbox Export to Google Drive Gist
Import
Dropbox Import from Google Drive Gist Clipboard
Download
Markdown HTML Raw HTML
Back
Sharing URL Link copied
/edit
View mode
  • Edit mode
  • View mode
  • Book mode
  • Slide mode
Edit mode View mode Book mode Slide mode
Customize slides
Note Permission
Read
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
Write
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
More features Commenting, Suggest edit
Invitee
No invitee
Publish Note

Publish Note

Everyone on the web can find and read all notes of this public team.
Once published, notes can be searched and viewed by anyone online.
See published notes
Please check the box to agree to the Community Guidelines.
More features
Commenting
Permission
Disabled Forbidden Owners Signed-in users Everyone
Enable
Permission
  • Forbidden
  • Owners
  • Signed-in users
  • Everyone
Suggest edit
Permission
Disabled Forbidden Owners Signed-in users Everyone
Enable
Permission
  • Forbidden
  • Owners
  • Signed-in users
   owned this note    owned this note      
Published Linked with GitHub
Subscribed
  • Any changes
    Be notified of any changes
  • Mention me
    Be notified of mention me
  • Unsubscribe
Subscribe
# Guide Draft [ Moe's GitHub for reference](https://github.com/tbdeng/known-customer-credential?tab=readme-ov-file#implementation-details) (this line isn't apart of the guide) notes: - add section in setup for guidance on how server is configured for issuer, when it comes to their metadata # Known Customer Credential Known Customer Credentials (KCCs) are [Verifiable Credentials](https://developer.tbd.website/docs/web5/learn/verifiable-credentials) designed to streamline the [Know Your Customer(KYC)]() process for tbDEX protocol users. KCCs help in gaining access to PFIs providing regulated financial services. For a comprehensive exploration of the practical applications and compliance considerations of KCCs, refer to our [KCC Guide](https://docs.google.com/document/d/1vwcqzXOpVrCUv7U7g3A4jJs99Lj18gAVy4FaA3COEb8/edit). This resource provides detailed examples and insights into how KCCs align with certain regulatory requirements, offering valuable context for those overseeing the implementation and management of KCCs. :::danger IMPORTANT: This guide is intended for educational purposes only and does not constitute legal advice. Compliance programs may have varying requirements. Consult your legal and/or compliance advisors to ensure that the KCC is consistent with your legal and compliance obligations. ::: In this guide, we'll cover: - Performing [Identity Verification (IDV)]() as a necessary step **before** issuing a Known Customer Credential (KCC), following Self Issued OpenID Provider V2 (SIOPv2) and [OpenID for Verifiable Presentation's (OID4VP)](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) set of specifications. - Designing a KCC, detailing the required properties. - Issuing a KCC, following successful IDV. :::info For a detailed guide on Known Customer Credentials for Wallets, please refer to our [Wallet's Known Customer Credential Guide](https://hackmd.io/SQwE3SnrRkmeipGGtznJTw) ::: ## Environment Setup If you haven't already, please follow our [Credential Issuance Server Setup Guide](https://hackmd.io/4cW3D9BVQGCEuf1CEg47jA?both#Credential-Issuance-Enviornment-Setup-Guide) for detailed instructions on the dependencies and packages needed to set up your server. ## IDV Process Identity Verification (IDV) is a critical component of typical Know Your Customer (KYC) requirements, where certain types of Personally Identifying Information (PII) are collected and verified from an individual. IDV is a crucial step before a Known Customer Credential (KCC) can be issued. <<<<<<<<<<<<<< IDV Flow diagram >>>>>>>>>>>>>> The IDV flow begins when the customer's agent (e.g. Wallet application) sends an HTTP request to the Issuer's [IDV service endpoint](https://hackmd.io/4cW3D9BVQGCEuf1CEg47jA?both#Issuers-Identity) specified in the Issuer's DID. ### Handling Incoming Requests 1. Create an endpoint to handle incoming GET requests from the Wallet. When a request is received, you'll need to construct the [SIOPv2]() (Self Issued OpenID Provider V2) Authorization Request. ### Approach 1: Requesting only `id_token` This approach is used when the goal is solely to authenticate the user without requesting any additional Verifiable Credentials. ```javascript // Issuer api.js for id_token only app.get('/idv/siopv2/initiate', async (req, res) => { const siopRequestOnlyIdToken = { client_id: issuerDid, // Issuer's Decentralized Identifier scope: "openid", // Standard OpenID Connect scope response_type: "id_token", // Only requesting an ID Token response_uri: "https://issuer.example.com/siopv2/response", // Endpoint for SIOP response delivery response_mode: "direct_post", // Delivery method of the SIOP response nonce: "n-0S6_WzA2Mj" // Unique string to link the request and response // Note: No presentation_definition is included, as we're not requesting a vp_token }; // Construct and send the SIOPv2 Authorization Request }); ``` ### Approach 2: Requesting both `id_token` and `vp_token` This approach is used when you need to authenticate the user and also want to request specific Verifiable Credentials. ```javascript // Issuer api.js for id_token and vp_token app.get('/idv/siopv2/initiate', async (req, res) => { // Construct the SIOPv2 Authorization Request const siopRequest = { client_id: issuerDid, // Issuer's Decentralized Identifier scope: "openid", // Standard OpenID Connect scope response_type: "id_token vp_token", // Expected response formats: ID Token and optionally, Verifiable Presentation Token response_uri: "https://issuer.example.com/siopv2/response", // Endpoint for SIOP response delivery response_mode: "direct_post", // Delivery method of the SIOP response nonce: "n-0S6_WzA2Mj", // Unique string to link the request and response client_metadata: { // Descriptive metadata about the requesting party (issuer) subject_syntax_types_supported: "did:dht did:jwk", client_name: "Issuance Service Name", client_uri: "https://issuer.example.com", logo_uri: "https://issuer.example.com/logo.png", tos_uri: "https://issuer.example.com/tos", policy_uri: "https://issuer.example.com/privacy" }, presentation_definition: { id: "IDCardCredentials", input_descriptors: [ { id: "IDCardCredential", schema: { uri: [ "https://www.w3.org/2018/credentials#VerifiableCredential", "https://www.w3.org/2018/credentials/examples/v1#IDCardCredential" ], name: "ID Card Credential", purpose: "We need to verify your identity." }, constraints: { fields: [ { path: ["$.vc.credentialSubject.given_name"], purpose: "The given name on your ID card." }, { path: ["$.vc.credentialSubject.family_name"], purpose: "The family name on your ID card." }, { path: ["$.vc.credentialSubject.birthdate"], purpose: "Your birth date." }, { path: ["$.vc.credentialSubject.national_identifier"], purpose: "Your national identifier." } ] } } ] } }; }); ``` This request contains information about you, the issuer, along with a [Presentation Definition](https://developer.tbd.website/docs/web5/build/verifiable-credentials/presentation-definition). * **`client_id`**: Issuer's DID, establishing the issuer/requestor's identity * **`response_type`**: Lets the wallet know the desired format, with `id_token` being required identity token and `vp_token` for *optional* verifiable presentation token. The inclusion of `vp_token` means a presentation definition is required within the request. * **`response_uri`**: Indicates the callback url for the wallet, ensuring direct communication between the wallet and the issuer. * **`nonce`**: A unique identifier tying together the request and its response :::info For more information on the schema, refer to the [Presentation Definition spec](https://identity.foundation/presentation-exchange/spec/v1.0.0/#json-schema-2). ::: 2. Encode the SIOPv2 Authorization Request and respond ```javascript // Issuer api.js const queryString = Object.entries(siopRequest).map(([key, value]) => { if (typeof value === 'object') { value = encodeURIComponent(JSON.stringify(value)); } else { value = encodeURIComponent(value); } return `${encodeURIComponent(key)}=${value}`; }).join('&'); res.send(queryString); ``` 3. The Wallet will then respond with a POST SIOPv2 Authorization response. This response will be [JSON Web Tokens (JWTs)](https://jwt.io/). Here's an example response where `vp_token` and `id_token` is in the Auth Response: ```javascript // wallet id_token JWT response eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaWQ6ZGh0OmN1c3RvbWVyRGlkIiwic3ViIjoiZGlkOmRodDpjdXN0b21lckRpZCIsImF1ZCI6Imlzc3VlckRpZC51cmkiLCJub25jZSI6Im4tMFM2X1d6QTJNaiIsImV4cCI6MTYxODg4NDQ3MywiaWF0IjoxNjE4ODgwODczfQGUuY29tL2NyZWRlbnRpYWxzLzE4NzIiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiSURDYXJkQ3JlZGVudGlhbCJdLCJpc3N1ZXIiOnsiaWQiOiJkaWQ6ZXhhbXBsZTppc3N1ZXIifSwiaXNzdWFuY2VEYXRlIjoiMjAxMC0wMS0wMVQxOToyMzoyNFoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJnaXZlbl9uYW1lIjoiRnJlZHJpayIsImZhbWlseV9uYW1.Imlzc3VlckRpZC51cmkiLCJub25jZSI6Im4tMFM2X1d6QTJNaiIsImV4cCI6MTYxODg4NDQ3MywiaWF0IjoxNjE4ODgwODcz ``` ```javascript // wallet vp_token JWT response eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVQcmVzZW50YXRpb24iXSwidmVyaWZpYWJsZUNyZWRlbnRpYWwiOlt7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIiwiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvZXhhbXBsZXMvdjEiXSwiaWQiOiJodHRwczovL2V4YW1wbGUuY29tL2NyZWRlbnRpYWxzLzE4NzIiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiSURDYXJkQ3JlZGVudGlhbCJdLCJpc3N1ZXIiOnsiaWQiOiJkaWQ6ZXhhbXBsZTppc3N1ZXIifSwiaXNzdWFuY2VEYXRlIjoiMjAxMC0wMS0wMVQxOToyMzoyNFoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJnaXZlbl9uYW1lIjoiRnJlZHJpayIsImZhbWlseV9uYW1lIjoiU3RyJm9tYmVyZyIs.ImJpcnRoZGF0ZSI6IjE5NDktMDEtMjIifX1dLCJob2xkZXIiOiJkaWQ6ZXhhbXBsZTpob2xkZXIiLCJwcm9vZiI6eyJ0eXBlIjoiRWQyNTUxOVNpZ25hdHVyZTIwMTgiLCJjcmVhdGVkIjoiMjAyMS0wMy0xOVQxNTozMDoxNVoiLCJjaGFsbGVuZ2UiOiJuLTBTNl9XekEyTWoiLCJkb21haW4iOiJodHRwczovL2NsaWVudC5leGFtcGxlLm9yZy9jYiIsImp3cyI6ImV5SmhiR2NpT2lKSVV6STFOaUo5LkhvbGRlcl9GT1JfU0lHTkFUVVJFIiwicHJvb2ZQdXJwb3NlIjoiYXV0aGVudGljYXRpb24iLCJ2ZXJpZmljYXRpb25NZXRob2QiOiJkaWQ6ZXhhbXBsZTpob2xkZXIja2V5LTEifX0 ``` When decoded here is the Human-Readable JSON of `id_token` and `vp_token`: ```json // wallet { "id_token": { "iss": "did:dht:customerDid", "sub": "did:dht:customerDid", "aud": "did:dht:issuerDid", // issuer's did string "nonce": "n-0S6_WzA2Mj", "exp": 1618884473, "iat": 1618880873 }, "vp_token": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://identity.foundation/presentation-exchange/submission/v1" ], "type": [ "VerifiablePresentation", "PresentationSubmission" ], "presentation_submission": { "id": "epzZXstAcVNt5MRrcyG91", "definition_id": "IDCardCredentials", "descriptor_map": [ { "id": "IDCardCredential", "format": "jwt_vc", "path": "$.verifiableCredential[0]" }, { "id": "nationalIdentifierVerification", "format": "jwt_vc", "path": "$.verifiableCredential[1]" } ] }, "verifiableCredential": [ "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDprZXk6ejZNa2VyNDlDbnVnN2hzdkhEZ3Y0NHl2cGR2dE1oNHlMaURYeFM2N2huclVodHQyI3o2TWtlcjQ5Q251Zzdoc3ZIRGd2NDR5dnBkdnRNaDR5TGlEWHhTNjdobnJVaHR0MiJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtlcjQ5Q251Zzdoc3ZIRGd2NDR5dnBkdnRNaDR5TGlEWHhTNjdobnJVaHR0MiIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJFbXBsb3ltZW50Q3JlZGVudGlhbCJdLCJpZCI6InVybjp1dWlkOjcyNDhiOTkyLTkwOTYtNDk2NS1hMGVjLTc3ZDhhODNhMWRmYiIsImlzc3VlciI6ImRpZDprZXk6ejZNa2VyNDlDbnVnN2hzdkhEZ3Y0NHl2cGR2dE1oNHlMaURYeFM2N2huclVodHQyIiwiaXNzdWFuY2VEYXRlIjoiMjAyMy0xMi0yMVQyMDoxMToyNVoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDppb246RWlEMTR4UmY0cTJNWlh1ZWY2X2ZXYnBGbVlTUG94dGFxTkp1SmdEMG96Wl84UTpleUprWld4MFlTSTZleUp3WVhSamFHVnpJanBiZXlKaFkzUnBiMjRpT2lKeVpYQnNZV05sSWl3aVpHOWpkVzFsYm5RaU9uc2ljSFZpYkdsalMyVjVjeUk2VzNzaWFXUWlPaUprZDI0dGMybG5JaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNklrVmtNalUxTVRraUxDSnJkSGtpT2lKUFMxQWlMQ0o0SWpvaWVubGFNbVYzTlhKeVVXdFVjbUV3WlZsVk16WlBTblJzTURCbFJWZHhhalZhV0dkNmNEZFpSVTVKUVNKOUxDSndkWEp3YjNObGN5STZXeUpoZFhSb1pXNTBhV05oZEdsdmJpSmRMQ0owZVhCbElqb2lTbk52YmxkbFlrdGxlVEl3TWpBaWZTeDdJbWxrSWpvaVpIZHVMV1Z1WXlJc0luQjFZbXhwWTB0bGVVcDNheUk2ZXlKamNuWWlPaUp6WldOd01qVTJhekVpTENKcmRIa2lPaUpGUXlJc0luZ2lPaUpQZDJZMFQyMUViamxKWm5SNFdYWnBkRTFHWm1jMVVXeDVMVVV6VWs1b1dsUkdPVlpFTWtnNVQzVjNJaXdpZVNJNkltUnZjVmxtV2s1c1NtRlRNVll4U201bU9HdEZObEF6VkRsd2QzaDNla3hFVTJWc1ZqTlRUa2s1U2xFaWZTd2ljSFZ5Y0c5elpYTWlPbHNpYTJWNVFXZHlaV1Z0Wlc1MElsMHNJblI1Y0dVaU9pSktjMjl1VjJWaVMyVjVNakF5TUNKOVhTd2ljMlZ5ZG1salpYTWlPbHQ3SW1sa0lqb2laSGR1SWl3aWMyVnlkbWxqWlVWdVpIQnZhVzUwSWpwN0ltVnVZM0o1Y0hScGIyNUxaWGx6SWpwYklpTmtkMjR0Wlc1aklsMHNJbTV2WkdWeklqcGJJbWgwZEhCek9pOHZaSGR1TG5SaVpHUmxkaTV2Y21jdlpIZHVOaUlzSW1oMGRIQnpPaTh2WkhkdUxuUmlaR1JsZGk1dmNtY3ZaSGR1TUNKZExDSnphV2R1YVc1blMyVjVjeUk2V3lJalpIZHVMWE5wWnlKZGZTd2lkSGx3WlNJNklrUmxZMlZ1ZEhKaGJHbDZaV1JYWldKT2IyUmxJbjFkZlgxZExDSjFjR1JoZEdWRGIyMXRhWFJ0Wlc1MElqb2lSV2xEWm05bVFUQkpVbU5uY2tWdVVHZHdRbU5RV1ZsV2VFWlliR0pTYjJRd2RVNWZRVkJwTkVrNUxVRmZRU0o5TENKemRXWm1hWGhFWVhSaElqcDdJbVJsYkhSaFNHRnphQ0k2SWtWcFFtd3pWWG80VldGT2REZGxlREJKYjJJMFJFNXNhbFJGVmpaelQwTmtjbFJ3TWxvNE5FTkJPVFJPUWtFaUxDSnlaV052ZG1WeWVVTnZiVzFwZEcxbGJuUWlPaUpGYVVOWk9WRldZbWRKYkUxemRraEZYMVJtTld4a1MxQjBkR3d3WVV4blNrdHNSbmt6Vms0d2QzQTJhVFpSSW4xOSIsImVtcGxveW1lbnRTdGF0dXMiOiJlbXBsb3llZCJ9fX0.Sazc8Ndhs-NKjxvtVMKeC9dxjEkI26fVsp2kFNWM-SYLtxMzKvl5ffeWd81ysHgPmBBSk2ar4dMqGgUsyM4gAQ", "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDprZXk6ejZNa2pwUzRHVUFoYmdCSmg2azJnZTZvWTQ0UUxyRXA3NXJadHNqYVRLb3JSRGR0I3o2TWtqcFM0R1VBaGJnQkpoNmsyZ2U2b1k0NFFMckVwNzVyWnRzamFUS29yUkRkdCJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtqcFM0R1VBaGJnQkpoNmsyZ2U2b1k0NFFMckVwNzVyWnRzamFUS29yUkRkdCIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJOYW1lQW5kRG9iQ3JlZGVudGlhbCJdLCJpZCI6InVybjp1dWlkOjliZjM2YzY5LTI0ODAtNDllZC1iMTYyLTRlZDEwOWE3MTc3NyIsImlzc3VlciI6ImRpZDprZXk6ejZNa2pwUzRHVUFoYmdCSmg2azJnZTZvWTQ0UUxyRXA3NXJadHNqYVRLb3JSRGR0IiwiaXNzdWFuY2VEYXRlIjoiMjAyMy0xMi0yMVQyMDowNjowMVoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDppb246RWlDS2o2M0FyZlBGcEpsb2lTd3gxQUhxVWtpWlNoSDZGdnZoSzRaTl9fZDFtQTpleUprWld4MFlTSTZleUp3WVhSamFHVnpJanBiZXlKaFkzUnBiMjRpT2lKeVpYQnNZV05sSWl3aVpHOWpkVzFsYm5RaU9uc2ljSFZpYkdsalMyVjVjeUk2VzNzaWFXUWlPaUprZDI0dGMybG5JaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNklrVmtNalUxTVRraUxDSnJkSGtpT2lKUFMxQWlMQ0o0SWpvaWNscFdXbTVJVkVrNWFEWkJUVmxVV0dwT01HcFhTVkYwTTI5ak4xTnJTeTF4Y2kxcVVuSTBUalEzUlNKOUxDSndkWEp3YjNObGN5STZXeUpoZFhSb1pXNTBhV05oZEdsdmJpSmRMQ0owZVhCbElqb2lTbk52YmxkbFlrdGxlVEl3TWpBaWZTeDdJbWxrSWpvaVpIZHVMV1Z1WXlJc0luQjFZbXhwWTB0bGVVcDNheUk2ZXlKamNuWWlPaUp6WldOd01qVTJhekVpTENKcmRIa2lPaUpGUXlJc0luZ2lPaUpaVDFwRE5WSmlUMHQ1T0dadVVUWTJVWEZPUkc5aldFMXZPVXhUZEdNNVYyOWthMHd0ZFZCZlExQnZJaXdpZVNJNklsWnZZM0UxVERodFozQlhXVTFrYjFwS1JrWlJUa1ZDT0hsR0xXTndkRWQzZFdkcFRWVm5hR2t6Y21jaWZTd2ljSFZ5Y0c5elpYTWlPbHNpYTJWNVFXZHlaV1Z0Wlc1MElsMHNJblI1Y0dVaU9pSktjMjl1VjJWaVMyVjVNakF5TUNKOVhTd2ljMlZ5ZG1salpYTWlPbHQ3SW1sa0lqb2laSGR1SWl3aWMyVnlkbWxqWlVWdVpIQnZhVzUwSWpwN0ltVnVZM0o1Y0hScGIyNUxaWGx6SWpwYklpTmtkMjR0Wlc1aklsMHNJbTV2WkdWeklqcGJJbWgwZEhCek9pOHZaSGR1TG5SaVpHUmxkaTV2Y21jdlpIZHVOaUlzSW1oMGRIQnpPaTh2WkhkdUxuUmlaR1JsZGk1dmNtY3ZaSGR1TUNKZExDSnphV2R1YVc1blMyVjVjeUk2V3lJalpIZHVMWE5wWnlKZGZTd2lkSGx3WlNJNklrUmxZMlZ1ZEhKaGJHbDZaV1JYWldKT2IyUmxJbjFkZlgxZExDSjFjR1JoZEdWRGIyMXRhWFJ0Wlc1MElqb2lSV2xCTXpSMlMzb3llVmswZVV4dGRDMUdabkJuYWpWbGFFRm1ZWFI1YzFOa2MwNVNWbVpMYkhwUWRqTjVkeUo5TENKemRXWm1hWGhFWVhSaElqcDdJbVJsYkhSaFNHRnphQ0k2SWtWcFF6ZGZjMXBzTW1wMVVXNUdhRVJIV1RSb2NFVTRiMlF4YVU5MWRuZG1PVFJ5TVVkbk9HMWFWbVJCVmxFaUxDSnlaV052ZG1WeWVVTnZiVzFwZEcxbGJuUWlPaUpGYVVKdU5sTnJiSEpWYzNKdVFuaFJPVXBqVXkxTlNVaGtWelYwTXpRM1MxWjNaMXBwVEZwMFQwcDRRVkYzSW4xOSIsIm5hbWUiOiJhbGljZSBib2IiLCJkYXRlT2ZCaXJ0aCI6IjEwLTAxLTE5OTAifX19.mNCDv_JntH-wZpYONKNL58UbOWaYXCYJO_HPI_WVlSgwzo6dhYmV_9qtpFKd_exFb-aaEYPeSE43twWlrJeSBg" ] } } ``` 4. Create a `/siopv2/response` endpoint to verify and handle the Wallet's response. If the Wallet provides a [Verifiable Presentation](https://developer.tbd.website/docs/glossary#verifiable-presentation) (vp_token), we'll proceed with sending just a `credential_offer`. If the response only has `id_token`, the `credential_offer` object will also include a URL to an Identity Verification form. ```javascript // Issuer api.js import { VerifiableCredential, Jwt } from '@web5/credentials'; // replaced with a more secure storage & DID linking solution const preAuthCodeToDidMap = new Map(); app.post('/siopv2/response', async (req, res) => { const walletResponse = req.body; // The SIOPv2 Authorization Response from the wallet /************************************************************ * Extract and verify the ID Token from the wallet's response *************************************************************/ try { const compactIdToken = walletResponse.id_token; if (!compactIdToken) { return res.status(400).json({ message: "Missing ID Token" }); } const idTokenVerificationResult = await Jwt.verify({ jwt: compactIdToken }) /************************************************************ * Extract customers Did from verificationResult *************************************************************/ const customersDidUri = idTokenVerificationResult.payload.sub; // Perform additional checks (e.g., nonce, audience, expiration) } /************************************************************ * Extract and verify the VP Token from the wallet's response *************************************************************/ let credentialOffer; if (walletResponse.vp_token) { const compactVpToken = walletResponse.vp_token; const vpTokenVerificationResult = await Jwt.verify({ jwt: compactVpToken }); /************************************************************************** * Generate a unique Pre-Authorization Code and map it to the Customer's DID ***************************************************************************/ const preAuthCode = generateUniquePreAuthCode(); preAuthCodeToDidMap.set(preAuthCode, customersDidUri); /************************************************************************ * Construct Credential Offer without URL since VP Token is present *************************************************************************/ credentialOffer = { "credential_issuer": "https://issuer.example.com/credentials/.well-known/openid-credential-issuer", // this a set value: .well-known/openid-credential-issuer "credential_configuration_ids": [ "knownCustomerCredential-basic", "knownCustomerCredential-extended" ], "grants": { "urn:ietf:params:oauth:grant-type:pre-authorized_code": preAuthCode } }; } else { /************************************************************************ * If VP token is not present, include URL for IDV form *************************************************************************/ credentialOffer = { "url": "https://issuer.example.com/idv/form", // IDV Request form "credential_issuer": "https://issuer.example.com", "credential_configuration_ids": ["knownCustomerCredential-basic", "knownCustomerCredential-extended"], "grants": {"urn:ietf:params:oauth:grant-type:pre-authorized_code": generateUniquePreAuthCode()} }; res.json(credentialOffer); } catch (error) { // Handle verification errors return res.status(401).json({ errors: ['Invalid token', error.message] }); } }); ``` :::info When the Wallet only responds with `id_token`, your response must include a **`url`** (IDV Request Form). This will point to a webpage for the customer to input their information (e.g.; name, identification number, date of birth, etc). ::: Credential Offer Details: - **`credential_issuer`**: The base URL address of the Issuer's service. It is used by the Wallet to retrieve the Issuer's metadata and the Issuer's Authorization Server Metadata. - **`credential_configuration_ids`**: Unique strings that identify the credential you are offering. The Wallet can use these to request metadata. - **`grants`**: Contains grant types you will accept for this credential offer. - **`urn:ietf:params:oauth:grant-type:pre-authorized_code`**: Grant type that allows the Wallet to follow a Pre-Authorized code flow skipping any PII steps because they've already completed it. - **`pre-authorized_code`**: The code representing the Credential Issuer's authorization for the Wallet to obtain an access token. :::info **Dynamic Metadata Retrieval by Wallets** Wallets use the `credential_issuer` from the Credential Offer to dynamically construct URLs for fetching issuer and authorization server metadata. These URLs, formed by appending `/.well-known/openid-credential-issuer` and` /.well-known/oauth-authorization-server` to the `credential_issuer`, allow wallets to access up-to-date information on issuer capabilities and OAuth 2.0 endpoints. The next steps will cover how to properly configure these endpoints. ::: 6. Implement the `/.well-known/openid-credential-issuer` endpoint that will return the Issuer's Metadata: ```javascript // Issuer api.js app.get('/.well-known/openid-credential-issuer', (req, res) => { const issuerMetadata = { "credential_issuer": "https://issuer.example.com", "credential_endpoint": "https://issuer.example.com/credentials", "credential_configurations_supported": { // type of credentials issuer supports & what credential will look like "KnownCustomerCredential": { "format": "jwt_vc_json", "scope": "CustomerIdentity", "cryptographic_binding_methods_supported": ["did:example"], "credential_signing_alg_values_supported": ["ES256"], "credential_definition": { "type": ["VerifiableCredential", "KnownCustomerCredential"], "credentialSubject": { "country": { "display": [{"name": "Country", "locale": "en-US"}] } } }, "proof_types_supported": { "jwt": { "proof_signing_alg_values_supported": ["ES256"] } }, "display": [ { "name": "Known Customer Credential", "locale": "en-US", "logo": { "url": "https://issuer.example.com/public/logo.png", "alt_text": "Issuer Logo" }, "background_color": "#FFFFFF", "text_color": "#000000" } ] } } }; res.json(issuerMetadata); }); ``` * `credential_issuer`: The base URL address of the Issuer's service. It is used by the Wallet to retrieve the Issuer's metadata and the Issuer's Authorization Server Metadata. * `credential_endpoint`: The endpoint the wallet will use to submit requests to issue credentials. After obtaining an access token, the wallet sends a credential request to this endpoint. * `credential_configurations_supported`: Defines the format `jwt_vc_json` and the credential 7. Create the `/.well-known/oauth-authorization-server` endpoint that will return the Issuer's Authorization Server Metadata: ```javascript // Issuer api.js app.get('/.well-known/oauth-authorization-server', (req, res) => { const oauthAuthorizationServerMetadata = { "issuer": "https://issuer.example.com", // URL of the Credential Issuer "token_endpoint": "https://issuer.example.com/token", // URL for the Access Token Request }; res.json(oauthAuthorizationServerMetadata); }); ``` * `issuer`: The base URL of the issuer's service. * `token_endpoint`: The endpoint where Wallet's can exchange the `pre_authorization_code` receieved in the `credential_offer` for an access token. 8. Implement the `/token` endpoint to accept the `pre_authorization_code`, from the Wallet, which is from the `credential_offer` object: ```javascript // Issuer api.js import jwt from 'jsonwebtoken'; app.post('/token', async (req, res) => { const { grant_type, code } = req.body; if (grant_type !== 'urn:ietf:params:oauth:grant-type:pre-authorized_code') { return res.status(400).json({ error: 'unsupported_grant_type' }); } const customersDidUri = preAuthCodeToDidMap.get(code); if (!customersDidUri) { return res.status(400).json({ error: 'invalid_grant' }); } /******************************************* Create the payload for the access token ********************************************/ const accessTokenPayload = { sub: customersDidUri, // Customer's DID string iss: issuersBearerDid.uri, // Issuer's DID string iat: Math.floor(Date.now() / 1000), // Issued at exp: Math.floor(Date.now() / 1000) + 86400, // Expiration time }; /******************************************* sign accessToken and generate a c_nonce ********************************************/ const accessToken = jwt.sign(accessTokenPayload, JWT_SECRET_KEY); const cNonce = generateCNonce(); storeCNonce(accessToken, cNonce); res.json({ "access_token": accessToken, "token_type": "bearer", "expires_in": 86400, // Token expiration time "c_nonce": cNonce, // Challenge nonce to be signed "c_nonce_expires_in": 86400, // cNonce expiration time }); }); ``` ## Design Known Customer Credential When creating a Verifiable Credential you can design a model class to represent the specific type of credential you'd like to issue. 1. Define a `KccCredential` class with the required fields for the credential: ```javascript // Issuer kccCredential.js class KccCredential { constructor(country) { this.country = country } } ``` :::info - You'll need to assign`issuer`, `subject`, and `expirationDate` properties during the creation process. `issuanceDate` is managed and generated by the `Web5` SDK. You'll see how this works in the upcoming section. ::: ## Issue Known Customer Credential Issuing a Known Customer Credential to a customer's Wallet confirms the successful completion of the Identity Verification Process. To create and securely sign this credential we will utilize the [web5/credentials](https://www.npmjs.com/package/@web5/credentials) package. 1. Once the customer accepts your Credential Offer, the Wallet will then send a request for credentials to the endpoint specified in the `credential_endpoint` field of the [issuer's metadata](). Here is an example of the Wallet's request: ```json POST /credentials HTTP/1.1 Host: issuer.example.com Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW // access_token Content-Type: application/json { "proof": { "proof_type": "jwt", "jwt": "eyJ0eXAiOiJvcGVu...ZoipdP-jvh1WlA" } } ``` The `proof` section contains various claims, for a detailed look at each field please refer to the [OpenID specs](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-7.2.1.1-2.1.1). * `czZCaGRSa3F0MzpnWDFmQmF0M2JW`: The access token that the wallet recieved from the `/token` endpoint. :::danger Before issuing a Known Customer Credential, it's important to complete all necessary steps of your Know Your Customer (KYC) program. This may include further screenings on the user's DID/information, such as Sanctions Checks, Politically Exposed Persons (PEP) screenings, and Negative News Screenings, which aren't covered in this guide. Consult with your legal and compliance advisors to ensure that this process is consistent with your specific legal and compliance obligations. ::: 2. Create an `app.post('/credentials')` endpoint to validate the request, create and sign the Known Customer Credential ```javascript import KccCredential from './kccCredential.js'; app.post('/credentials', async (req, res) => { try { /******************************************************** * Extract and validate the JWT from Authorization header *********************************************************/ const authHeader = req.headers['authorization']; if (!authHeader) { return res.status(401).json({ errors: ['Authorization header required'] }); } const tokenParts = authHeader.split('Bearer '); if (tokenParts.length !== 2) { return res.status(401).json({ errors: ['Authorization header format is Bearer <token>'] }); } const compactJwt = tokenParts[1]; let customersDidUri, payload; try { const verificationResult = await Jwt.verify({ jwt: compactJwt }); customersDidUri = verificationResult.payload.sub; // Customer's DID string payload = verificationResult.payload; } catch (error) { return res.status(401).json({ errors: ['Invalid token'] }); } /*********************************************** * Validate the signed c_nonce ************************************************/ const { proof } = req.body; if (!proof || proof.proof_type !== 'jwt' || !proof.jwt) { return res.status(400).json({ errors: ['Invalid proof provided'] }); } if (!validateSignedCNonce(proof.jwt, payload.nonce, customersDidUri)) { return res.status(401).json({ errors: ['Invalid proof'] }); } /*********************************************** * Create and sign the credential ************************************************/ const known_customer_credential = await VerifiableCredential.create({ type: 'KnownCustomerCredential', issuer: issuerDid.uri, // Issuer's DID string subject: customersDidUri, // Customer's DID string from the verified JWT expirationDate: '2026-05-19T08:02:04Z', data: new KccCredential('US'), }); const credential_token = await known_customer_credential.sign({ did: issuerDid, // Signing with the issuer's bearer DID }); /*********************************************** * Respond with the signed credential ************************************************/ return res.status(200).json({ credential: credential_token }); } catch (error) { /*********************************************** * Generic error handling ************************************************/ return res.status(500).json({ errors: [`An unexpected error occurred: ${error.message}`], }); } }); ``` :::info Signing will return a VC JSON Web Token, which is ideal for secure transmission of the credential. ::: With that, you've successfully gone through the Identity Verification flow, and issued a Known Customer Credential. Please note that this example is a foundational implementation. For a production environment, it's crucial to enhance this basic setup with comprehensive error handling, and security measures. # Credential Issuance Enviornment Setup Guide :::spoiler In this guide we're going to cover how to set your system up to create, issue and sign [Verifiable Credentials](https://developer.tbd.website/docs/web5/learn/verifiable-credentials). ### Install Express Follow these instructions to [install Express](https://expressjs.com/en/starter/installing.html). ### Install Credentials Package ```bash npm i @web5/credentials ``` ### Issuer's Identity To issue a credential, you need a [Decentralized Identifier (DID)](https://developer.tbd.website/docs/web5/learn/decentralized-identifiers/) which will serve as your Issuer's identifier. If you don't already have one, you'll need to create a DID with an IDV(Identity Verification) service endpoint. ```javascript const issuerDid = await DidDht.create({ options:{ publish: true, services: [ { id: 'idv', type: 'IDV', serviceEndpoint: 'https://exampleIdvEndpoint.com/idv/siopv2/initiate' } ] } }) // create a did with 2 service endpoints const issuerDid = await DidDht.create({ options:{ publish: true, services: [ { id: 'idv', type: 'IDV', serviceEndpoint: 'https://exampleIdvEndpoint.com/idv/siopv2/initiate' }, { id: 'pfi', type: 'PFI', serviceEndpoint: 'https://example.com/' // should be the URL to your PFI's service entry } ] } }) // update existing did with 'idv' endpoint issuerDid.document.service.push({ id: 'idv', type: 'IDV', serviceEndpoint: 'https://exampleIdvEndpoint.com/idv/siopv2/initiate' }); await DidDht.publish({did: issuerDid}); ``` The value for `serviceEndpoint` should be the full URL to your IDV service's entry point where the SIOPv2 initiation request can be sent. :::info - To use a different DID method, refer to our [Create A DID](https://developer.tbd.website/docs/web5/build/decentralized-identifiers/how-to-create-did) guide - It's essential to keep your private keys secure. Please review our [Key Management guide](https://developer.tbd.website/docs/web5/build/decentralized-identifiers/key-management) for more details ::: :::spoiler ### Create API Service ( can link them to Follow [steps 1-4](https://developer.tbd.website/docs/web5/learn/decentralized-identifiers/) from Issuance Guide) 1. Ensure you have a file, such as `main.js`, to act as your API's entry point, which was created during the Express setup. 2. Within the file, import the following: ```javascript import { api } from './api.js'; ``` 3. To start your Express API service, add the following: ```javascript const config = { port: 3000, // this can be any port you want to listen on }; const server = api.listen(config.port, () => { log.info(`Server listening on port ${config.port}`); }); ``` 4. Next, create an `api.js` file. This file will define the core API routes and logic for the IDV flow and issuing credentials: ```javascript // Issuer api.js import express from 'express'; const app = express(); app.use(express.json()); // Express route to handle incoming GET requests app.get('/siopv2/request', async (req, res) => { // implement API route }); // Export the app so it can be imported in your main.js file export { app as api }; ``` :::

Import from clipboard

Advanced permission required

Your current role can only read. Ask the system administrator to acquire write and comment permission.

This team is disabled

Sorry, this team is disabled. You can't edit this note.

This note is locked

Sorry, only owner can edit this note.

Reach the limit

Sorry, you've reached the max length this note can be.
Please reduce the content or divide it to more notes, thank you!

Import from Gist

Import from Snippet

or

Export to Snippet

Are you sure?

Do you really want to delete this note?
All users will lose their connection.

Create a note from template

Create a note from template

Oops...
This template has been removed or transferred.


Upgrade

All
  • All
  • Team
No template.

Create a template


Upgrade

Delete template

Do you really want to delete this template?

This page need refresh

You have an incompatible client version.
Refresh to update.
New version available!
See releases notes here
Refresh to enjoy new features.
Your user state has changed.
Refresh to load new user state.

Sign in

Forgot password

or

By clicking below, you agree to our terms of service.

Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in with Wallet
Wallet ( )
Connect another wallet

New to HackMD? Sign up

Help

  • English
  • 中文
  • Français
  • Deutsch
  • 日本語
  • Español
  • Català
  • Ελληνικά
  • Português
  • italiano
  • Türkçe
  • Русский
  • Nederlands
  • hrvatski jezik
  • język polski
  • Українська
  • हिन्दी
  • svenska
  • Esperanto
  • dansk

Documents

Tutorials

Book Mode Tutorial

Slide Example

YAML Metadata

Contacts

Facebook

Twitter

Discord

Feedback

Send us email

Resources

Releases

Pricing

Blog

Policy

Terms

Privacy

Cheatsheet

Syntax Example Reference
# Header Header 基本排版
- Unordered List
  • Unordered List
1. Ordered List
  1. Ordered List
- [ ] Todo List
  • Todo List
> Blockquote
Blockquote
**Bold font** Bold font
*Italics font* Italics font
~~Strikethrough~~ Strikethrough
19^th^ 19th
H~2~O H2O
++Inserted text++ Inserted text
==Marked text== Marked text
[link text](https:// "title") Link
![image alt](https:// "title") Image
`Code` Code 在筆記中貼入程式碼
```javascript
var i = 0;
```		 
var i = 0;
:smile: :smile: Emoji list
{%youtube youtube_id %} Externals
$L^aT_eX$ LaTeX
:::info
This is a alert area.
:::

This is a alert area.

Versions and GitHub Sync

Sign in to link this note to GitHub Learn more
This note is not linked with GitHub Learn more
 
Add badge Pull Push GitHub Link Settings
Upgrade now

Version named by    

More Less
  • Edit
  • Delete

Note content is identical to the latest version.
Compare with
    Choose a version
    No search result
    Version not found

Feedback

Submission failed, please try again

Thanks for your support.

On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

Please give us some advice and help us improve HackMD.

 

Thanks for your feedback

Remove version name

Do you want to remove this version name and description?

Transfer ownership

Transfer to
    Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

      Link with GitHub

      Please authorize HackMD on GitHub

      Please sign in to GitHub and install the HackMD app on your GitHub repo. Learn more

       Sign in to GitHub

      HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.

      Push the note to GitHub Push to GitHub Pull a file from GitHub

        Authorize again
       

      Choose which file to push to

      Select repo
      Refresh Authorize more repos
      Select branch
      Select file
      Select branch
      Choose version(s) to push
      • Save a new version and push
      • Choose from existing versions
      Include title and tags
      Available push count

      Upgrade

      Pull from GitHub

       
      File from GitHub
      File from HackMD

      GitHub Link Settings

      File linked

      Linked by
      File path
      Last synced branch
      Available push count

      Upgrade

      Danger Zone

      Unlink
      You will no longer receive notification when GitHub file changes after unlink.

      Syncing

      Push failed

      Push successfully