Try   HackMD

Connection-Less Proof Requests with ACA-Py

When using Aries Cloudagent Python (ACA-Py) most of the interactions with other agents occur on a connection, established beforehand and persisted across interactions.

There are, however, scenarios where a connection-less interaction is useful, if not preferable. With ACA-Py the only type of connection-less interaction supported "out-of-the-box" is submitting proof requests.

Service Decorator

When utilizing a connection-less proof request, the verifier is identified by the presence of a service decorator section in the received proof request, rather than a connection identifier. The end result, however, is the same: the prover/holder knows where to send the proof, even if a connection with the verifier was not established ahead of time.

See this link for reference.

Structure of the Request




















{
  "@id": "a376cfa1-5b15-4f41-9e32-7294d7b643b1",
  "@type": "did:sov:BzCbsNYhMrjHiqZDTUASHg;spec/present-proof/1.0/request-presentation",
  "request_presentations~attach": [
    {
      "@id": "libindy-request-presentation-0",
      "mime-type": "application/json",
      "data": {
        "base64": "eyJuYW1lIjoiQ29udGFjdCBBZGRyZXNzIiwibmFtZXMiOm51bGwsInZlcnNpb24iOiIxLjEuMCIsIm5vbmNlIjoiNjkwNTQ4MDYyMjU3MTgwOTc0MDA1MzY2IiwicmVxdWVzdGVkX2F0dHJpYnV0ZXMiOnsiYTM1NDU1NTctMTAxZS00MjgxLWE5ZWQtOWRhZWZlMDc3N2Q5Ijp7Im5hbWVzIjpbImdpdmVuX25hbWVzIiwiZmFtaWx5X25hbWUiLCJiaXJ0aGRhdGUiLCJzdHJlZXRfYWRkcmVzcyIsInBvc3RhbF9jb2RlIiwibG9jYWxpdHkiLCJyZWdpb24iLCJjb3VudHJ5Il0sInJlc3RyaWN0aW9ucyI6W3sic2NoZW1hX2lzc3Vlcl9kaWQiOiI4NTQ1OUd4ak55U0o4SHdUVFE0dnE3Iiwic2NoZW1hX25hbWUiOiJ2ZXJpZmllZF9wZXJzb24iLCJzY2hlbWFfdmVyc2lvbiI6IjEuNC4wIn0seyJzY2hlbWFfbmFtZSI6InVudmVyaWZpZWRfcGVyc29uIiwic2NoZW1hX3ZlcnNpb24iOiIwLjEuMCIsImlzc3Vlcl9kaWQiOiJZWEN0WEU0WWhWalVMZ2o1aHJrNE1MIn0seyJzY2hlbWFfbmFtZSI6InVudmVyaWZpZWRfcGVyc29uIiwic2NoZW1hX3ZlcnNpb24iOiIwLjEuMCIsImlzc3Vlcl9kaWQiOiI5d1Z1WVlERUR0cFo2Q1lNcVNpV29wIn1dfX0sInJlcXVlc3RlZF9wcmVkaWNhdGVzIjp7fX0="
      }
    }
  ],
  "comment": null,
  "~service": {
    "recipientKeys": ["HGeUTFuZCM1f2FubVnYGc1xAhgAPEzBFQRcfxcpNjWbm"],
    "routingKeys": null,
    "serviceEndpoint": "https://toip-vc-authn-agent-test.apps.silver.devops.gov.bc.ca"
  }
}

The above example was taken from one of the demo apps using vc-authn-oidc for authentication, and provides an example of connection-less proof request.

The notable attributes in the JSON payload are:

  • @id: this identifies the proof request the holder/prover is responding to
  • request_presentations~attach: this is the payload describing what needs to be proven (the base64 attribute can de decoded to read the requested attributes and predicates)
  • ~service: defines where the response to the proof request should be sent for verification, specifying in particular the serviceEndpoint (in this case an ACA-Py agent endpoint), the agent's recipientKeys and - in case the agent was behind a mediator - the routingKeys for the mediator agents (not 100% sure about this aslast bit I have not tested it, but I believe it is correct).

To build a connection-less proof request, the verifier:

  1. Will use the /present-proof/create-request to generate the payload that will be base64-encoded and placed in the frinal proof-request body
  2. Will use the agent's public endpoint to populate the serviceEndpoint property in the service decorator, and the agent's public DID verkey to populate the recipientKeys array.
    i. In case of an agent not exposed directly to the web, but behind a mediator, I believe the serviceEndpoint would be themediator's and the routingKeys array would include the appropriate set of keys to route the request - unsure about how to populate this.
Last changed by 
Emiliano Suñé
0
1208

Read more

Aries Cloudagent Web Application Integration Guidelines

This document outlines best practices and guidelines to be considered and implemented when integrating an existing system with Aries Cloudagent. Architecture Generally speaking, a web application that leverages Aries agents is structured as follows: Agent: this service is used by the web application to interact with a Ledger and other agents connected to the same ledger. It is generally not controlled directly by the web application frontend, instead requests to the agent come from a controller service. Controller: this service provides the business logic for the web application, and acts as bridge between the frontend and the agent. The controller usually exposes appropriate APIs that the frontend will use to perform common business tasks as well as agent-related tasks such as requesting the creation of a new connection, etc. The controller is also tasked with tracking and managing all of the information that is required for the business processes to be implemented and work successfully. Frontend: this service is what the users see and interact with, commonly something that is displayed in a web browser. The above components may be at times partially consolidated or further split into separate services, the purpose of this overview is to explain the separation of concerns of these three macro-areas.

Jan 11, 2023
Aries BPA + Aries VCR: Onboarding Scenario

Current State When onboarding a new standalone Issuer to an Aries VCR instance (e.g.: OrgBook), an out-of-band step is required to establish the connection between the Issuer agent and the Aries VCR agent that will receive the credentials. This task needs to be completed by a developer with access to the administrative API for the Aries VCR agent, and one with access to the administrative API for the Issuer agent. Either developer will initiate the process by manually generating a new connection invitation on the agent they manage, and send the resulting payload to their counterpart, who will manually submit a request to their agent to accept the connection invitation. The invitation payload is transmitted using a method (e.g.: email, chat client) that might have some degree of risk involved with a third party malicious actor intercepting it and connecting to either agent instead of the expected party. Proposed Solution The use of a Business Partner Agent as base for both the Aries VCR and Issuer will mitigate the issues present in the current state as: either agent will be able to initiate a connection invitation by finding the target agent on a public/authorized list of connections (like in a directory)

Mar 29, 2022
Aries Cloudagent Python: simplifying the endorser and revocation workflows

Background Aries Cloudagent Python recently introduced the ability for non-privileged agents (from here on: author) to request endorsement of transactions that need to be written to the ledger by an agent (from here on: endorser) with ledger write privileges. A common use case for this functionality is for an organization running an agency of authors (that can be created/destroyed without needing any write interaction with the ledger) and a single instance of an endorser agent that acts as a gateway for all write needs: registering the author's DID on the ledger endorse writing a new schema to the ledger endorse writing a new credential definition to the ledger endorse writing a new revocation registry definition to the ledger

Mar 29, 2022
Read more from Emiliano Suñé
Published on HackMD