
Gaia-X and OpenID Connect

Authors: Julien Vanwambeke, Functional Architect, Gaia-X and Vincent Kelleher, Software Engineer, Gaia-X

Introduction

You cannot stand anymore having to empty your pockets full of coins and random cards 💳 (credit, loyalty, identity ones for example) to find what you are looking for. That is why you have decided to buy a brand-new wallet 👛 to store everything and have easy access to what you need.

In the digital world, you can also be flooded with many documents, including credentials 🪪, and fortunately, digital wallets are there to help you!

In a previous article, you discovered how Gaia-X uses verifiable credentials and verifiable presentations as key elements for trusted authentication. But how can you securely interact with your digital wallet?

It is now time to see how you can easily store and access all these credentials in your wallet using OpenID Connect.

What is a wallet?

First, let us start with some definitions.

A wallet 👛 is “a small case for carrying money, credit cards, and small personal documents” (Cambridge Dictionary).

Digitally, a wallet is software or hardware in which you can store the documents you want. You certainly already know the wallet you use to store your credit cards or loyalty cards. In the world of data, credentials are usually stored in digital wallets too.

Since Gaia-X is based on the use of verifiable credentials and verifiable presentations 🪪 (if you want to know more about that subject, feel free to go through our dedicated article), it is recommended to use a wallet to manage all the credentials. A wallet thus eases storing and accessing your credentials, but only if you do it securely!

What is OpenID Connect?

OpenID is “an open standard and decentralised authentication protocol” (Wikipedia).

It is usually used to “allow users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provider (IDP) service” (Wikipedia).

In the world of payments, you are already used to third parties: when you want to pay for your online cart, you are generally redirected to a payment solution. It is an efficient way for the website to avoid mistakes with sensitive data and legal processes, by leaving that part of the checkout process to a specialised third party.

OpenID Connect aims to do the same, but with authentication. Thus, when websites or web applications need to authenticate a user, they rely on OpenID Providers, following these steps:

  • The application sends a request to an OpenID Provider.
  • The OpenID Provider performs the authentication and obtains the user's authorisations.
  • The OpenID Provider sends tokens (an identity token and an access token) back to the application.
  • The application can use these tokens to prove that the user has been authenticated.

OpenID Connect is, for example, used to perform Single Sign-On: once you are authenticated, you can simply rely on the issued token to prove it to other applications, without having to send your personal details (login and password, for example).

But OpenID Connect is going further than that. It also provides specific protocols to deal securely with verifiable credentials and verifiable presentations adding interactions with a digital wallet.

So now, show your digital ticket 🎫 from your wallet 👛 to enter the OpenID Connect and Wallet tour, with the following use case: as a service offering provider, you want to be Gaia-X Compliant using the credentials that are already stored in your wallet.

Gaia-X Compliance and OpenID Connect?

As a reminder, if you want to be Gaia-X compliant, you need to call a Gaia-X Digital Clearing House with a verifiable presentation including your verifiable credentials (to know more about that, go and check our article “Gaia-X and Verifiable Credentials / Presentations”).

But how do you set up secure interactions between you, your wallet, and a Gaia-X Digital Clearing House?

You just need to use both OpenID Connect for Verifiable Presentation (OIDC4VP) and OpenID Connect for Verifiable Credential Issuance (OIDC4VCI) protocols, following these steps:

  1. You, as a service provider, start the process of getting your service offering Gaia-X Compliant:
    1. You call a Gaia-X Digital Clearing House to ask for compliance of your service offering.
    2. In response, you get an object listing all the elements requested from your wallet and a URI where the wallet provider can send them.
    3. You forward that object to your wallet provider.
  2. The wallet provider then starts an automatic process:
    1. With the requested elements included in the object, it collects all the needed verifiable credentials.
    2. It then builds a verifiable presentation including the collected verifiable credentials.
    3. Using the URI included in the object, it sends the verifiable presentation directly to the Gaia-X Digital Clearing House.
  3. The Gaia-X Digital Clearing House processes the verifiable presentation:
    1. Using the verifiable presentation sent by the wallet provider, it calls the Gaia-X Compliance Engine in order to issue a Gaia-X Verifiable Credential (if the compliance rules are fulfilled).
    2. It sends the Gaia-X credential offer URI (or a QR code), a pre-authorisation code and a PIN code to you.

NB: at this point, your service offering is Gaia-X Compliant, but you still need to store the Gaia-X Verifiable Credential in your wallet.

  4. You forward the Gaia-X credential offer URI and the two codes to your wallet provider to start the storing process.
  5. The wallet provider then starts the automatic storing process:
    1. It collects some metadata exposed by the Gaia-X Digital Clearing House.
    2. It also asks you what kind of credential you want to store in your wallet.
    3. It then requests an access token from the Gaia-X Digital Clearing House using the pre-authorisation code and the PIN code received from you.
    4. It then uses the Gaia-X credential offer URI with the access token to collect the Gaia-X verifiable credential.
    5. It stores the Gaia-X verifiable credential in your wallet.
    6. It finally tells you that the Gaia-X verifiable credential has been stored correctly.
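The storing process in steps 4 and 5, simulated in code as an added example (this is not Gaia-X Lab or Sphereon code): the clearing house acts as the credential issuer and the wallet exchanges the pre-authorisation code and PIN for an access token, then fetches the credential. The parameter names (`pre-authorized_code`, `user_pin`, `user_pin_required`), the issuer URL, the credential type and the lifetimes are assumptions taken from the OpenID for Verifiable Credential Issuance drafts and placeholders, not values from the Gaia-X specification. The issuer side shows the checks a practitioner wants: the code is single-use, bound to the PIN, and the tokens are short-lived.

```python
import secrets
import time

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
CODE_TTL, TOKEN_TTL = 300, 60  # seconds; assumed values, not from the Gaia-X spec

class ClearingHouse:  # minimal issuer: single-use codes, PIN binding, short-lived tokens
    def __init__(self):
        self._offers = {}  # pre-authorized_code -> (pin, expiry, credential)
        self._tokens = {}  # access_token -> (expiry, credential)

    def make_offer(self, credential):
        """Step 3.2: offer object for the wallet plus the PIN sent out of band."""
        code, pin = secrets.token_urlsafe(32), f"{secrets.randbelow(10**6):06d}"
        self._offers[code] = (pin, time.time() + CODE_TTL, credential)
        offer = {  # issuer URL and credential type are placeholders, not real Gaia-X values
            "credential_issuer": "https://clearing-house.example",
            "credentials": ["GaiaXComplianceCredential"],
            "grants": {PRE_AUTH_GRANT: {"pre-authorized_code": code, "user_pin_required": True}},
        }
        return offer, pin

    def token_endpoint(self, form):
        """Step 5.3: exchange code + PIN for an access token; the code is consumed."""
        if form.get("grant_type") != PRE_AUTH_GRANT:
            return {"error": "unsupported_grant_type"}
        entry = self._offers.pop(form.get("pre-authorized_code"), None)  # single use
        if entry is None or time.time() > entry[1]:
            return {"error": "invalid_grant"}
        pin, _, credential = entry
        if not secrets.compare_digest(pin, str(form.get("user_pin", ""))):
            return {"error": "invalid_grant"}  # a wrong PIN also burns the code
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (time.time() + TOKEN_TTL, credential)
        return {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL}

    def credential_endpoint(self, authorization):  # step 5.4: bearer token -> credential
        token = authorization[7:] if authorization.startswith("Bearer ") else ""
        entry = self._tokens.pop(token, None)  # the token is consumed too
        if entry is None or time.time() > entry[0]:
            return {"error": "invalid_token"}
        return {"format": "jwt_vc_json", "credential": entry[1]}

def wallet_store_credential(issuer, offer, pin):  # steps 4-5 from the wallet side
    grant = offer["grants"][PRE_AUTH_GRANT]
    tok = issuer.token_endpoint({"grant_type": PRE_AUTH_GRANT, "user_pin": pin,
                                 "pre-authorized_code": grant["pre-authorized_code"]})
    if "access_token" not in tok:
        return None  # wrong or replayed code/PIN: nothing is stored
    return issuer.credential_endpoint(f"Bearer {tok['access_token']}").get("credential")
```

A replayed offer or a wrong PIN yields no credential, which is the behaviour a real clearing house must enforce so that an intercepted offer URI alone cannot be redeemed.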

As you can see, with this process your verifiable credentials, your verifiable presentations, and the Gaia-X verifiable credential are no longer in your hands: they are automatically exchanged between the wallet provider and the Gaia-X Digital Clearing House, thanks to the OpenID Connect protocols, in a decentralised way.

Also keep in mind that these OpenID Connect protocols are still under specification. What we have just described is what is under development by the Gaia-X Lab, based on the latest version of the specifications. It will certainly evolve in the future.

Integrating OpenID Connect for Verifiable Credentials is currently a daunting task as it asks for an acute knowledge of the protocol, cryptographic algorithms, and requests/responses management. The Lab Team is working on the integration of the Sphereon OIDC4VC libraries into a Gaia-X-crafted library to make this task less daunting.

The goal is to offer developers the possibility of becoming their own issuer or verifier in an OpenID Connect for Verifiable Credentials ecosystem by leveraging Gaia-X libraries.

Conclusion

Gaia-X is aiming to add trust between consumers and providers in the world of data by building de facto standards. Gaia-X Digital Clearing Houses are one of its pillars, checking compliance and issuing credentials and labels to prove participants are trustworthy.

But Gaia-X, collaborating with wallet providers (for example, Alt.me, Talao, Sphereon, or Walt.id), is also going further by providing examples of how to interact in a decentralised and secure way with your digital wallet: using OpenID Connect for Verifiable Credential Issuance (OIDC4VCI) and OpenID Connect for Verifiable Presentation (OIDC4VP) protocols will allow Gaia-X Digital Clearing Houses and wallet providers to get connected and go through Gaia-X Compliance.

If you want to know more about other Gaia-X initiatives to enable trusted decentralised digital ecosystems, stay tuned!