Issuance

Issue a Microsoft Entra Verified ID verifiable credential using the walt.id Issuer API. The credential will be issued using the OID4VC standard and can be received by any compliant wallet (walt.id web wallet, Microsoft Authenticator App).

The holder must use a did:web based on secp256k1 or Ed25519, a did:jwk using Ed25519 or secp256r1, or a did:ion.


Before we can issue credentials, we need to have the following in place.

  • Azure account with Microsoft Verified ID enabled.
  • Credential To Issue - A registered credential (manifest) in Microsoft Verified ID.
  • Azure App - An Azure App to authenticate against the Microsoft APIs.

Next, we use the walt.id Issuer API to generate an OID4VC credential offer URL, which can be rendered as a QR code or provided as a link for compliant wallets to scan or open.

Request

API Reference

CURL

Endpoint: /entra/issue

Example Request

curl -X 'POST' \
  'https://issuer.portal.walt.id/entra/issue' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
  "authorization": {
    "clientId": "<clientId>",
    "clientSecret": "<clientSecret>",
    "tenantId": "<tenantId>",
    "scope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"
  },
  "data": {
    "authority": "<IssuerDID>",
    "claims": {
      "firstName": "Max",
      "lastName": "Mustermann",
      "jobTitle": "Manager"
    },
    "manifest": "https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/contracts/810b31c3-af84-ea32-4f81-237924b396ea/manifest",
    "type": "VerifiableCredential, VerifiedCredentialEmployeeID"
  }
}
'

Body

{
  "authorization": {
    "clientId": "<clientId>",
    "clientSecret": "<clientSecret>",
    "tenantId": "<tenantId>",
    "scope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"
  },
  "data": {
    "authority": "<IssuerDID>",
    "claims": {
      "firstName": "Max",
      "lastName": "Mustermann",
      "jobTitle": "Manager"
    },
    "manifest": "https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/contracts/810b31c3-af84-ea32-4f81-237924b396ea/manifest",
    "type": "VerifiableCredential, VerifiedCredentialEmployeeID"
  }
}

Body Parameters

authorization - Authentication parameters needed by the Issuer API to interact with Microsoft's APIs.

  • clientId - Found on the overview page of your registered app in Microsoft Azure. Guide.
  • clientSecret - Found in the Certificate & Secrets section of the registered app. Guide.
  • tenantId - Found under "Organization Settings" when visiting the Verified ID overview page in Azure. Link.
  • scope - Hardcoded value: 3db474b9-6a0c-4840-96ac-1fceb342124f/.default

data - Data and configuration for the credential to issue.

  • authority - The DID of the issuer. Must be a DID that your Azure account manages. The default DID can be found under "Organization Settings" when visiting the Verified ID overview page in Azure. Link.
  • claims - An object containing key-value pairs of the claims that can be included in the credential, based on the rules definition of the credential manifest. See the example below. IMPORTANT: Each key you provide in the claims object must match an inputClaim value in the rules definition.
  • manifest - The manifest URL of the credential to be issued. You can find it on the "Details" page of the credential in your Verified ID account overview.
  • type - Always has the structure "VerifiableCredential, <TheTypeOfYourCredential>". E.g., based on the Example Rules below, it would be "VerifiableCredential, VerifiedCredentialEmployeeID".

Example Rules Definition

{
  "attestations": {
    "idTokenHints": [
      {
        "mapping": [
          {
            "outputClaim": "firstName",
            "required": false,
            "inputClaim": "firstName",
            "indexed": false
          },
          {
            "outputClaim": "lastName",
            "required": false,
            "inputClaim": "lastName",
            "indexed": false
          },
          {
            "outputClaim": "jobTitle",
            "required": false,
            "inputClaim": "jobTitle",
            "indexed": false
          }
        ],
        "required": false
      }
    ]
  },
  "validityInterval": 2592000,
  "vc": {
    "type": [
      "VerifiedCredentialEmployeeID"
    ]
  }
}
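
A pre-flight check for the two rules above (claims keys must match inputClaim values, and type must follow "VerifiableCredential, <type>"), written as an added example and not part of the walt.id or Microsoft code. The function name check_issue_data is hypothetical, and treating "required": true as "the claim must be sent" is an assumption.

```python
import json

# Constructed sample input: the rules definition and the request "data" object
# from this page, trimmed to the fields the check reads.
RULES = json.loads("""
{
  "attestations": {"idTokenHints": [{"mapping": [
    {"outputClaim": "firstName", "required": false, "inputClaim": "firstName"},
    {"outputClaim": "lastName", "required": false, "inputClaim": "lastName"},
    {"outputClaim": "jobTitle", "required": false, "inputClaim": "jobTitle"}
  ]}]},
  "vc": {"type": ["VerifiedCredentialEmployeeID"]}
}
""")
DATA = {
    "claims": {"firstName": "Max", "lastName": "Mustermann", "jobTitle": "Manager"},
    "type": "VerifiableCredential, VerifiedCredentialEmployeeID",
}


def check_issue_data(data, rules):
    """Hypothetical helper: list mismatches between request data and the rules."""
    problems = []
    mappings = [m for hint in rules.get("attestations", {}).get("idTokenHints", [])
                for m in hint.get("mapping", [])]
    allowed = {m["inputClaim"] for m in mappings}
    # Assumption: a mapping with "required": true means the claim must be sent.
    required = {m["inputClaim"] for m in mappings if m.get("required")}
    sent = set(data.get("claims", {}))
    for key in sorted(sent - allowed):  # keys are compared case-sensitively
        problems.append(f"claim '{key}' matches no inputClaim in the rules")
    for key in sorted(required - sent):
        problems.append(f"required claim '{key}' is missing")
    # type must read "VerifiableCredential, <a type listed in vc.type>"
    parts = [p.strip() for p in data.get("type", "").split(",")]
    vc_types = rules.get("vc", {}).get("type", [])
    if len(parts) != 2 or parts[0] != "VerifiableCredential" or parts[1] not in vc_types:
        problems.append(f"type '{data.get('type', '')}' does not match vc.type {vc_types}")
    return problems


if __name__ == "__main__":
    result = check_issue_data(DATA, RULES)
    for line in result or ["request data matches the rules definition"]:
        print(line)
```

Running the check before calling /entra/issue catches a misspelled or wrongly cased claim key locally, before clientSecret is sent anywhere.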

Example Response

The API will respond with an OpenID Offer URL, which can be rendered as a QR code or provided as a link to supported wallets. You can receive all credentials via the walt.id web wallet or the Microsoft Authenticator App.

openid-vc://?request_uri=https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/issuanceRequests/8b777f76-51fb-4f9c-8892-d4e00b0f8f8d