Verifying mDL via OID4VC
This guide provides a comprehensive walkthrough for verifying an mDL based on the ISO/IEC 18103-5 standard using the walt.id verifier API. The verification process will utilize the OID4VCI protocol, an extension of OpenID, facilitating secure and standardized communication between identities.
mDL: A digital equivalent of physical driver's license.
OID4VCI: A protocol specifying how parties can issue digital credentials and present these credentials in a way that's consistent and secure across platforms ensuring interoperability.
Verification Process
- Specify mDL as credential type to request from a user.
- Optionally provide a success and failure redirect URL, which the user will be redirected to after the verification process is completed.
After you have provided the required information:
- The API generates a Presentation Definition.
- API returns a URL which can passed to OIDC-compliant wallet to fulfill the request.
If you have provided a success or failure redirect URL, the user will be redirected to that URL. You can then access the verification results by using the id of the verification session, which can be found in the URL generated by the API, as well as in the query or path parameters of the redirect URL.
Example Verification Request
curl -X 'POST' \
'https://verifier.portal.walt-test.cloud/openid4vc/verify' \
-H 'accept: */*' \
-H 'authorizeBaseUrl: mdoc-openid4vp://' \
-H 'responseMode: direct_post_jwt' \
-H 'successRedirectUri: https://example.com/success?id=$id' \
-H 'errorRedirectUri: https://example.com/error?id=$id' \
-H 'statusCallbackUri: https://example.com/verificationResult' \
-H 'statusCallbackApiKey: myAPIKey' \
-H 'stateId: myUniqueStateValue' \
-H 'Content-Type: application/json' \
-d '{
"request_credentials": [
{ "doc_type": "org.iso.18013.5.1.mDL", "format": "mso_mdoc" }
],
"trusted_root_cas": [
"-----BEGIN CERTIFICATE-----\nMIIBQzCB66ADAgECAgjbHnT+6LsrbDAKBggqhkjOPQQDAjAYMRYwFAYDVQQDDA1NRE9DIFJPT1QgQ1NQMB4XDTI0MDUwMjEzMTMzMFoXDTI0MDUwMzEzMTMzMFowFzEVMBMGA1UEAwwMTURPQyBST09UIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWP0sG+CkjItZ9KfM3sLF+rLGb8HYCfnlsIH/NWJjiXkTx57ryDLYfTU6QXYukVKHSq6MEebvQPqTJT1blZ/xeKMgMB4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgWM+JtnhdqbTzFD1S3byTvle0n/6EVALbkKCbdYGLn8cCICOoSETqwk1oPnJEEPjUbdR4txiNqkHQih8HKAQoe8t5\n-----END CERTIFICATE-----\n"
]
}'
Header Parameters
- authorizeBaseUrl - should be
mdoc-openid4vp://
- responseMode - should be
direct_post_jwt
- successRedirectUri (optional) - is used to redirect the user if verification is successful. You can use the
$id
placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g./success?id=$id
will be replaced with/success?id=1234567890
- errorRedirectUri (optional) - is used to redirect the user if verification is unsuccessful. You can use the
$id
placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g./error?id=$id
will be replaced with/error?id=1234567890
- statusCallbackUri (optional) - URL that should be called when the presentation request has been fulfilled by a
wallet. The request
sent will be a
POST
including the whole presentation result. See Verification Status Policies Response - statusCallbackApiKey (optional) - If the endpoint you provide via
statusCallbackUri
is protected, you can use thestatusCallbackApiKey
to authenticate. The provided key will be appended as Authorization Header to the request. - stateId (optional) - overwrite the unique
state
value which gets created for each verification request with your own. - openId4VPProfile - should be
HAIP
Body Parameters
- request_credentials - An array of objects detailing the credentials to be requested from the user. Each object
varies based on the type of credential being requested.
Expand To Learn More
Below are the possible credential types and their respective object structures:
- mDL Credential (ISO/IEC 18013-5)
- doc_type: Specifies the type of credential (e.g., org.iso.18013.5.1.mDL). This maps to the doc_type attribute of the mdoc document.
- format: Describes the format of the credential. For mDL credentials, this would be
mso_mdoc
.{ "doc_type": "org.iso.18013.5.1.mDL", "format": "mso_mdoc" }
- W3C JWT Credential
- type Specifies the type of credential (e.g.,
VerifiableID
,VerifiableDiploma
). This maps to thetype
attribute in W3C credentials. - format: Describes the format of the credential. For W3C JWT credentials, this would
be
jwt_vc_json
.{ "type": "ProofOfResidence", "format": "jwt_vc_json" }
- SD-JWT VC Credential (IETF Standard)
- vct: Specifies the type of credential (e.g., https://issuer.com/identity_credential). This maps to
the
vct
attribute in the SD-JWT VC credential. - format: Describes the format of the credential. For SD-JWT VC credentials, this would be
vc+sd-jwt.: Describes the format of the credential. For SD-JWT VC credentials, this would be
vc+sd-jwt
.
{ "vct": "test.com/identity_credential", "format": "vc+sd-jwt" }
Optional Parameters
Next to describing the type and format of the credential, the objects also take an optionalpolicies
andid
attribute- policies: An array of policies to apply to the specified credential. A list of all policies can be found here.
- id: Used to set a specific id for the generated Presentation Definition. If not set, the verifier API auto-assigns a generated one.
Full Examples
{ "type": "ProofOfResidence", "format": "jwt_vc_json", "policies": [ "schema", { "policy": "webhook", "args": "https://example.org/abc/xyz" } ], "id": "test123" }
- trusted_root_cas (optional): List of trusted certificates used to verify the authenticity of issuer. Only required if the issuer key is specified as certificate.
Once the verifier API receives the mDL from the holder, it will apply the following checks:
- Validate the certificate included in the MSO header
- Verify the digital signature of the IssuerAuth structure
- Calculate the digest value for every
IssuerSignedItem
received from the holder - Verify the
doc_type
- Validate the elements in the
ValidityInfo
structure.
Presenting the mDL via walt.id Wallet
Using the URL returned by the verification request, we can fulfill the request using the hosted wallet by walt.id. Either show the URL as QR code and scan it with a camera or provide the URL as is in the text field below the camera once you click on "Scan to receive or present credentials" in the web wallet credentials overview page in the top right corner.
Retrieving the Verification Status
After the user presents the credential(s), you can verify the status by performing the following call with the
state
value obtained from the URL query params you shared with the user previously.
Example
openid4vp://authorize?...state=a07bdb17-7d87-4965-9296-1adefcaaddd9...
Making the call to receive the verification result
curl -X 'GET' \
'https://verifier.portal.walt.id/openid4vc/session/$state' \
-H 'accept: */*'
Verification Status Policies Response
The response of the verification status call will contain the status of the verification policies applied to the credential(s) presented by the user. The policy results will be in the following format:
{
"verificationResult": true,
"policyResults": {
"results": [
{
"credential": "VerifiableDiploma",
"policies": [
{
"policy": "signature",
"is_success": true
}
]
}
]
}
}
The verificationResult
field will be true
if all policies were successful, otherwise it will be false
.
The policyResults
field will contain the results of the policies applied to each credential. The credential
field
will contain the name of the credential, and the policies
field will contain the results of the policies applied to
the credential. The policy
field will contain the name of the policy, and the is_success
field will contain the
result of the policy.