Skip to content

Repository hosts the source code, documentation, and other related files for the Inji Certify project

License

Notifications You must be signed in to change notification settings

mosip/inji-certify

 
 

Repository files navigation

Inji Certify

INJI Certify enables an issuer to connect with an existing Credential Registry to issue verifiable credentials. Issuer can configure their respective credential schema for various types of certificates they wish to issue. Certificates are generated in JSON-LD as per W3C VC v1.1.

API docs

Requirements to run it locally (without docker)

  • Java SE 21
  • Postgres
  • Maven
  • Redis, if an Authorization provider like eSignet is also deployed

Databases

Refer to SQL scripts and go through it's README

Local Installation Guide (via Docker Compose)

The following steps will help you to setup Sunbird RC and Esignet services using Docker compose alongwith Certify.

Requirements

  • Docker (26.0.0)
  • Docker Compose (2.25)
  • Git bash shell to run the scripts, if on Windows
  • GNU sed installed, if on Mac
  • A URL to host your DID for verifying VCs, can use GitHub pages here or any other self hosted server which is highly available for use by verifiers.

Pre-requisites

  1. Postman with postman utility lib setup
  2. Git bash shell to run the scripts, if on Windows
  3. GNU sed installed, if on Mac. Also replace all instances of sed with gsed in the setup_vault.sh.
  4. A URL to host your DID for verifying VCs, can use GitHub pages here or any other self hosted server which is highly available for use by verifiers.

Steps to setup Mock credential use case

  1. Clone this repository and navigate to its directory:

    NOTE(Apple Silicon Mac users): need to run the containers in linux/amd64 mode; prior to running the script run, export DOCKER_DEFAULT_PLATFORM=linux/amd64

    NOTE(windows users only): need to run the commands only in git bash shell

    cd inji-certify/docker-compose
  2. Change the variable active_profile_env in esignet and certify to active_profile_env=default,mock-identity

  3. Esignet and Certify takes the required plugin from artifactory server by default, in case there is a custom use case where plugin is to be added manually should a need arise for trying out their own plugins

    • Create a folder with name loader_path here.
    • Add the jar file of Digital Credential Stack(DCS) plugin implementations for eSignet and certify:
  4. Execute the installation script located inside the docker-compose directory to install the Registry & Credentialling Service.

    ./install.sh
  5. During the execution of the install.sh script, user will be prompted to select the service to be installed:

    1. Sunbird RC
    2. Certify
    0. Exit
    Select:
    
  6. Select "Certify" from the choices provided.

  7. The installation of Certify will encompass the following services:

  8. Download the postman collection and environment for mock use case from here.

  9. Create Client from Create OIDC client API.

  10. Create a mock identity with Create Mock Identity API in the Mock Identity System folder.

  11. Change the individualId variable in environment to the above created mock identity identifier.

  12. Perform a Mock Authentication with the API's in VCI folder as specified in the Postman collection.

Steps to setup Insurance credential use case

Execute installation script

  1. Clone the repository and navigate to its directory:

    cd inji-certify/docker-compose
    ./install.sh
  2. During the execution of the install.sh script, user will be prompted to select the service to be installed:

    1. Sunbird RC
    2. Certify
    0. Exit
    Select:
    
  3. Select "Sunbird RC" as the first step of the installation process.

  4. The installation will encompass the following services:

  5. Post Sunbird installation, proceed to create an issuer and credential schema. Refer to the API schemas available here via this Postman collection or by looking at API schemas.

    • Set the individual service URLs of the identity, registry, credential service correctly as per your setup.
    • Now generate a DID(POST /did/generate), create a credential schema(POST /credential-schema) and create an issuance registry.
      • take note of $.schema[0].author and $.schema[0].id from the create credential schema request
      • host the output of the JSON to the GitHub pages repo created earlier
  6. Change the variable active_profile_env in esignet and certify to active_profile_env=default,sunbird-insurance

  7. Esignet and Certify takes the required plugin from artifactory server by default, in case there is a custom use case where plugin is to be added manually follow the below steps:

    • Create a folder with name loader_path here.
    • Add the jar file of Digital Credential Stack(DCS) plugin implementations for eSignet and certify:
  8. Modify the properties of the Esignet and Certify services located in the esignet-sunbird-insurance.properties and certify-sunbird-insurance.properties files respectively.

    • Include Issuer ID and credential schema ID for the following properties:
      • esignet-default-properties:
        • mosip.esignet.vciplugin.sunbird-rc.credential-type.{credential type}.static-value-map.issuerId.
        • mosip.esignet.vciplugin.sunbird-rc.credential-type.{credential-type}.cred-schema-id.
      • certify-default.properties:
        • mosip.certify.vciplugin.sunbird-rc.credential-type.{credential type}.static-value-map.issuerId.
        • mosip.certify.vciplugin.sunbird-rc.credential-type.{credential-type}.cred-schema-id.
    • The $.schema[0].author DID goes to the config ending in issuerId and $.schema[0].id DID goes to the config ending in cred-schema-id.
  9. Once the Esignet and Certify properties are configured, proceed to select Certify from the option provided in the installation steps while running install.sh again.

  10. The installation of Certify will encompass the following services:

  11. Download the postman collection and environment for sunbird use case from here.

  12. Create Client from Create OIDC client API, and set redirect-url to 'http://localhost:3001' or the URL of OIDC-UI service, set auth-factor 'mosip:idp:acr:knowledge' to the request body.

  13. Perform a Knowledge based authentication(KBA) as specified in the Postman collection.

    • perform the authorize callback request
    • in the /authorization/authenticate request update the challenge to a URL-safe base64 encoded string with the KBA details such as {"fullName":"Abhishek Gangwar","dob":"1967-10-24"}, one can use an online base64 encoding service for the same.

Properties for custom use case

  • Sample schemas for Insurance registry are provided here, change it according to use case.
  • Change these properties for different use case mosip.esignet.authenticator.sunbird-rc.auth-factor.kba.field-details,mosip.esignet.authenticator.sunbird-rc.auth-factor.kba.individual-id-field
  • Add the Sunbird registry URL for these properties: mosip.esignet.vciplugin.sunbird-rc.issue-credential-url,mosip.esignet.authenticator.sunbird-rc.auth-factor.kba.registry-search-url.
  • Specify the list of supported credential types for these properties:
    • esignet-default-properties:
      • mosip.esignet.vciplugin.sunbird-rc.supported-credential-types.
    • certify-default.properties:
      • mosip.certify.vciplugin.sunbird-rc.supported-credential-types.
  • For each supported credential type change the below properties. Sample properties are provided in the eSignet default properties and Certify default properties.
    • esignet-default-properties:
      • Issuer id mosip.esignet.vciplugin.sunbird-rc.credential-type.{credential type}.static-value-map.issuerId
      • Credential schema id mosip.esignet.vciplugin.sunbird-rc.credential-type.{credential type}.cred-schema-id
      • Registry Url mosip.esignet.vciplugin.sunbird-rc.credential-type.{credential type}.registry-get-url
      • Template Url mosip.esignet.vciplugin.sunbird-rc.credential-type.{credential type}.template-url
      • Credential schema version mosip.esignet.vciplugin.sunbird-rc.credential-type.{credential type}.cred-schema-version
      • Define the list of supported scopes using: mosip.esignet.supported.credential.scopes, and for each scope, map the resource accordingly at mosip.esignet.credential.scope-resource-mapping.
      • Change these properties for different credential types supported mosip.esignet.vci.key-values based on OID4VCI version.
    • certify-default-properties:
      • Issuer id mosip.certify.vciplugin.sunbird-rc.credential-type.{credential type}.static-value-map.issuerId
      • Credential schema id mosip.certify.vciplugin.sunbird-rc.credential-type.{credential type}.cred-schema-id
      • Registry Url mosip.certify.vciplugin.sunbird-rc.credential-type.{credential type}.registry-get-url
      • Template Url mosip.certify.vciplugin.sunbird-rc.credential-type.{credential type}.template-url
      • Credential schema version mosip.certify.vciplugin.sunbird-rc.credential-type.{credential type}.cred-schema-version
      • Change these properties for different credential types supported mosip.certify.key-values based on OID4VCI version.

Web interface for VC Issuance (optional)

  • To test the Setup from UI we can configure a Client and Issuer in InjiWeb.

    • Setup InjiWeb and Mimoto in local.
    • Add an issuer to mimoto issuer config with authorization_endpoint, credential_endpoint and .well-known properties pointing to eSignet and certify installed above.
    • Add the private key from the OIDC client created in eSignet(collection to create a client can be found here) to the p12 file in mimoto.
    • You will be able to see the newly created issuer in InjiWeb home page to download the credential.
  • For this release Mosip ID and Mock plugins are using eSignet DTO's due to shared redis cache dependency to resolve serialization issues, so eSignet image tag version in docker compose should be in consistent with Mock and Mosip ID pom dependency version.As of now we are using eSignet 1.4.1 in docker compose as well as plugins in artifactory

Troubleshooting

  • invalid_proof error while downloading credentials --> check the audUrl value, it should be the hostname of the injicertify instance
  • invalid_assertion at the token endpoint of eSignet --> check the aud env value
  • while using Postman do check if an Environment is set for the pre & post request scripts to be able to carry forward & override the variables; and set the correct Hostnames and other entities correctly via the Variables section for a Postman collection

Helm Deployments

About

Repository hosts the source code, documentation, and other related files for the Inji Certify project

Resources

License

Stars

Watchers

Forks

Packages

No packages published