Use multiple Microsoft Entra Verified ID credentials in a verification presentation

This post shows how a Microsoft Entra ID Verified Employee credential can be used together with a self-attestation credential to unlock a door. With this combination, a person proves both that they know the door code and that they are an employee.

Code: https://github.com/swiss-ssi-group/EntraEmployeeUnlockDoor

Get your Verified Employee credential

This app uses the Microsoft Entra Verified Employee credential. The following post shows how to set this up, get a credential and add it to your Microsoft wallet.

Issue Employee verifiable credentials using Entra Verified ID and ASP.NET Core

Issue the self attestation credential

The self-attestation credential is issued using the selfIssued mapping in the rules definition. We require just one claim, doorCode. Self-issued claims can also be mixed with other claims and other credential types, but we do not mix them here, because we already have an employee credential with a fixed format.

{
  "attestations": {
    "selfIssued": {
      "mapping": [
        {
          "outputClaim": "doorCode",
          "required": true,
          "inputClaim": "doorCode",
          "indexed": false
        }
      ],
      "required": true
    }
  },
  "validityInterval": 2592000,
  "vc": {
    "type": [
      "DoorCode"
    ]
  }
}

The credential is mapped into C# using the CredentialsClaims class.

/// <summary>
/// self-issued-attestation
/// </summary>
public class CredentialsClaims
{
    [JsonPropertyName("doorCode")]
    public string? DoorCode { get; set; } = string.Empty;
}

The IssuanceRequestPayload class is used to issue the credentials. The callback is defined and a public URL is required to debug the application. I use ngrok.

public IssuanceRequestPayload GetIssuanceRequestPayload(HttpRequest request)
{
    var payload = new IssuanceRequestPayload();

    // Credential type as defined in the rules definition ("vc.type")
    payload.CredentialsType = "DoorCode";

    // URL of the credential manifest created in the Azure portal
    payload.Manifest = $"{_credentialSettings.CredentialManifest}";

    // The Request Service calls back to this public URL (ngrok when debugging locally);
    // the state is a per-request value used to match the callback to this request
    var host = GetRequestHostName(request);
    payload.Callback.State = Guid.NewGuid().ToString();
    payload.Callback.Url = $"{host}/api/issuer/issuanceCallback";
    payload.Callback.Headers.ApiKey = _credentialSettings.VcApiCallbackApiKey;

    payload.Registration.ClientName = "Door Code";
    payload.Authority = _credentialSettings.IssuerAuthority;

    return payload;
}

The two configuration files are used to create the verifiable credential in the Azure portal.

Use the Employee and unlock door credential in a verification

The VerifierRequestPayload class is used to request both the employee credential and the self issued door code credential.

public VerifierRequestPayload GetVerifierRequestPayload(HttpRequest request)
{
    var payload = new VerifierRequestPayload();

    // Callback URL and API key the Request Service uses to post the presentation result;
    // the state ties the callback to this specific verification request
    var host = GetRequestHostName(request);
    payload.Callback.State = Guid.NewGuid().ToString();
    payload.Callback.Url = $"{host}/api/verifier/presentationCallback";
    payload.Callback.Headers.ApiKey = _credentialSettings.VcApiCallbackApiKey;

    payload.Registration.ClientName = "VerifiedEmployee";
    payload.Authority = _credentialSettings.VerifierAuthority;

    // First credential: the Verified Employee credential, accepted only from our issuer
    var requestedCredentials = new RequestedCredentials
    {
        CrendentialsType = "VerifiedEmployee",
        Purpose = "Verified Employee to authenticate your request"
    };
    requestedCredentials.AcceptedIssuers.Add(_credentialSettings.IssuerAuthority);
    payload.RequestedCredentials.Add(requestedCredentials);

    // Second credential: the self-issued door code, again restricted to our issuer
    var requestedCredentialsNdl = new RequestedCredentials
    {
        CrendentialsType = "DoorCode",
        Purpose = "Door code to gain access"
    };
    requestedCredentialsNdl.AcceptedIssuers.Add(_credentialSettings.IssuerAuthority);
    payload.RequestedCredentials.Add(requestedCredentialsNdl);

    return payload;
}

The verification request is presented using a QR Code.

The business logic can be implemented on the verifier application as required.
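As an added example of that business logic (not code from the post or the linked repository), the following C# shows one way the presentation callback could be checked before the door is unlocked: the api-key header set on the request must match, the state must belong to a request this verifier created, the presentation must be verified, both credential types must come from the trusted issuer, and the self-attested doorCode claim must equal the current door code. The property names on the models follow the documented callback shape (requestStatus, state, verifiedCredentialsData with issuer, type and claims), but the classes, the in-memory state set and the sample JSON are written for this example and are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

// Example models for the presentation callback (assumed shape, written for this example).
public sealed class VerifiedCredentialData
{
    [JsonPropertyName("issuer")] public string Issuer { get; set; } = string.Empty;
    [JsonPropertyName("type")] public List<string> Type { get; set; } = new();
    [JsonPropertyName("claims")] public Dictionary<string, JsonElement> Claims { get; set; } = new();
}

public sealed class PresentationCallback
{
    [JsonPropertyName("requestStatus")] public string RequestStatus { get; set; } = string.Empty;
    [JsonPropertyName("state")] public string State { get; set; } = string.Empty;
    [JsonPropertyName("verifiedCredentialsData")]
    public List<VerifiedCredentialData> VerifiedCredentialsData { get; set; } = new();
}

public static class DoorAccessPolicy
{
    // Returns true only when every check passes; any missing piece denies access.
    public static bool Evaluate(
        string? apiKeyHeader, string expectedApiKey,
        string callbackJson, ISet<string> pendingStates,
        string trustedIssuer, string currentDoorCode)
    {
        // 1. The callback must carry the api-key we put in Callback.Headers.ApiKey.
        if (!FixedTimeEquals(apiKeyHeader, expectedApiKey)) return false;

        var cb = JsonSerializer.Deserialize<PresentationCallback>(callbackJson);
        if (cb is null || cb.RequestStatus != "presentation_verified") return false;

        // 2. The state must match a request we created; removing it makes the callback single-use.
        if (!pendingStates.Remove(cb.State)) return false;

        // 3. Both credentials must be present and issued by our own authority.
        var employee = cb.VerifiedCredentialsData
            .FirstOrDefault(c => c.Type.Contains("VerifiedEmployee") && c.Issuer == trustedIssuer);
        var door = cb.VerifiedCredentialsData
            .FirstOrDefault(c => c.Type.Contains("DoorCode") && c.Issuer == trustedIssuer);
        if (employee is null || door is null) return false;

        // 4. The self-attested door code must equal the code currently configured for the door.
        if (!door.Claims.TryGetValue("doorCode", out var element)) return false;
        return FixedTimeEquals(element.GetString(), currentDoorCode);
    }

    private static bool FixedTimeEquals(string? a, string b)
    {
        if (a is null) return false;
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(a), Encoding.UTF8.GetBytes(b));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample callback; the issuer DID and door code are placeholders.
        const string issuer = "did:web:issuer.example.com";
        const string json = """
        {
          "requestStatus": "presentation_verified",
          "state": "7f1c4f0e-state-from-our-request",
          "verifiedCredentialsData": [
            { "issuer": "did:web:issuer.example.com", "type": ["VerifiableCredential", "VerifiedEmployee"],
              "claims": { "displayName": "Example Employee", "jobTitle": "Engineer" } },
            { "issuer": "did:web:issuer.example.com", "type": ["VerifiableCredential", "DoorCode"],
              "claims": { "doorCode": "4821" } }
          ]
        }
        """;

        var pending = new HashSet<string> { "7f1c4f0e-state-from-our-request" };
        bool unlock = DoorAccessPolicy.Evaluate("expected-api-key", "expected-api-key",
            json, pending, issuer, "4821");
        Console.WriteLine(unlock ? "unlock door" : "access denied");

        // A replay of the same callback fails because the state was consumed.
        bool replay = DoorAccessPolicy.Evaluate("expected-api-key", "expected-api-key",
            json, pending, issuer, "4821");
        Console.WriteLine(replay ? "unexpected" : "replay rejected");
    }
}
```

Consuming the state on first use is what turns the random Callback.State into a replay check; in a real verifier the pending states would live in a cache with a short expiry rather than an in-memory set.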

Notes

The self issued credential allows the value to be set by a user. A new credential can be created every time the code changes.

This can then be connected into whatever business process you require. The credentials can be used cross-domain or multi-tenant. The security is relatively good: the flow remains open to phishing attacks, but it does not rely on passwords.

The Microsoft Entra Verified ID id-tech solution is very good, but not compatible with other SSI solutions. You would require adaptors or cross ledger wallets.

SSI and id-tech solutions will not become a success if it is not possible to have interop between services, providers and wallets. To compare, this is like sending an email from Gmail that cannot be opened in Microsoft Outlook, or the other way around.

Links

https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/how-to-use-quickstart-multiple

https://github.com/swiss-ssi-group/AzureADVerifiableCredentialsAspNetCore

https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/decentralized-identifier-overview

https://ssi-start.adnovum.com/data

https://github.com/e-id-admin/public-sandbox-trustinfrastructure/discussions/14

https://openid.net/specs/openid-connect-self-issued-v2-1_0.html

https://identity.foundation/jwt-vc-presentation-profile/

https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-standards

https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet

https://aka.ms/mysecurityinfo

https://fontawesome.com/

https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=damienbodsharepoint.onmicrosoft.com

https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0

https://github.com/Azure-Samples/VerifiedEmployeeIssuance

https://github.com/AzureAD/microsoft-identity-web/blob/jmprieur/Graph5/src/Microsoft.Identity.Web.GraphServiceClient/Readme.md#replace-the-nuget-packages

https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret

https://issueverifiableemployee.azurewebsites.net/

Links eIDAS and EUDI standards

Draft: OAuth 2.0 Attestation-Based Client Authentication
https://datatracker.ietf.org/doc/html/draft-looker-oauth-attestation-based-client-auth-00

Draft: OpenID for Verifiable Presentations
https://openid.net/specs/openid-4-verifiable-presentations-1_0.html

Draft: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop

Draft: OpenID for Verifiable Credential Issuance
https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html

Draft: OpenID Connect for Identity Assurance 1.0
https://openid.net/specs/openid-connect-4-identity-assurance-1_0-13.html

Draft: SD-JWT-based Verifiable Credentials (SD-JWT VC)
https://vcstuff.github.io/draft-terbu-sd-jwt-vc/draft-terbu-oauth-sd-jwt-vc.html
