OAuth Presentations

Presenting Verifiable Credentials from one organization to another is an interaction between two security domains. Therefore, all presentations must be authenticated so the verifier receiving the presentation can verify the identity of the holder submitting the presentation.
Verifiable Data Platform supports two ways to authenticate presentations: DIDAuth and OAuth. Some benefits of OAuth include:
  • Very widely used and well known authentication mechanism.
  • Once authenticated, presentations can be done (within the lifetime of the access token) with ⅓ of the network requests compared to DIDAuth.
  • It allows tight control over who can make presentations, which can in some situations (but not always) be beneficiary.
  • Conformance to the Traceability Interoperability specification and thus US CBP requirements, which are based on OAuth.

Receiving OAuth Presentations

In order to allow a business partner to submit presentations with OAuth, you must make an Application for the business partner.
Go to Organization -> Applications:
OAuth Applications
Click “+” to create a new Application.
In the Application create screen, give the application a suitable name and description to keep track of who is intended to authenticate with this application.
The only scope needed for others to submit OAuth presentations is submit:presentations. Granting any other scopes will give broader access to the platform, potentially including access to sensitive data.
IMPORTANT! You should not grant scopes beyond submit:presentations to applications shared externally unless you know exactly what you are doing.
Create application for presentations
Click “Create” to create the Application.
Created platform application
You will need to copy and share the Client ID and Client Secret with your business partner.
The third and final piece of data you need to share is your organization’s endpoint for receiving OAuth presentations.
It looks something like this:
The easiest place to find this is to go to Identifiers -> DID:WEB -> expand your default did:web and then under service, copy the value of serviceEndpoint.
This is shown below:
did:web service end point
Share Client ID, Client Secret and presentation endpoint with your business partner. Make sure it is shared in a safe way and over encrypted channels, so no one else can use it to authenticate using their credentials.

Sending OAuth Presentations

When presenting with OAuth, you have received Client ID, Client Secret and a presentation endpoint from a business partner who has registered an application on their system (this could be another organization on Verifiable Business Platform).
The Verifiable Data Platform does not yet have a feature to support this, so you will need to authenticate and make the presentation yourself. This Postman collection illustrates how this is done.