The verification flow is started from the Verifier web portal. The Verifier requires a certain type of credential to be presented, and lets the user connect to a previously configured, known Wallet. The Wallet, on receiving the SIOP authorization request, can check whether all required credentials are available, and optionally trigger a credential issuance flow for any missing credentials. If all required credentials are available, the user selects the credentials to present (if multiple credentials of the same type are available), and the Wallet generates the SIOP response, containing an ID token and the verifiable presentation, and redirects back to the verifier portal for verification:
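The decision steps of this flow, as an added example that is not Wallet Kit code: the Wallet checks the request against the credentials it holds, and the Verifier checks that the response answers its own request and covers every required type. The dict layouts, function names and credential type names are assumptions made for the illustration; `nonce`, `id_token` and `vp_token` follow OIDC naming, and signature verification of the token and presentation is left out.

```python
import secrets

def verifier_request(required_types):
    """Verifier portal: simplified SIOP authorization request (assumed layout)."""
    return {"required_types": list(required_types),
            "nonce": secrets.token_urlsafe(16)}

def wallet_plan(request, held):
    """Wallet: decide the next step for a request.

    held is a list of dicts like {"id": ..., "type": ...} (assumed layout).
    Returns (action, detail):
      "issue"   - detail lists the required types the wallet does not hold
      "select"  - detail maps each type with several candidates to their ids
      "present" - detail maps each required type to its single matching id
    """
    by_type = {}
    for cred in held:
        by_type.setdefault(cred["type"], []).append(cred["id"])
    required = request["required_types"]
    missing = [t for t in required if t not in by_type]
    if missing:
        return "issue", missing
    ambiguous = {t: by_type[t] for t in required if len(by_type[t]) > 1}
    if ambiguous:
        return "select", ambiguous
    return "present", {t: by_type[t][0] for t in required}

def wallet_response(request, held, chosen):
    """Wallet: simplified SIOP response built from chosen ids (type -> id)."""
    index = {c["id"]: c for c in held}
    presentation = [index[chosen[t]] for t in request["required_types"]]
    return {"id_token": {"nonce": request["nonce"]},
            "vp_token": presentation}

def verifier_check(request, response):
    """Verifier portal: accept only a response bound to this request
    that presents every required credential type."""
    nonce = response["id_token"].get("nonce", "")
    if not secrets.compare_digest(nonce, request["nonce"]):
        return False
    presented = {c["type"] for c in response["vp_token"]}
    return set(request["required_types"]) <= presented
```
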
The Wallet Kit supports credential issuance and presentation exchange via the OpenID Connect (OIDC) standards:
On the following pages you can find sequence diagrams of the integrated end-to-end flows.
The web wallet supports a custom issuance flow that can be triggered from the issuer portal and uses the OIDC for verifiable presentations (SIOP) flow to move between the issuer portal and the wallet. The user starts at the issuer portal and selects the credentials they want to get issued. The issuer portal redirects to a previously configured, known wallet, using the SIOP flow outlined above. The wallet creates the SIOP response, posts it to the issuer portal, and in return receives the issued credentials, provided that the credential presentation was verified successfully:
The issuance flow is triggered from the Wallet. The user chooses from a list of issuer portals known to the wallet backend and triggers the issuance of any credential type the issuers support. Optionally, the Issuer can require a Verifiable Presentation of certain types of credentials to be sent with the initial authorization request. If the authorization is successful, the issuer portal provides an authorization code and access token for the wallet to retrieve the issued credentials: