The document provides information about decentralized identities and verifiable credentials. It discusses how a university administrator can configure the issuance of digital student ID credentials on the Microsoft identity platform. This includes customizing the look and feel of the credentials, defining the data included in credentials, and specifying requirements for credential issuance such as authentication methods. It also shows how a student can request the issuance of a new credential by sending an OpenID request containing credential details and requirements. The goal is to allow students to securely prove their student status to other applications and services using self-sovereign digital credentials.
2. Introduction
• First things first
• Please note: We are recording this call so those unable to attend can benefit from the recording.
• This call is designed for developers who implement or are interested in implementing Microsoft identity platform solutions.
• What kind of topics will we discuss?
• We will address development-related topics submitted to us by the community for discussion.
• We build a pipeline of topics for the next few weeks; please submit your feedback and topic suggestions: https://aka.ms/IDDevCommunityCallSurvey
• View recordings on the Microsoft 365 Developer YouTube channel: https://aka.ms/M365DevYouTube
• Follow us on Twitter @Microsoft365Dev and @azuread
• This is NOT a support channel. Please use Stack Overflow to ask your immediate support-related questions.
• When is the next session?
• Community Calls: Monthly – 3rd Thursday of every month
• Next Identity Developer Community Call: Aug 20th
6-8. Diagram: Your Identity > App (username, password). The same username/password identity is handed to every app, and the user's data is scattered across silos: play, purchases, education, achievements, interests, work, citizenship.
9. Your Identity > App (username, password): what this model costs
• Endless breaches of personal data
• Billions spent on audits
• 1B+ displaced without any ID
• In some cases, disappear
10. Who benefits
Individuals
• Privacy and control of my identity and data
• Protection from hacks
• Protection from breaches
Organizations
• Trust, and Verify
• Collaborate with everyone
• Reduce risk for GDPR, KYC/AML
Governments
• ID for cross border & agency
• Digital ID for refugees
• Social and financial inclusion for everyone
13. Each of us needs a digital identity we own and control, one which securely and privately stores all elements of our digital identity. This self-owned identity must seamlessly integrate into our lives and give us complete control over how our identity data is accessed and used.
16-18. Mockup of the issuance e-mail: from Contoso Registrar (CR), 5/6/2020 9:30 AM, to Alice Smith, subject "Your Digital Student ID is available", body beginning "Hi Alice, Your digital student ID is here. Contoso", with an "Add to Wallet" button.
41. Decentralized identity landscape (diagram; recoverable labels only)
• Users; People, Apps, and Devices
• Identity Hub; Universal Resolver (Stage: Working Implementations)
• W3C Decentralized Identifiers, did:// (Stage: Published Standard)
• W3C Verifiable Credentials (Stage: Published Standard)
• CCG DID Authentication
• User Agent (Stage: Working Implementations)
• Decentralized Systems · Blockchains and Ledgers
Join, collaborate, and contribute
45. Configure credential issuance
Administrator: Contoso admin sets up an issuer that will produce verifiable credentials:
1. Provide an Azure Key Vault
2. Associate a verified DNS domain
3. A DID is registered
46. Configure credential look and feel
Administrator: Contoso admin customizes branding of their credentials.
1. Choose a card color.
2. Upload icons & images.
3. Provide helpful text.
47. Markup for defining look & feel of a card
{
  "locale": "en-US",
  "contract": "https://identity.microsoft.com/76B0B89D-4D7D...",
  "card": {
    "title": "Student ID Card",
    "issuedBy": "Contoso University",
    "backgroundColor": "#000000",
    "textColor": "#FFFFFF",
    "logo": {
      "uri": "https://contosouniversity.edu/studentIdCard/logo.png",
      "description": "Student ID Card Logo"
    }
  },
  "consent": {
    "title": "Do you want to be issued this card...?",
    "instructions": "You will need to sign into your school..."
  },
  "claims": {
    "vc.credentialSubject.studentId": {
      "type": "Number",
      "label": "Student ID Number"
    },
    "vc.credentialSubject.expiration": {
      "type": "Date",
      "label": "Card Expires At"
    },
    "vc.credentialSubject.studentProfilePicture": {
      "type": "base64Image",
      "label": "Profile Picture",
      "description": "A student's profile picture"
    }
  }
}
48. Customize the look & feel of the card: the "card" section of the markup above (title, issuer, colors, logo).
49. Provide text strings for credential data: the "consent" and "claims" sections of the markup above (labels, types and descriptions shown for each claim).
50. Contract describes requirements for issuance
{
  "credentialIssuer": "https://portableidentitycards.azure-api...",
  "issuer": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
  "vc": {
    "type": [ "https://contosouniversity.edu/StudentIdCredential" ] // the type of the credential, used by verifiers to request it
  },
  "validityInterval": 2592000, // expiration of a credential, in seconds
  "signingKeys": [ // details of the signing keys used to issue credentials
    {
      "kid": "did:ion:test:EiBBk-jMkByqfJPKTSYJENy5XKRIq8p...",
      "key": "https://mykeyvault12.vault.azure.net/...",
      "authorization": { "method": "msi" }
    }
  ],
  "attestations": {
    "selfIssued": {}, // values the user can provide directly
    "presentations": {}, // credentials the user must provide
    "idTokens": [ // identity providers the user must authenticate with
      {
        "mapping": { // define which claims should be included in credentials
          "studentId": { "claim": "studentId" },
          "firstName": { "claim": "given_name" },
          "lastName": { "claim": "family_name" }
        },
        "configuration": "https://contoso.edu/.well-known/openid-configuration",
        "client_id": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
        "redirect_uri": "https://contosouniversity.edu/verify"
      }
    ]
  }
}
51. Configure properties of the issued credential: the "vc", "validityInterval" and "signingKeys" sections above.
52. Define requirements to issue a new credential: the "attestations" section above (here a single OpenID Connect id_token from the school's provider, with "mapping" selecting which of its claims land in the credential).
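As an added illustration (not the platform's own code, and not from the deck), the following applies the rules contract above to a sample id_token: it binds the token to the contract's "configuration" issuer and "client_id" audience, copies only the "mapping" claims into "credentialSubject", derives "exp" from "validityInterval", and cross-checks the display contract's claim labels against the mapping. The issuer check is simplified to the origin of the openid-configuration URL, the id_token claims are constructed, and the display claim "major" is constructed so the check has a gap to report.

```python
import json
import time

# Constructed example, not the Microsoft identity platform's own code. Both contracts are
# cut down to fields shown on the slides; the display claim "major" is constructed so the
# consistency check below has something to catch.
DISPLAY_CONTRACT = json.loads("""{
  "locale": "en-US",
  "card": {"title": "Student ID Card", "issuedBy": "Contoso University"},
  "claims": {
    "vc.credentialSubject.studentId": {"type": "Number", "label": "Student ID Number"},
    "vc.credentialSubject.firstName": {"label": "First Name"},
    "vc.credentialSubject.major":     {"label": "Major"}
  }
}""")
RULES_CONTRACT = json.loads("""{
  "issuer": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
  "vc": {"type": ["https://contosouniversity.edu/StudentIdCredential"]},
  "validityInterval": 2592000,
  "attestations": {"idTokens": [{
    "mapping": {"studentId": {"claim": "studentId"},
                "firstName": {"claim": "given_name"},
                "lastName":  {"claim": "family_name"}},
    "configuration": "https://contoso.edu/.well-known/openid-configuration",
    "client_id": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
    "redirect_uri": "https://contosouniversity.edu/verify"}]}
}""")
# Constructed id_token claims from the school's OpenID provider; "email" is unmapped
# and must not end up in the credential.
ID_TOKEN_CLAIMS = {"iss": "https://contoso.edu", "aud": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
                   "sub": "alice", "given_name": "Alice", "family_name": "Smith",
                   "studentId": "21905716", "email": "alice@contoso.edu"}

def check_id_token(claims, rule):
    """Bind the id_token to the contract: issuer (simplified here to the origin of the
    openid-configuration URL rather than the discovery document's "issuer") and audience."""
    expected_iss = rule["configuration"].rsplit("/.well-known/", 1)[0]
    if claims.get("iss") != expected_iss:
        raise ValueError("id_token issuer does not match the contract's configuration")
    if claims.get("aud") != rule["client_id"]:
        raise ValueError("id_token audience is not the contract's client_id")

def build_credential_subject(rules, claims):
    """Copy only the mapped claims; a missing source claim blocks issuance."""
    rule = rules["attestations"]["idTokens"][0]
    check_id_token(claims, rule)
    subject = {}
    for vc_claim, src in rule["mapping"].items():
        if src["claim"] not in claims:
            raise ValueError(f"id_token lacks required claim {src['claim']!r}")
        subject[vc_claim] = claims[src["claim"]]
    return subject

def vc_payload(rules, claims, holder_did, now=None):
    """Unsigned VC-JWT payload laid out like the issued-credential slide; exp = iat + validityInterval."""
    now = int(time.time()) if now is None else now
    return {"sub": holder_did, "iss": rules["issuer"], "nbf": now, "iat": now,
            "exp": now + rules["validityInterval"],
            "vc": {"@context": ["https://www.w3.org/2018/credentials/v1"],
                   "type": ["VerifiableCredential"] + rules["vc"]["type"],
                   "credentialSubject": build_credential_subject(rules, claims)}}

def display_gaps(display, rules):
    """Display claims no mapping ever populates, and mapped claims the card never shows."""
    prefix = "vc.credentialSubject."
    shown = {k[len(prefix):] for k in display["claims"] if k.startswith(prefix)}
    mapped = set(rules["attestations"]["idTokens"][0]["mapping"])
    return {"labelled_but_never_populated": sorted(shown - mapped),
            "populated_but_hidden": sorted(mapped - shown)}
```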
67. Format of an issued verifiable credential
// Verifiable Credential as a JWT
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "did:example:issuer#keys-1"
}.
{
  "sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1", // The user's DID
  "jti": "http://contosouniversity.edu/credentials/3732",
  "iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd", // The issuer's DID
  "nbf": 1541493724,
  "iat": 1541493724,
  "exp": 1573029723, // The expiration of the credential
  "nonce": "660!6345FSer",
  "vc": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://contosouniversity.edu"
    ],
    "type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
    "credentialSubject": { // The claims in the credential
      "studentId": "21905716"
    },
    "credentialStatus": {
      "type": "CredentialRevocationMechanism",
      "id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status"
    }
  }
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
68. Follows W3C standard for Decentralized Identifiers: "sub" and "iss" are DIDs.
69. Follows W3C standard for verifiable credentials: the "vc" object carries @context, type, credentialSubject and credentialStatus.
70. Credential is signed by issuer's DID: the third JWT segment is the signature under the key referenced by "kid".
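As an added example (not code from the deck or the platform), this is the verifier-side check for a credential in the format above: pinned algorithm, signature, issuer DID, DID-shaped subject, nbf/exp window, credential type and presence of a revocation status entry. The slide's credential is RS256-signed with the issuer's DID key; here HS256 with a constructed shared key stands in so the block runs offline on the standard library, and the payload is constructed to mirror the slide.

```python
import base64
import hashlib
import hmac
import json

# Constructed key and payload for this example only (not the platform's code). The slide's
# credential is RS256-signed with the issuer's DID key; HS256 with a shared secret stands in
# so the block runs offline on the standard library. The claim checks are the same for RS256.
ISSUER_DID = "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd"
ISSUER_KEY = b"constructed-example-key"
SAMPLE_PAYLOAD = {
    "sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1",
    "jti": "http://contosouniversity.edu/credentials/3732",
    "iss": ISSUER_DID,
    "nbf": 1541493724, "iat": 1541493724, "exp": 1573029723,
    "nonce": "660!6345FSer",  # freshness value supplied by the requesting party
    "vc": {
        "@context": ["https://www.w3.org/2018/credentials/v1", "https://contosouniversity.edu"],
        "type": ["VerifiableCredential", "StudentIDCredential"],
        "credentialSubject": {"studentId": "21905716"},
        "credentialStatus": {
            "type": "CredentialRevocationMechanism",
            "id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status"},
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_vc_jwt(payload: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: header.payload.signature in JWS compact form (HS256 stand-in)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": ISSUER_DID + "#keys-1"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_vc_jwt(token: str, expected_type: str, now: int, key: bytes = ISSUER_KEY) -> dict:
    """Verifier side: return the "vc" object if every check passes, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # The verifier pins the algorithm; the header's "alg" is never trusted on its own.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature does not verify under the issuer's key")
    payload = json.loads(_b64url_decode(parts[1]))
    if payload.get("iss") != ISSUER_DID:  # issued by the DID we trust for this credential type
        raise ValueError("unexpected issuer DID")
    if not str(payload.get("sub", "")).startswith("did:"):
        raise ValueError("subject is not a DID")
    if not payload.get("nbf", 0) <= now < payload.get("exp", 0):
        raise ValueError("credential not yet valid or expired")
    vc = payload.get("vc", {})
    if not {"VerifiableCredential", expected_type} <= set(vc.get("type", [])):
        raise ValueError("credential type mismatch")
    if "credentialStatus" not in vc:  # without it, revocation cannot be checked
        raise ValueError("credential carries no status endpoint")
    return vc
```

The status endpoint in "credentialStatus" still has to be queried before the presentation is accepted; this block only confirms the credential names one.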
85. Help RPs to work with Verifiable Credentials
• Validate tokens (SI, id tokens, VCs, VPs, Issuance and Presentation SIOP)
• Create SIOP requests
• Supports signing with or without Key Vault
• Serves as a specification for customers using other stacks
90. Recording will be available soon on our Microsoft 365 Developer YouTube channel: https://aka.ms/M365DevYouTube (subscribe today)
Follow us on Twitter @Microsoft365Dev and @azuread
Next call: August 20th at 9:00am PST, https://aka.ms/IDDevCommunityCalendar
Thank you
Editor's Notes
This is all about trust and privacy.
Ease of use and security: FIDO, MFA, passwordless.
Don't do much in assurance, privacy, data, etc.
This is the next set of technologies to do this at scale. The need is trust, cross-domain trust.
Compliance training, inside the domain boundary, compliant or not compliant. A 3rd party giving training; every system is special. We are standardizing on protocol, not API.
NHS: 2 scenarios together; they don't want to use 2 stacks to complete this.
Common need is trust verification across trust boundaries. In some scenarios it might require privacy.
Key points to land: lots of progress on open standards. The core parts of the scenario can now be built using published standards:
Credential format: Verifiable Credentials https://www.w3.org/TR/vc-data-model/
Decentralized Identifiers https://w3c.github.io/did-core/
Authentication based on OpenID Connect (OIDC) Self-Issued OpenID Provider (SIOP) https://identity.foundation/did-siop/
Credential exchange based on existing OIDC https://en.wikipedia.org/wiki/OpenID_Connect
Highlights:
This document is hosted at /.well-known/did-configuration
Contains DID with signature
Highlights:
Card color, title, text (in bold)
Highlights:
Data source is the OpenID provider described in the "configuration" property
Credential contents described in "mapping" section.
Highlights:
Request is signed by Contoso University's DID
Request includes "contract", which instructs Authenticator on how to get the credential
Highlights:
This is just your typical OpenID Connect federation flow, nothing special here.
Claims are returned in resulting id_token, pictured above.
Highlights:
Iss=Contoso University, Subject=Alice
Claims are provided in "credentialSubject", according to VC standard.
Card Added
Allow and Deny
Permission Requested
Consistent
Highlights:
Request issued by Bookstore
"Attestations" contains criteria for requested credentials, in this case, type=Student ID
https://identity.foundation/presentation-exchange/
Highlights:
Credential returned to bookstore in "_claim_sources" field according to OpenID standard