The document provides information about decentralized identities and verifiable credentials. It discusses how a university administrator can configure the issuance of digital student ID credentials on the Microsoft identity platform. This includes customizing the look and feel of the credentials, defining the data included in credentials, and specifying requirements for credential issuance such as authentication methods. It also shows how a student can request the issuance of a new credential by sending an OpenID request containing credential details and requirements. The goal is to allow students to securely prove their student status to other applications and services using self-sovereign digital credentials.

1. Microsoft identity platform
July 16, 2020
Community call
Decentralized Identities
Matthijs Hoekstra
Microsoft
@mahoekst

2. Introduction
• First things first
• Please note: We are recording this call so those unable to attend can benefit from the recording.
• This call is designed for developers who implement or are interested in implementing Microsoft identity platform
solutions.
• What kind of topics will we discuss?
• We will address development related topics submitted to us by the community for discussion.
• We build a pipeline of topics for the next few weeks, please submit your feedback and topic suggestions -
https://aka.ms/IDDevCommunityCallSurvey
• View recordings on the Microsoft 365 Developer YouTube channel - https://aka.ms/M365DevYouTube
• Follow us on Twitter @Microsoft365Dev and @azuread
• This is NOT a support channel. Please use Stack Overflow to ask your immediate support related questions.
• When is the next session?
• Community Calls: Monthly – 3rd Thursday of every month
• Next Identity Developer Community Call: Aug 20th

5. Your Identity == App(username, password)

6. u s e r n a m e
l l l l l l l lYour Identity > App(username, password)

7. Your Identity > App(username, password)
play
purchases
education
achievements
interests
work citizenship
u s e r n a m e
l l l l l l l l

8. Your Identity > App(username, password)
u s e r n a m e
l l l l l l l l
play
purchases education
achievements
interests
work citizenship

9. Your Identity App(username, password)
Endless breaches
of personal data
Billions spent
on audits
1B+ displaced
without any ID
?
In some cases,
disappear

10. • Privacy and control of
my identity and data
• Protection from hacks
• Protection from breaches
Individuals
• Trust, and Verify
• Collaborate with everyone
• Reduce risk for GDPR, KYC/AML
Organizations
• ID for cross border & agency
• Digital ID for refugees
• Social and financial inclusion
for everyone
Governments

11. u s e r n a m e
l l l l l l l l
play
purchases education
achievements
interests
work citizenship

12. u s e r n a m e
l l l l l l l l

13. Each of us needs digital identity we own and
control, one which securely and privately stores all
elements of our digital identity.
This self-owned identity must seamlessly integrate
into our lives and give us complete control over
how our identity data is accessed and used.

16. To: Alice Smith
ContosoRegistrar
5/6/2020 9:30 AM
YourDigital Student IT isavailable
CR
CR
Add to Wallet
Contoso Registrar
Wed 9:30AMYourDigitalStudentITisavailable
Hi Alice, Your digital student ID is here. Contoso

17. To: Alice Smith
ContosoRegistrar
5/6/2020 9:30 AM
YourDigital Student IT isavailable
CR
CR
Add to Wallet
Contoso Registrar
Wed 9:30AMYourDigitalStudentITisavailable
Hi Alice, Your digital student ID is here. Contoso

18. To: Alice Smith
ContosoRegistrar
5/6/2020 9:30 AM
YourDigital Student IT isavailable
CR
CR
Add to Wallet
Contoso Registrar
Wed 9:30AMYourDigitalStudentITisavailable
Hi Alice, Your digital student ID is here. Contoso

41. Users
Identity Hub
Universal Resolver
People,Apps,
andDevices
Stage: Working Implementations
Stage: Working Implementations
W3C Decentralized Identifiers
Stage: Published Standard
Decentralized Systems · Blockchains and Ledgers
CCG
DID Authentication
W3C Verifiable Credentials
Stage: Published Standard
User Agent
Stage: Working Implementations
did://
Join, collaborate, and contribute

43. Public key infrastructure

44. What’s an Verifiable Credential?

45. Configure credential issuance
Administrator
Contoso admin sets up an issuer
that will produce verifiable
credentials:
1. Provide an Azure Key Vault
2. Associate a verified
DNS domain
3. A DID is registered

46. Configure credential look and feel
Administrator
Contoso admin customizes
branding of their credentials.
1. Choose a card color.
2. Upload icons & images.
3. Provide helpful text.

47. Markup for defining look & feel of a card
{
"locale": "en-US",
"contract": "https://identity.microsoft.com/76B0B89D-4D7D...”,
"card": {
"title": "Student ID Card",
"issuedBy": "Contoso University",
"backgroundColor": "#000000",
"textColor": "#FFFFFF",
"logo": {
"uri": "https://contosouniversity.edu/studentIdCard/logo.png",
"description": “Student ID Card Logo"
},
}
"consent": {
"title": "Do you want to be issued this card...?",
"instructions": "You will need to sign into your school..."
},
"claims": {
"vc.credentialSubject.studentId": {
"type": "Number",
"label": “Student ID Number"
},
"vc.credentialSubject.expiration": {
"type": "Date",
"label": "Card Expires At"
},
"vc.credentialSubject.studentProfilePicture": {
"type": "base64Image",
"label": "Profile Picture",
"description": "A student’s profile picture"
}
}
}

48. {
"locale": "en-US",
"contract": "https://identity.microsoft.com/76B0B89D-4D7D...”,
"card": {
"title": "Student ID Card",
"issuedBy": "Contoso University",
"backgroundColor": "#000000",
"textColor": "#FFFFFF",
"logo": {
"uri": "https://contosouniversity.edu/studentIdCard/logo.png",
"description": “Student ID Card Logo"
},
}
"consent": {
"title": "Do you want to be issued this card...?",
"instructions": "You will need to sign into your school..."
},
"claims": {
{
"locale": "en-US",
"contract": "https://identity.microsoft.com/76B0B89D-4D7D...”,
"card": {
"title": "Student ID Card",
"issuedBy": "Contoso University",
"backgroundColor": "#000000",
"textColor": "#FFFFFF",
"logo": {
"uri": "https://contosouniversity.edu/studentIdCard/logo.png",
"description": “Student ID Card Logo"
},
}
"consent": {
"title": "Do you want to be issued this card...?",
"instructions": "You will need to sign into your school..."
},
"claims": {
"vc.credentialSubject.studentId": {
"type": "Number",
"label": “Student ID Number"
},
"vc.credentialSubject.expiration": {
"type": "Date",
"label": "Card Expires At"
},
"vc.credentialSubject.studentProfilePicture": {
"type": "base64Image",
"label": "Profile Picture",
"description": "A student’s profile picture"
}
}
}
Markup for defining look & feel of a card
Customize the look
& feel of the card

49. }
"consent": {
"title": "Do you want to be issued this card...?",
"instructions": "You will need to sign into your school..."
},
"claims": {
"vc.credentialSubject.studentId": {
"type": "Number",
"label": “Student ID Number"
},
"vc.credentialSubject.expiration": {
"type": "Date",
"label": "Card Expires At"
},
"vc.credentialSubject.studentProfilePicture": {
"type": "base64Image",
"label": "Profile Picture",
"description": "A student’s profile picture"
}
}
}
Markup for defining look & feel of a card
Provide text strings
for credential data
{
"locale": "en-US",
"contract": "https://identity.microsoft.com/76B0B89D-4D7D...”,
"card": {
"title": "Student ID Card",
"issuedBy": "Contoso University",
"backgroundColor": "#000000",
"textColor": "#FFFFFF",
"logo": {
"uri": "https://contosouniversity.edu/studentIdCard/logo.png",
"description": “Student ID Card Logo"
},
}
"consent": {
"title": "Do you want to be issued this card...?",
"instructions": "You will need to sign into your school..."
},
"claims": {
"vc.credentialSubject.studentId": {
"type": "Number",
"label": “Student ID Number"
},
"vc.credentialSubject.expiration": {
"type": "Date",
"label": "Card Expires At"
},
"vc.credentialSubject.studentProfilePicture": {
"type": "base64Image",
"label": "Profile Picture",
"description": "A student’s profile picture"
}
}
}

50. Contract describes requirements for issuance
{
"credentialIssuer": "https://portableidentitycards.azure-api...",
"issuer": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"vc": {
"type": [ "https://contosouniversity.edu/StudentIdCredential" ] // the type of the credential, used by verifiers to request
},
"validityInterval": 2592000, // expiration of a credential, in seconds
"attestations": {
"selfIssued": {}, // values the user can provide directly
"presentations": {}, // credentials the user must provide
"idTokens": [ // identity providers the user must authenticate with
{
"mapping": { // define which claims should be included in credentials
"studentId": { "claim": “studentId" },
"firstName": { "claim": "given_name" },
"lastName": { "claim": "family_name" }
},
"configuration": "https://contoso.edu/.well-known/openid-configuration",
"client_id": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
"redirect_uri": “https://contosouniversity.edu/verify"
}
],
},
}

51. {
"credentialIssuer": "https://portableidentitycards.azure-api...",
"issuer": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"vc": {
"type": [ "https://contosouniversity.edu/StudentIdCredential" ] // the type of the credential, used
},
"validityInterval": 2592000, // expiration of a credential, in seconds
"attestations": {
"selfIssued": {}, // values the user can provide directly
"presentations": {}, // credentials the user must provide
"idTokens": [ // identity providers the user must authenticate with
{
"mapping": { // define which claims should be included in credentials
"studentId": { "claim": “studentId" },
"firstName": { "claim": "given_name" },
"lastName": { "claim": "family_name" }
},
"configuration": "https://contoso.edu/.well-known/openid-configuration",
"client_id": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
"redirect_uri": “https://contosouniversity.edu/verify"
{
"credentialIssuer": "https://portableidentitycards.azure-api...",
"issuer": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"vc": {
"type": [ "https://contosouniversity.edu/StudentIdCredential" ] // the type of the credential, used by verifiers to request
},
"validityInterval": 2592000, // expiration of a credential, in seconds
"signingKeys": [ // details of the signing keys used to issue credentials
{
"kid": "did:ion:test:EiBBk-jMkByqfJPKTSYJENy5XKRIq8p...",
"key": "https://mykeyvault12.vault.azure.net/...",
"authorization": { "method": "msi" }
}
]
"attestations": {
"selfIssued": {}, // values the user can provide directly
"presentations": {}, // credentials the user must provide
"idTokens": [ // identity providers the user must authenticate with
{
"mapping": { // define which claims should be included in credentials
"studentId": { "claim": “studentId" },
"firstName": { "claim": "given_name" },
"lastName": { "claim": "family_name" }
},
"configuration": "https://contoso.edu/.well-known/openid-configuration",
"client_id": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
"redirect_uri": “https://contosouniversity.edu/verify"
}
],
},
}
Contract describes requirements for issuance
Configure properties of the issued credential

52. "validityInterval": 2592000, // expiration of a credential, in seconds
"signingKeys": [ // details of the signing keys used to issue credentials
{
"kid": "did:ion:test:EiBBk-jMkByqfJPKTSYJENy5XKRIq8p...",
"key": "https://mykeyvault12.vault.azure.net/...",
"authorization": { "method": "msi" }
}
]
"attestations": {
"selfIssued": {}, // values the user can provide directly
"presentations": {}, // credentials the user must provide
"idTokens": [ // identity providers the user must authenticate with
{
"mapping": { // define which claims should be included in credentials
"studentId": { "claim": “studentId" },
"firstName": { "claim": "given_name" },
"lastName": { "claim": "family_name" }
},
"configuration": "https://contoso.edu/.well-known/openid-configuration",
"client_id": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
"redirect_uri": “https://contosouniversity.edu/verify"
}
],
{
"credentialIssuer": "https://portableidentitycards.azure-api...",
"issuer": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"vc": {
"type": [ "https://contosouniversity.edu/StudentIdCredential" ] // the type of the credential, used by verifiers to request
},
"validityInterval": 2592000, // expiration of a credential, in seconds
"signingKeys": [ // details of the signing keys used to issue credentials
{
"kid": "did:ion:test:EiBBk-jMkByqfJPKTSYJENy5XKRIq8p...",
"key": "https://mykeyvault12.vault.azure.net/...",
"authorization": { "method": "msi" }
}
]
"attestations": {
"selfIssued": {}, // values the user can provide directly
"presentations": {}, // credentials the user must provide
"idTokens": [ // identity providers the user must authenticate with
{
"mapping": { // define which claims should be included in credentials
"studentId": { "claim": “studentId" },
"firstName": { "claim": "given_name" },
"lastName": { "claim": "family_name" }
},
"configuration": "https://contoso.edu/.well-known/openid-configuration",
"client_id": "40be4fb5-7f3a-470b-aa37-66ed43821bd7",
"redirect_uri": “https://contosouniversity.edu/verify"
}
],
},
}
Contract describes requirements for issuance
Define requirements
to issue a new credential

53. Request issuance
Student

54. Request issuance
Student

55. Request issuance
Student

56. Request issuance
Student

57. Request issuance of a credential · OpenID request
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"response_type": "id_token",
"client_id": "https://contosouniversity.edu/presentation/request",
"redirect_uri": "https://contosouniveristy.edu/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"prompt": "create",
"registration" : {
"client_name": "Contoso University",
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"attestations": {
"presentations": [
{
"credentialType": "https://contosouniversity.edu/StudentIdCredential",
"contracts": ["https://credentials.msidentity.microsoft.com/.../studentId"]
}
]
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_...

58. "client_id": "https://contosouniversity.edu/presentation/request",
"redirect_uri": "https://contosouniveristy.edu/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"prompt": "create",
"registration" : {
"client_name": "Contoso University",
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"attestations": {
"presentations": [
{
"credentialType": "https://contosouniversity.edu/StudentIdCredential",
"contracts": ["https://credentials.msidentity.microsoft.com/.../studentId"]
}
]
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_...
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"response_type": "id_token",
"client_id": "https://contosouniveristy.edu/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"contract": "https://credentials.msidentity.microsoft.com/.../studentId"
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request issuance of a credential · OpenID request

59. {
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"response_type": "id_token",
"client_id": "https://contosouniveristy.edu/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"attestations": {
"presentations": [
{
"credentialType": "https://contosouniversity.edu/StudentIdCredential",
"contracts": ["https://credentials.msidentity.microsoft.com/.../studentId"]
}
]
}
}
.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"response_type": "id_token",
"client_id": "https://contosouniveristy.edu/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"contract": "https://credentials.msidentity.microsoft.com/.../studentId"
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request issuance of a credential · OpenID request
Request points to
a specific contract

60. "kid": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"response_type": "id_token",
"client_id": "https://contosouniveristy.edu/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"contract": "https://credentials.msidentity.microsoft.com/.../studentId"
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"response_type": "id_token",
"client_id": "https://contosouniveristy.edu/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"contract": "https://credentials.msidentity.microsoft.com/.../studentId"
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request issuance of a credential · OpenID request
Request is signed
by the issuer

61. Sign in
Student
Student browses to the Contoso
U portal and installs the PIC.
1. Go to the portal
2. Scan the code
3. Authenticate

62. OpenID request & response to university identity provider
https://contosouniversity.edu/openid/authorize?
client_id=eae8b7f2-dd72-4f63-98f0-2d5399d61508
&redirect_uri=openid://response
&state=ajflafn3o2n651oh56161631
&response_mode=fragment
&response_type=id_token
&scope=openid
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": “fjaklnk3n153n15"
}
.
// JWT payload
{
"iss": "https://contosouniversity.edu",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"firstName": "Alice",
"lastName": "Smith"
"studentId": “21905716"
}
.
// JWT signature
hhbXBsZS5jb20va2V5cy9mb28uandrIiwibmJmIjoxNTQxNDkzNzI0LCJpYXQiO

63. https://contosouniversity.edu/openid/authorize?
client_id=eae8b7f2-dd72-4f63-98f0-2d5399d61508
&redirect_uri=openid://response
&state=ajflafn3o2n651oh56161631
&response_mode=fragment
&response_type=id_token
&scope=openid
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": “fjaklnk3n153n15"
}
.
// JWT payload
{
"iss": "https://contosouniversity.edu",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
https://contosouniversity.edu/openid/authorize?
client_id=eae8b7f2-dd72-4f63-98f0-2d5399d61508
&redirect_uri=openid://response
&state=ajflafn3o2n651oh56161631
&response_mode=fragment
&response_type=id_token
&scope=openid
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": “fjaklnk3n153n15"
}
.
// JWT payload
{
"iss": "https://contosouniversity.edu",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"firstName": "Alice",
"lastName": "Smith"
"studentId": “21905716"
}
.
// JWT signature
hhbXBsZS5jb20va2V5cy9mb28uandrIiwibmJmIjoxNTQxNDkzNzI0LCJpYXQiO
OpenID request & response to university identity provider
A standard OpenID Connect
authorize request

64. // JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": “fjaklnk3n153n15"
}
.
// JWT payload
{
"iss": "https://contosouniversity.edu",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"firstName": "Alice",
"lastName": "Smith"
"studentId": “21905716"
}
.
// JWT signature
hhbXBsZS5jb20va2V5cy9mb28uandrIiwibmJmIjoxNTQxNDkzNzI0LCJpYXQiO
https://contosouniversity.edu/openid/authorize?
client_id=eae8b7f2-dd72-4f63-98f0-2d5399d61508
&redirect_uri=openid://response
&state=ajflafn3o2n651oh56161631
&response_mode=fragment
&response_type=id_token
&scope=openid
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": “fjaklnk3n153n15"
}
.
// JWT payload
{
"iss": "https://contosouniversity.edu",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"firstName": "Alice",
"lastName": "Smith"
"studentId": “21905716"
}
.
// JWT signature
hhbXBsZS5jb20va2V5cy9mb28uandrIiwibmJmIjoxNTQxNDkzNzI0LCJpYXQiO
OpenID request & response to university identity provider
An id_token is returned to Authenticator
as a proof

65. Add a Card
Student

66. Add a Card
Student

67. Format of an issued verifiable credential
// Verifiable Credential as a JWT
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1", // The user’s DID
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ", // The issuer’s DID
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723, // The expiration of the credential
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
"credentialSubject": { // The claims in the credential
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...

68. // Verifiable Credential as a JWT
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1", // The user’s DID
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ", // The issuer’s DID
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723, // The expiration of the credential
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
"credentialSubject": { // The claims in the credential
Follows W3C standard for
Decentralized Identifiers.
// Verifiable Credential as a JWT
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1", // The user’s DID
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ", // The issuer’s DID
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723, // The expiration of the credential
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
"credentialSubject": { // The claims in the credential
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
Format of an issued verifiable credential

69. "iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ", // The issuer’s DID
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723, // The expiration of the credential
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
"credentialSubject": { // The claims in the credential
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
Follows W3C standard
for verifiable credentials.
// Verifiable Credential as a JWT
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1", // The user’s DID
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ", // The issuer’s DID
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723, // The expiration of the credential
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
"credentialSubject": { // The claims in the credential
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
Format of an issued verifiable credential

70. "exp": 1573029723, // The expiration of the credential
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
"credentialSubject": { // The claims in the credential
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
Credential is signed by issuer’s DID
// Verifiable Credential as a JWT
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1", // The user’s DID
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ", // The issuer’s DID
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723, // The expiration of the credential
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"], // The type of the credential
"credentialSubject": { // The claims in the credential
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
Format of an issued verifiable credential

71. Card added
Student

72. Verify Student ID
Bookstore

73. Request Permission
Bookstore

74. Request presentation of a credential: OpenID request
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1",
"response_type": "id_token",
"client_id": "https://bookstore.com/presentation/request",
"redirect_uri": "https://bookstore.com/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"client_name": "Fabrikam Bookstore",
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:ion:z6MkjR...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"attestations": {
"presentations": [
{ "credentialType": "https://contosouniversity.edu/StudentIdCredential" }
]
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq

75. "client_id": "https://bookstore.com/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/ did:ion:nmaf...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"attestations": {
"presentations": [
{ "credentialType": "https://contosouniversity.edu/StudentIdCredential" }
]
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1",
"response_type": "id_token",
"client_id": "https://bookstore.com/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/ did:ion:nmaf...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
“attestations":
"id_token": {
"https://contosouniversity.edu/StudentIdCredential": {
"essential": "true",
"purpose": "To prove you are a student.",
}
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request presentation of a credential: OpenID request

76. "client_id": "https://bookstore.com/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/ did:ion:nmaf...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
"attestations": {
"presentations": [
{ "credentialType": "https://contosouniversity.edu/StudentIdCredential" }
]
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request describes the requested
credentials.
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1",
"response_type": "id_token",
"client_id": "https://bookstore.com/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/ did:ion:nmaf...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
“attestations":
"id_token": {
"https://contosouniversity.edu/StudentIdCredential": {
"essential": "true",
"purpose": "To prove you are a student.",
}
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request presentation of a credential: OpenID request

77. "state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/ did:ion:nmaf...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
“attestations":
"id_token": {
"https://contosouniversity.edu/StudentIdCredential": {
"essential": "true",
"purpose": "To prove you are a student.",
}
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request is signed by verifier’s DID
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1#veri-key1"
}
.
// JWT payload
{
"iss": "did:ion:nmafdanafdaf12jkln1ln1hazhjanfu1",
"response_type": "id_token",
"client_id": "https://bookstore.com/presentation/response",
"scope": "openid did_authn",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"response_mode" : "form_post",
"registration" : {
"jwks_uri" : "https://uniresolver.io/1.0/identifiers/ did:ion:nmaf...",
"id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
},
“attestations":
"id_token": {
"https://contosouniversity.edu/StudentIdCredential": {
"essential": "true",
"purpose": "To prove you are a student.",
}
}
}
.
// JWT signature
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTYB-rK4Ft9YVmR1NI_ZOF8oGc_7wAp
8PHbF2HaWodQIoOBxxT-4WNqAxft7ET6lkH-4S6Ux3rSGAmczMohEEf8eCeN-jC8WekdPl6zKZQj0YPB
1rx6X0-xlFBs7cl6Wt8rfBP_tZ9YgVWrQmUWypSioc0MUyiphmyEbLZagTyPlUyflGlEdq
Request presentation of a credential: OpenID request

78. Approve Permission
Student

79. Presentation of a credential: OpenID Response
// Verifiable Credential included in presentation
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1",
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ",
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723,
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"],
"credentialSubject": {
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
// Sent via HTTP POST
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:example:subject#key-1"
}
.
// JWT payload
{
"iss": "https://self-issued.me",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"sub_jwk" : {
"crv":"secp256k1",
"kid":"did:example:subject#verikey-1",
"kty":"EC",
"x":"7KEKZa5xJPh7WVqHJyUpb2MgEe3nA8Rk7eUlXsmBl-M",
"y":"3zIgl_ml4RhapyEm5J7lvU-4f5jiBvZr4KgxUjEhl9o"
},
"sub": "9-aYUQ7mgL2SWQ_LNTeVN2rtw7xFP-3Y2EO9WV22cF0",
"did": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1",
"vp": "eyJhbGciOiJIUzI1NiIsI..." // Verifiable Presentation see content to the right
}
.
// JWT signature
hhbXBsZS5jb20va2V5cy9mb28uandrIiwibmJmIjoxNTQxNDkzNzI0LCJpYXQiO
jE1NDE0OTM3MjQsImV4cCI6MTU3MzAyOTcyMywibm9uY2UiOiI2NjAhNjM0NUZTZXIiLCJ2YyI6eyJAY
29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd

80. // Sent via HTTP POST
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:example:subject#key-1"
}
.
// JWT payload
{
"iss": "https://self-issued.me",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"sub_jwk" : {
"crv":"secp256k1",
"kid":"did:example:subject#verikey-1",
"kty":"EC",
"x":"7KEKZa5xJPh7WVqHJyUpb2MgEe3nA8Rk7eUlXsmBl-M",
"y":"3zIgl_ml4RhapyEm5J7lvU-4f5jiBvZr4KgxUjEhl9o"
},
"sub": "9-aYUQ7mgL2SWQ_LNTeVN2rtw7xFP-3Y2EO9WV22cF0",
"did": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1",
"vp": {
"@context": [ "https://www.w3.org/2018/credentials/v1"],
"type": ["VerifiablePresentation"],
"verifiableCredential": ["eyJhbGciOiJIUzI1NiIsI..."] }
}
.
// JWT signature
hhbXBsZS5jb20va2V5cy9mb28uandrIiwibmJmIjoxNTQxNDkzNzI0LCJpYXQiO
jE1NDE0OTM3MjQsImV4cCI6MTU3MzAyOTcyMywibm9uY2UiOiI2NjAhNjM0NUZTZXIiLCJ2YyI6eyJAY
29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd
// Verifiable Credential included in presentation
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1",
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ",
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723,
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"],
"credentialSubject": {
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status”
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...
DID in presentation matches
subject of issued credential
"did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1"
"did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1"
// Sent via HTTP POST
// JWT header
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:example:subject#key-1"
}
.
// JWT payload
{
"iss": "https://self-issued.me",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"sub_jwk" : {
"crv":"secp256k1",
"kid":"did:example:subject#verikey-1",
"kty":"EC",
"x":"7KEKZa5xJPh7WVqHJyUpb2MgEe3nA8Rk7eUlXsmBl-M",
"y":"3zIgl_ml4RhapyEm5J7lvU-4f5jiBvZr4KgxUjEhl9o"
},
"sub": "9-aYUQ7mgL2SWQ_LNTeVN2rtw7xFP-3Y2EO9WV22cF0",
"did": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1",
"vp": {
"@context": [ "https://www.w3.org/2018/credentials/v1"],
"type": ["VerifiablePresentation"],
"verifiableCredential": ["eyJhbGciOiJIUzI1NiIsI..."] }
}
.
// JWT signature
hhbXBsZS5jb20va2V5cy9mb28uandrIiwibmJmIjoxNTQxNDkzNzI0LCJpYXQiO
jE1NDE0OTM3MjQsImV4cCI6MTU3MzAyOTcyMywibm9uY2UiOiI2NjAhNjM0NUZTZXIiLCJ2YyI6eyJAY
29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd
Presentation of a credential: OpenID Response
// Verifiable Credential included in presentation
{
"alg": "RS256",
"typ": "JWT",
"kid": "did:example:issuer#keys-1"
}.
{
"sub": "did:ion:njn9416416zgf1qp316n1lkjl5n1jap980h1",
"jti": "http://contosouniversity.edu/credentials/3732",
"iss": "did:ion:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd ",
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723,
"nonce": "660!6345FSer",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://contosouniversity.edu"
],
"type": ["VerifiableCredential", "StudentIDCredential"],
"credentialSubject": {
"studentId": "21905716"
},
"credentialStatus": {
"type": "CredentialRevocatinMechanism",
"id": "https://credentials.msidentity.microsoft.com/api/v1.0/portable/status
}
}
}.
KLJo5GAyBND3LDTn9H7FQokEsUEi8jKwXhGvoN3JtRa51xrNDgXDb0cq1UTY...

81. Verify Permission
Bookstore

84. https://github.com/microsoft/VerifiableCredentials-
Verification-SDK-Typescript
https://github.com/microsoft/VerifiableCredentials-
Crypto-SDK-Typescript
https://github.com/microsoft/VerifiableCredential-
SDK-Android

85. Help RPs to work with
Verifiable Credentials
Validate tokens (SI, id
tokens, VCs, VPs,
Issuance and Present
SIOP)
Create SIOP requests
Supports signing
with/or without Key
Vault
Serves as a
specification for
customers using other
stacks

88. aka.ms/didwhitepaper
aka.ms/opendid
https://didproject.azurewebsites.net/

89. Microsoft 365
https://aka.ms/adaptivecardscommunitycall
https://aka.ms/microsoftgraphcall
https://aka.ms/IDDevCommunityCalendar
https://aka.ms/microsoftteamscommunitycall
https://aka.ms/officeaddinscommunitycall
https://aka.ms/powerappscommunitycall
https://aka.ms/spdev-call
https://aka.ms/spdev-sig-call
https://aka.ms/spdev-spfx-call
https://aka.ms/M365DevCalls

90. Recording will be available soon on our
Microsoft 365 Developer YouTube channel
https://aka.ms/M365DevYouTube
(subscribe today)
Follow us on Twitter
@Microsoft365Dev and @azuread
Next call: August 20th at 9:00am PST
https://aka.ms/IDDevCommunityCalendar
Thank you