Workflow
End-to-End Workflow for Inji Mobile Wallet
Credential Download via OpenID4VCI Flow
This workflow describes how Inji Wallet downloads a Verifiable Credential (VC) from an issuing authority using the OpenID4VCI protocol.
Actors:
Inji Wallet: Orchestrates the process, interacts with VCI Client and Secure Keystore.
Secure Keystore: Signs cryptographic proofs.
VCI Client: Manages OpenID4VCI communication with the Issuing Authority.
Authorization Server: Authenticates the user (e.g., eSignet).
Issuing Authority: Issues the VC.
VC Verifier: Verifies credential authenticity.
Pixelpass: Handles QR code generation and encoding.
Workflow Steps:
Key Pair Generation: On first use, Inji Wallet generates and securely stores a cryptographic key pair via the Secure Keystore.
VC Download Request: User initiates VC download (via UIN/VID or KBI). Wallet instructs VCI Client to start the OpenID4VCI issuance flow.
User Authentication: VCI Client redirects the user to the Authorization Server. User authenticates (OTP, KBI, etc.). Authorization Server returns an auth code.
Token Exchange: Wallet exchanges the auth code for an access token and nonce from the Authorization Server.
Proof Construction: Wallet creates a proof JWT with the nonce, sends it to Secure Keystore for signing, and receives the signed proof JWT.
Credential Issuance Request: VCI Client sends the signed proof JWT to the Issuing Authority. Issuer returns the VC.
Credential Verification: Wallet verifies the VC with the VC Verifier (checks signature and schema). If verification fails, an error is shown.
VC Storage and Rendering: Verified credentials are securely stored. For some credentials, a QR code is cached for offline use.
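The Proof Construction and Credential Issuance Request steps above, shown as an added example (not Inji Wallet or issuer code): the wallet binds the issuer's nonce to its key in a proof JWT, and the issuer checks that binding before issuing. Assumptions: ES256 with the `openid4vci-proof+jwt` header type from the OpenID4VCI specification, a software key standing in for the Secure Keystore, and hypothetical function names and identifiers.

```javascript
// Added illustration, not Inji code. A software key stands in for the Secure Keystore.
const nodeCrypto = require('node:crypto');
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64u = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Hypothetical keystore stand-in: exposes the public JWK and a sign() call only.
function createKeystore() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicJwk: publicKey.export({ format: 'jwk' }),
    sign: (data) => nodeCrypto.sign('sha256', Buffer.from(data),
      { key: privateKey, dsaEncoding: 'ieee-p1363' }).toString('base64url'),
  };
}

// Wallet side (Proof Construction): bind the issuer's nonce to the wallet key.
function buildProofJwt(keystore, { clientId, issuerId, cNonce, now }) {
  const header = { alg: 'ES256', typ: 'openid4vci-proof+jwt', jwk: keystore.publicJwk };
  const payload = { iss: clientId, aud: issuerId, iat: now, nonce: cNonce };
  const signingInput = `${b64u(header)}.${b64u(payload)}`;
  return `${signingInput}.${keystore.sign(signingInput)}`;
}

// Issuer side (Credential Issuance Request): checks made before a VC is bound to the key.
function verifyProofJwt(jwt, { issuerId, expectedNonce, now, maxAgeSec = 300 }) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, payload, key;
  try {
    header = fromB64u(h);
    payload = fromB64u(p);
    key = nodeCrypto.createPublicKey({ key: header.jwk, format: 'jwk' });
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin algorithm, type and key family instead of trusting whatever the header claims.
  if (header.alg !== 'ES256' || header.typ !== 'openid4vci-proof+jwt' ||
      key.asymmetricKeyType !== 'ec') return { ok: false, reason: 'bad header' };
  const valid = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (payload.aud !== issuerId) return { ok: false, reason: 'wrong audience' };
  if (payload.nonce !== expectedNonce) return { ok: false, reason: 'nonce mismatch' };
  if (Math.abs(now - payload.iat) > maxAgeSec) return { ok: false, reason: 'iat out of range' };
  return { ok: true, holderJwk: header.jwk };
}
```

A proof captured from one issuance attempt fails with `nonce mismatch` once the issuer has rotated its nonce, which is what prevents replay of an old proof JWT.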
Verifiable Presentation (VP) Sharing via OpenID4VP Flow
This workflow explains how Inji Wallet shares selected VCs with a verifier (Relying Party) using the OpenID4VP protocol.
Actors:
User: Selects credentials and provides consent.
Inji Wallet: Manages the process, interacts with OpenID4VP Module and Secure Keystore.
Secure Keystore: Signs VP tokens.
OpenID4VP Module: Validates requests and structures the VP token.
Relying Party (Verifier): Requests and validates credentials.
Workflow Steps:
QR Code Creation: The verifier generates a QR code containing the authentication request.
QR Code Scan: User scans the QR code in Inji Wallet, which extracts the auth request.
Auth Request Validation: Wallet passes the request to the OpenID4VP Module for validation (issuer, signature, expiry, audience).
Display Matching VCs & User Consent: Wallet finds matching credentials, displays them, and the user selects which to share and gives consent.
Construct Unsigned VP Token: Wallet sends selected VCs and metadata to the OpenID4VP Module, which constructs the VP token (unsigned).
Sign VP Token: OpenID4VP Module sends the unsigned VP token to Secure Keystore for signing. The signed VP token is returned.
Send Auth Response to Verifier: Wallet sends the signed VP token and presentation_submission to the verifier. The verifier validates the response and, if successful, completes the transaction.
Features Flow
This document delineates the workflow for essential functionalities of Inji Wallet.
1. First App Launch
After installing the application for the first time, the user is asked to set up an unlock method for it. The app supports biometric or PIN-based locks. For more details, refer to the End User Guide.
Launch with passcode unlock method

Launch with biometric unlock method

2. Downloading, Verifying and storing credentials
Residents have the ability to download a Verifiable Credential (VC) for themselves, their family members, or friends using a single mobile device. This can be done through two methods:
While downloading the VCs, the credentials are validated and verified for the authenticity of the issuer using the signature and the proof type provided in the VC.
Downloading VC using OpenID for VC Issuance Flow (eSignet)
Download via eSignet
The sections below detail how Inji Wallet, acting as an OIDC client, uses the OpenID4VCI method to download a VC, along with illustrated implementations.
Download credentials using UIN / VID:
This method of VC download illustrates the OpenID4VCI method of download using the UIN / VID issued to the resident. Here, eSignet acts as the authentication and authorisation endpoint that connects to the credential provider (Reference Implementation: MOSIP). To understand more about onboarding Mimoto (Inji BFF) as an OIDC client to support credential issuance from any issuer who supports the OpenID4VCI protocol, refer here.
Download credentials using Knowledge Based Identification (KBI)
This method of VC download illustrates the OpenID4VCI method of download using KBI (Knowledge Based Identification). Here, eSignet acts as the authentication, authorisation and credential issuance endpoint that connects to the credential provider. To understand more about onboarding Mimoto (Inji BFF) as an OIDC client to support credential issuance from any issuer who supports the OpenID4VCI protocol, refer here.

Appendix:
The term "identifier" in the architecture diagram refers to the unique identifier which can be used to download the credential on the eSignet login page.
eSignet supports various types of authorization. The ACR value is configured based on the issuer's need to include the authorization mode in the authorization page.
Types of Authorization Supported for Credential Download by eSignet are:
Login With OTP: Credential download using OTP-based authentication to authorize the user
Illustrated Implementation: National ID credentials download
Login With KBI: Credential download using KBI to authorize the user. The knowledge (as described by the credential issuer to authorize) is exposed to eSignet from the Registry (Issuer) through eSignet Issuance Plugins
Illustrated Implementation: Insurance ID credentials download
3. Sharing of credentials
The credentials are shared in a peer-to-peer model with the verifier application. The data exchange between devices is done using the BLE Protocol. For more information, refer to Tuvali documentation.

4. QR code login process
Residents can use Inji Wallet to log in to any service provider app (integrated with eSignet) by just scanning a QR code from their portal.
The app performs offline face auth after scanning the QR code to verify the user's presence.
Once the presence is verified, the resident is given the option to choose the optional information to be shared with the service provider portal.
After consent is provided, the app sends a WLA (Wallet Local Auth) token, which is a JWT, to the relying party.
The resident is then given access to the portal after the token is verified.
Step 1: VC activation process


Step 2: QR code login

5. Data backup and restore
From the Settings screen, users can access the Backup settings screen, where they can configure their preferences for data backup. The setting, configured once during the application's lifecycle, determines whether Google Drive or iCloud will be utilized based on the device platform. To restore backup data to the mobile wallet, users must log in to the same account and configure settings within the app accordingly. Additionally, restored Verifiable Credentials (VCs) should be re-activated to enable QR Code login functionality.

