Workflow

End-to-End Workflow for Inji Mobile Wallet

Credential Download via OpenID4VCI Flow

This workflow describes how Inji Wallet downloads a Verifiable Credential (VC) from an issuing authority using the OpenID4VCI protocol.

Actors:

  • Inji Wallet: Orchestrates the process, interacts with VCI Client and Secure Keystore.

  • Secure Keystore: Signs cryptographic proofs.

  • VCI Client: Manages OpenID4VCI communication with the Issuing Authority.

  • Authorization Server: Authenticates the user (e.g., eSignet).

  • Issuing Authority: Issues the VC.

  • VC Verifier: Verifies credential authenticity.

  • Pixelpass: Handles QR code generation and encoding.

Workflow Steps:

  1. Key Pair Generation: On first use, Inji Wallet generates and securely stores a cryptographic key pair via the Secure Keystore.

  2. VC Download Request: User initiates VC download (via UIN/VID or KBI). Wallet instructs VCI Client to start the OpenID4VCI issuance flow.

  3. User Authentication: VCI Client redirects the user to the Authorization Server. User authenticates (OTP, KBI, etc.). Authorization Server returns an auth code.

  4. Token Exchange: Wallet exchanges the auth code for an access token and nonce from the Authorization Server.

  5. Proof Construction: Wallet creates a proof JWT with the nonce, sends it to Secure Keystore for signing, and receives the signed proof JWT.

  6. Credential Issuance Request: VCI Client sends the signed proof JWT to the Issuing Authority. Issuer returns the VC.

  7. Credential Verification: Wallet verifies the VC with the VC Verifier (checks signature and schema). If verification fails, an error is shown.

  8. VC Storage and Rendering: Verified credentials are securely stored. For some credentials, a QR code is cached for offline use.

Verifiable Presentation (VP) Sharing via OpenID4VP Flow

This workflow explains how Inji Wallet shares selected VCs with a verifier (Relying Party) using the OpenID4VP protocol.

Actors:

  • User: Selects credentials and provides consent.

  • Inji Wallet: Manages the process, interacts with OpenID4VP Module and Secure Keystore.

  • Secure Keystore: Signs VP tokens.

  • OpenID4VP Module: Validates requests and structures the VP token.

  • Relying Party (Verifier): Requests and validates credentials.

Workflow Steps:

  1. QR Code Creation: The verifier generates a QR code containing the authentication request.

  2. QR Code Scan: User scans the QR code in Inji Wallet, which extracts the auth request.

  3. Auth Request Validation: Wallet passes the request to the OpenID4VP Module for validation (issuer, signature, expiry, audience).

  4. Display Matching VCs & User Consent: Wallet finds matching credentials, displays them, and the user selects which to share and gives consent.

  5. Construct Unsigned VP Token: Wallet sends selected VCs and metadata to the OpenID4VP Module, which constructs the VP token (unsigned).

  6. Sign VP Token: OpenID4VP Module sends the unsigned VP token to Secure Keystore for signing. The signed VP token is returned.

  7. Send Auth Response to Verifier: Wallet sends the signed VP token and presentation_submission to the verifier. The verifier validates the response and, if successful, completes the transaction.

Features Flow

This document delineates the workflow for essential functionalities of Inji Wallet.

1. First App Launch

After installing the application for the first time, the user will be asked to set up unlock method for it. The app supports biometric or PIN-based locks. For more details, refer to the End User Guide.

Launch with passcode unlock method

Launch with biometric unlock method

2. Downloading, Verifying and storing credentials

Residents have the ability to download a Verifiable Credential (VC) for themselves, their family members, or friends using a single mobile device. This can be done through two methods:

While downloading the VCs, the credentials are validated and verified for the authenticity of the issuer using the signature and the proof type provided in the VC.

  • Downloading VC using OpenID for VC Issuance Flow (eSignet)

Download via eSignet

Below sections are going to detail as how Inji Wallet as an OIDC client to OpenID4VCI method of downloading a VC and illustrated implementations.

Download credentials using UIN / VID:

This method of VC download illustrates the OpenID4VCI method of download using UIN / VID issued to the resident. In this, eSignet plays the authentication and authorisation end point to connect to the credential provider (Reference Implementation: MOSIP). To understand more about Onboarding Mimoto (Inji BFF) as an OIDC client to support credential issuance from any issuer who support OpenID4VCI protocol refer here.

Download credentials using Knowledge Based Identification (KBI)

This method of VC download illustrates the OpenID4VCI method of download using KBI (Knowledge Based Identification). In this, eSignet plays the authentication, authorisation and credential issuance end point to connect to the credential provider. To understand more about Onboarding Mimoto (Inji BFF) as an OIDC client to support credential issuance from any issuer who supports OpenID4VCI protocol, refer here.

Appendix:

  • The term β€œidentifier” in the architecture diagram refers to the unique identifier which can be used to download the credential on the esignet login Page

  • eSignet supports Various types of authorizations, ACR value is configured based on the Issuers' need to include the authorization mode in the authorization page

  • Types of Authorization Supported for Credential Download by eSignet are:

    • Login With OTP: Credential download using OTP Based authentication to authorize the user

      Illustrated Implementation: National ID credentials download

    • Login With KBI: Credential download using KBI to authorize the user. The knowledge (as described by the credential issuer to authorize) is exposed to eSignet from Registry (Issuer) through eSignet Issuance Plugins

      Illustrated Implementation: Insurance ID credentials download

3. Sharing of credentials

The credentials are shared in a peer-to-peer model with the verifier application. The data exchange between devices is done using the BLE Protocol. For more information, refer to Tuvali documentation.

4. QR code login process

  • Residents can use Inji Wallet to log in to any service provider app (integrated with e-Signet) by just scanning a QR code from their portal.

  • The app performs offline face auth after scanning the QR code to verify the user's presence.

  • Once the presence is verified, the resident is given the option to choose the optional information to be shared with the service provider portal.

  • After consent is provided, the app sends a WLA (Wallet local auth) token which is a JWT token to the relying party.

  • The resident is then given the access to the portal after the token verification.

Step 1: VC activation process

Step 2: QR code login

5. Data backup and restore

From Settings screen, users can access Backup settings screen. In Backup settings screen, users can configure their preferences for data backup. The setting, configured once during the application's lifecycle, determines whether Google Drive or iCloud will be utilized based on the device platform. To restore backup data to the mobile wallet, users must log in to the same account and configure settings within the app accordingly. Additionally, restored Verifiable Credentials (VCs) should be re-activated to enable QR Code login functionality.

Last updated

Was this helpful?