Building Blocks of Decentralised Identity
Decentralised Identifiers
Decentralised Identifiers (DIDs) are unique digital identifiers that individuals issue, manage, and store themselves rather than relying on a centralised authority. Central to the DID framework is the use of cryptographic key pairs: a public key that is openly published for verification purposes, and a private key that remains confidential, ensuring security and authenticity. DIDs empower individuals to assert their identity independently, offering a self-sovereign form of identification. This autonomy enables individuals to provide verifiable facts about themselves to others in a secure and privacy-preserving manner, a cornerstone in the evolving landscape of digital interactions and trust.
A DID is assigned to each Affinidi Vault user upon successful registration. The DID method used by Affinidi Vault is did:key.
Verifiable Credentials
Verifiable Credentials (VCs) are digital attestations that are cryptographically signed and verifiable, making them tamper-evident and reliable. VCs can represent various facets of an individual’s identity, from academic achievements and employment history to medical records. These credentials place control and privacy squarely in the hands of the individual, who can store and manage them in a digital identity wallet, for instance, Affinidi Vault.
An Email VC is issued to Affinidi Vault users after successful account creation, and it is signed by Affinidi. These verifiable credentials are stored in the Affinidi Vault and shared only with the user's consent.
Affinidi Vault issues VCs using the W3C Verifiable Credentials Data Model.
Verifiable Presentations
A Verifiable Presentation (VP) is a collection of one or more VCs, packaged in a specific way for presentation to a “verifier” such as a service provider. VPs are digitally signed by the holder (using their private key) to prove control over the included VCs. They allow you to selectively disclose only the relevant information from your VCs, preserving privacy. The verifier can then cryptographically validate the VP. VPs are important as they offer a more secure and privacy-conscious way to prove your identity compared to sharing raw VCs. For example, to prove your age at an age-restricted venue, you can present a VP containing only your birthdate without revealing your nationality or address, as compared to the current method of showing your driver’s license or identification card.
sequenceDiagram
    actor User
    participant Affinidi Vault
    participant Affinidi Login
    User->>Affinidi Vault: User confirms consent to share data
    Affinidi Vault->>Affinidi Vault: Generate Verifiable Presentation (VP) of shared VCs
    Affinidi Vault->>Affinidi Login: Send the Verifiable Presentation (VP Token)
OpenID for Verifiable Presentations
OpenID for Verifiable Presentations (OID4VP) is an extension to the OpenID Connect (OIDC) standard that enables users to be their own identity provider without relying on third-party providers. This extension incorporates the Presentation Exchange Protocol, allowing for the request and presentation of verifiable credentials. Explore our documentation on how Affinidi Login utilises Presentation Exchange Protocol to enable developers to verify the identity of the user.
With OID4VP, the “VP Token” is introduced, a new token type for conveying Verifiable Presentations (VPs). It utilizes the Presentation Exchange Protocol from the Decentralized Identity Foundation (DIF) within the OIDC “claims” request parameter. This integration specifies the credential requirements for applications and assists verifiers in processing the presented credentials.
Here is the representation of the OID4VP implementation with Affinidi Login and Affinidi Vault, which stores the user's verifiable credentials and enables consent management for data sharing.
sequenceDiagram
    actor User
    participant Affinidi Login
    participant Affinidi Vault
    Affinidi Login->>Affinidi Vault: Initialise request to the Vault with Authorisation request
    Affinidi Vault->>User: Show Consent screen to share data
    User->>Affinidi Vault: User confirms consent to share data
    Affinidi Vault->>Affinidi Vault: Generate Verifiable Presentation (VP)
    Affinidi Vault->>Affinidi Login: Redirect to Affinidi Login with the VP Token Response
    Affinidi Login->>User: Show extension loading screen
    Affinidi Login->>Affinidi Login: Extract VP Token from the Response
Affinidi Login converts the VP Token into a standard format called “ID Token”. It sends the ID Token to the requestor (an application or website) to verify the user’s identity.
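The Presentation Exchange part of the request above is what tells the wallet which credentials to put in the VP Token. As an added example (not Affinidi's code), here is a minimal Presentation Exchange evaluator: given a presentation_definition carried in the OIDC "claims" parameter of a constructed authorisation request, it finds the wallet credentials that satisfy each input_descriptor and builds the presentation_submission that tells the verifier where each credential sits in the VP. The JSONPath and JSON Schema support is deliberately limited to the dotted paths and filter keywords the example needs, and the wallet contents, request and format value are constructed.

```javascript
// Added example (not Affinidi code): a minimal Presentation Exchange (DIF PEX)
// evaluator. Given the presentation_definition carried in an OID4VP request,
// it selects the wallet credentials that satisfy each input_descriptor and
// builds the presentation_submission the verifier uses to locate them.

// Minimal JSONPath: supports "$.a.b" dotted paths only (enough for the common
// "$.type" and "$.credentialSubject.<claim>" constraints).
function jsonPath(obj, path) {
  if (!path.startsWith('$')) throw new Error('path must start with $');
  return path.slice(1).split('.').filter(Boolean)
    .reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Subset of the JSON Schema vocabulary used in PEX field filters.
function matchesFilter(value, filter) {
  if (filter === undefined) return true;
  if (filter.type === 'string' && typeof value !== 'string') return false;
  if (filter.type === 'array' && !Array.isArray(value)) return false;
  if ('const' in filter && value !== filter.const) return false;
  if (filter.pattern !== undefined &&
      !(typeof value === 'string' && new RegExp(filter.pattern).test(value))) return false;
  if (filter.contains !== undefined &&
      !(Array.isArray(value) && value.some((v) => matchesFilter(v, filter.contains)))) return false;
  return true;
}

// A field is satisfied if any of its candidate paths resolves to a matching value.
function fieldSatisfied(credential, field) {
  return field.path.some((p) => {
    const value = jsonPath(credential, p);
    return value !== undefined && matchesFilter(value, field.filter);
  });
}

function descriptorSatisfied(credential, descriptor) {
  const fields = (descriptor.constraints && descriptor.constraints.fields) || [];
  return fields.every((f) => f.optional === true || fieldSatisfied(credential, f));
}

// Returns the chosen credentials and a presentation_submission, or null when
// some input_descriptor cannot be satisfied from the wallet.
function selectCredentials(presentationDefinition, walletCredentials) {
  const selected = [];
  const descriptorMap = [];
  for (const descriptor of presentationDefinition.input_descriptors) {
    const match = walletCredentials.find((vc) => descriptorSatisfied(vc, descriptor));
    if (!match) return null;
    let index = selected.indexOf(match);
    if (index < 0) index = selected.push(match) - 1;
    // "ldp_vc" is an assumed format value; a real wallet reports the format it holds.
    descriptorMap.push({ id: descriptor.id, format: 'ldp_vc', path: `$.verifiableCredential[${index}]` });
  }
  return {
    selected,
    submission: { id: 'submission-1', definition_id: presentationDefinition.id, descriptor_map: descriptorMap },
  };
}

// Constructed wallet contents: an Email credential and an unrelated one.
const WALLET = [
  { '@context': ['https://www.w3.org/2018/credentials/v1'], type: ['VerifiableCredential', 'Email'],
    issuer: 'did:example:issuer', credentialSubject: { id: 'did:example:holder', email: 'alice@example.com' } },
  { '@context': ['https://www.w3.org/2018/credentials/v1'], type: ['VerifiableCredential', 'MembershipCard'],
    issuer: 'did:example:club', credentialSubject: { id: 'did:example:holder', tier: 'gold' } },
];

// Constructed OID4VP authorisation request: the verifier asks, through the OIDC
// "claims" parameter, for a credential of type Email with a well-formed address.
const AUTHORIZATION_REQUEST = {
  response_type: 'vp_token',
  client_id: 'https://verifier.example/callback',
  nonce: 'constructed-nonce-1',
  claims: { vp_token: { presentation_definition: {
    id: 'email-login',
    input_descriptors: [{
      id: 'email_vc',
      constraints: { fields: [
        { path: ['$.type'], filter: { type: 'array', contains: { const: 'Email' } } },
        { path: ['$.credentialSubject.email'], filter: { type: 'string', pattern: '^[^@\\s]+@[^@\\s]+$' } },
      ] },
    }],
  } } },
};

function evaluateRequest(request, wallet) {
  return selectCredentials(request.claims.vp_token.presentation_definition, wallet);
}
```

The descriptor_map is what the verifier reads first: it maps each input_descriptor id to a JSONPath inside the VP, so the verifier checks the credential it finds there against the same constraints rather than trusting the wallet's selection.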
OpenID for Verifiable Credential Issuance
OpenID for Verifiable Credential Issuance (OID4VCI) is an extension to the OpenID Connect (OIDC) standard that provides the mechanism for Issuers to issue Verifiable Credentials to Affinidi Vault users, and for those users to obtain the credentials. This extension uses the OAuth 2.0 authorisation flow to obtain authorisation to receive Verifiable Credentials, so the issuance process benefits from the established security and flexibility of the OAuth 2.0 framework.
sequenceDiagram
    actor User
    participant Affinidi Vault
    participant Credential Issuance Service
    User->>Affinidi Vault: Enters the Transaction Code to view the Credential Offer
    Affinidi Vault->>Credential Issuance Service: Resolves Offer URI and gets the Credential Offer with Access Token
    Note over Affinidi Vault, Credential Issuance Service: Affinidi Vault will exchange Trx Code and Pre-Auth Code <br /> for the Access Token to Get the Credential
    Credential Issuance Service->>Credential Issuance Service: Validate credential proof
    Credential Issuance Service->>Credential Issuance Service: Update Credential Offer as Claimed
    Credential Issuance Service->>Affinidi Vault: Return the Verifiable Credential
    Affinidi Vault->>User: Present the Verifiable Credential
    User->>Affinidi Vault: Accepts the Verifiable Credential
    Affinidi Vault->>Affinidi Vault: Securely Stores the Verifiable Credential
The Issuer sends the claim link to the Affinidi Vault user that contains the Credential Offer URI. The Credential Offer URI is used to get the required access token to retrieve the issued credential. The user can choose to accept the credential and store it in the Affinidi Vault or reject the credential offer.
Set up the Affinidi Vault and developer tools to get started with Affinidi Trust Network.