Issuing credentials directly to the MATTR mobile wallet

David Renwick • Aug 12, 2021 • 4 min read

Summary: We explore how to issue credentials using secure messaging.

At MATTR, we’ve pioneered a way to request and receive credentials using OpenID Connect (OIDC) capability.

However, if you already have a robust mechanism in place to authenticate users, then setting up additional OIDC capability is unnecessary. Sending credentials using secure Decentralized Identifier (DID) messaging or directly with a QR code is a safe, convenient alternative. In this article, we’ll explore this alternative method in more detail.

The MATTR mobile wallet supports two main channels for issuing a credential:

  • OpenID Credential Provider
  • Secure DID messaging

Note: We’re building DID messaging on the JOSE stack to facilitate signing and encryption.

OpenID Credential Provider

If you haven’t yet authenticated a user, using OpenID Credential Provider offers a secure way to authenticate a user at the point of credential creation. It involves setting up and configuring an OpenID Provider to work alongside the MATTR VII OIDC Bridge Extension — simple if you’re already using OIDC infrastructure, but more complex to set up from scratch.

Secure DID messaging

If you’ve already authenticated a user through another method, issuing a credential through a secure DID message is a reliable alternative to OIDC. This approach works well if you’re authenticating users through a website login or even in person (like a classroom or training centre).

Let’s see how this might work in practice.

1. Authentication

Before issuing a credential, you need to authenticate the user. The most common way to do this is having a user login to a session on your website.

2. Linking

Now that you’ve authenticated the user, you need to link their DID to the session of the user. This DID will be generated by the wallet they are using to hold the credential. You can obtain it in a few different ways:

  • If the user already has a credential you’ve issued, and you trust they are still in control of the subject DID in the credential, you can create a new credential based off the DID inside the credential.

  • If the user needs to link their DID from their mobile wallet, you can use a DID Auth flow to make sure you’re obtaining a validated DID that the user can prove they own.

  • If you needed to verify credential data from the user as part of the transaction anyway, you’ll need to use the Holder DID from the Verifiable Presentation as the determining DID.

For very simple use cases like demo and testing, if a user has the MATTR mobile wallet they can use a Public DID — they can simply copy the DID and pass it to you out-of-band.

3. Constructing the credential and message

Now that the DID is ‘known’ and we’ve authenticated the user, a Verifiable Credential is created using the MATTR VII platform. This credential is then packaged into a secure DID message format to be delivered to the recipient. Because the subject DID is known, the DID message can be encrypted to ensure the data is safe in transit. Use the messaging endpoints to easily perform this step.

4. Delivery

The MATTR mobile wallet can read DID messages in either a secure DID message, QR code or deep-link.

Sending a secure DID message is an easy way to push messages to mobile wallet holders. Once the message has been encrypted, it can be sent to the subject DID and the MATTR VII platform will route the encrypted message to the holder.

QR codes and deep-links typically make the messages too large to be reliably read by most smartphones. To solve this, we embed a URL to an endpoint hosting the DID message. Then, the MATTR mobile wallet simply follows a redirect to obtain the message.

5. Storing the credential

Once the MATTR mobile wallet receives the message, the user can view the credential to make sure it’s correct, then store the credential in the wallet. At this stage, the wallet will also perform some checks to verify the credential, including:

  • Validation of the credential proof
  • Resolving the issuer DID document
  • Checking that the issuer is publishing a valid DID-to-Domain linkage credential.

The checks are clearly visible to the user, and there’s assurance that when it comes time for a user to present their credential, it’ll be accepted by trusted verifiers.

Wrap up

If you’re already using a secure mechanism to authenticate your users, then setting up OIDC capability isn’t necessary. As we’ve explored, sending credentials using secure DID messaging directly or via a QR code or deep-link is safe, convenient and allows users to obtain their credentials directly.

Try this out for yourself now on the MATTR VII platform and in the MATTR mobile wallet.


Sign up today for a free trial of our MATTR VII platform to experience the powerful capabilities that can be deployed in the context of your organization.

This blog was originally posted on Medium.

Get in touch with us

Our technologies give you powerful ways to build trust and prove things about people. If you’ve got a use case and want to see what it might look like, we’d love to talk to you about it.

An integrated set of capabilities on a platform built for scale