In this blog post I will cover the setup of Azure AD Verifiable Credentials, but first some background.
What are Verifiable credentials?
We use IDs in our daily lives. We have driver's licenses that we use as evidence of our ability to operate a car. Universities issue diplomas that prove we attained a level of education. We use passports to prove who we are to authorities when we arrive in other countries. The Verifiable Credentials data model describes how to handle these kinds of scenarios over the internet, securely and in a way that respects users' privacy. You can find more information in The Verifiable Credentials Data Model 1.0.
In short, verifiable credentials are data objects consisting of claims made by an issuer about a subject. The claims follow a schema, and the credential carries the DIDs (decentralized identifiers) of both the issuer and the subject. The issuer signs the credential with a key bound to its DID; that digital signature is the proof that the issuer stands behind the claims, and anyone who can resolve the issuer's DID to its public key can verify it.
How to set up the underlying resources
Prerequisites
- If you don't have an Azure subscription, create one for free.
- Sign up for an Azure Active Directory Premium edition subscription in your tenant.
- Ensure that you hold the Global Administrator role in the directory you want to configure.
- Ensure that you have PowerShell 7.0.6 LTS-x64, PowerShell 7.1.3-x64, or later installed.
Create a Service Principal
Connect to Azure AD with the Connect-AzAccount -TenantId switch.
If you use Connect-AzAccount without any switches, you will get a warning.
```powershell
# Install the Az modules if they are missing (they are auto-imported on first use)
if (-not (Get-Module -ListAvailable -Name "Az.Accounts")) {
    Install-Module -Name "Az.Accounts" -Scope CurrentUser
}
if (-not (Get-Module -ListAvailable -Name "Az.Resources")) {
    Install-Module -Name "Az.Resources" -Scope CurrentUser
}

# Replace <your-tenant-ID> with your Azure AD tenant ID (keep the quotes, or PowerShell
# will treat the angle brackets as redirection operators)
Connect-AzAccount -TenantId "<your-tenant-ID>"

# The AppId bbb94529-53a3-4be5-a069-7eaf2712b826 is the Microsoft Verifiable Credentials service.
# This creates its service principal (Enterprise application) in your tenant.
New-AzADServicePrincipal -ApplicationId "bbb94529-53a3-4be5-a069-7eaf2712b826" -DisplayName "Verifiable Credential Request Service"

# You can check the Enterprise application with the following
Get-AzADServicePrincipal -ApplicationId "bbb94529-53a3-4be5-a069-7eaf2712b826"
```
Or you can check the application under Enterprise applications in the portal.
Create a Key Vault
You can create the Key Vault with the following command:
```powershell
# Choose a name, resource group and geographical location
New-AzKeyVault -Name "Cloudparnerkeyvault001" -ResourceGroupName "Professional_RSG" -Location "North Europe"
```
You can then see it in the portal.
Permissions
You can add the permissions with the following. Your own account needs to manage keys in the vault, but the Verifiable Credentials service only ever reads the public key and signs with the private one, so it gets exactly get and sign and nothing else. Because it is a service principal, it has to be granted with -ServicePrincipalName (which takes the application ID); granting it with -UserPrincipalName does not resolve to the service principal.
```powershell
# Permissions for your user on the Key Vault keys
Set-AzKeyVaultAccessPolicy -VaultName "Cloudparnerkeyvault001" -UserPrincipalName firstname.lastname@domain.fi -PermissionsToKeys get,list,update,create,import,delete,recover,backup,restore,sign

# Least-privilege rights for the Verifiable Credentials service principal: read the key and sign with it
Set-AzKeyVaultAccessPolicy -VaultName "Cloudparnerkeyvault001" -ServicePrincipalName bbb94529-53a3-4be5-a069-7eaf2712b826 -PermissionsToKeys get,sign
```
You can then see the access policies on the Key Vault.
App registration
```powershell
# Add the app registration with the following
New-AzADApplication -DisplayName "Verifiable-credentials-app"
```
App registration permissions
Under API permissions, add an application permission for the Verifiable Credential Request Service API (the service principal created in the earlier step).
Then grant admin consent for the tenant.
And done.
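Before moving on, it is worth confirming that the service principal exists and that its Key Vault access policy really is the minimal get,sign. The following check script is an added example, not code from the original post; it assumes the Key Vault name used above and the published AppId of the Verifiable Credential Request Service.

```powershell
# Added check script, not part of the original post. It assumes the Key Vault name used above
# and the published AppId of the Verifiable Credential Request Service.
$VaultName       = "Cloudparnerkeyvault001"
$VcServiceAppId  = "bbb94529-53a3-4be5-a069-7eaf2712b826"
$AllowedKeyPerms = @("get", "sign")   # all the service needs: fetch the public key and sign credentials

function Get-NormalizedPerms($perms) {
    # Lower-case the names and drop nulls so the comparison is case-insensitive and safe on empty lists
    @($perms | Where-Object { $_ } | ForEach-Object { $_.ToString().ToLower() })
}

# 1. The service principal (Enterprise application) must exist in this tenant
$sp = Get-AzADServicePrincipal -ApplicationId $VcServiceAppId
if (-not $sp) {
    throw "No service principal for AppId $VcServiceAppId in this tenant; run New-AzADServicePrincipal first."
}
Write-Host "Service principal found: $($sp.DisplayName) (ObjectId $($sp.Id))"

# 2. Key Vault access policies are keyed by object ID, so match on $sp.Id rather than on the AppId
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key Vault $VaultName not found in the current subscription." }
$policy = $vault.AccessPolicies | Where-Object { "$($_.ObjectId)" -eq "$($sp.Id)" }
if (-not $policy) {
    throw "No access policy for the service principal. A policy set with -UserPrincipalName <AppId> does not resolve to it; use -ServicePrincipalName."
}

# 3. Least privilege: exactly get and sign on keys, nothing on secrets or certificates
$keyPerms    = Get-NormalizedPerms $policy.PermissionsToKeys
$secretPerms = Get-NormalizedPerms $policy.PermissionsToSecrets
$certPerms   = Get-NormalizedPerms $policy.PermissionsToCertificates

$findings = @()
$missing = @($AllowedKeyPerms | Where-Object { $keyPerms -notcontains $_ })
$excess  = @($keyPerms | Where-Object { $AllowedKeyPerms -notcontains $_ })
if ($missing.Count -gt 0)     { $findings += "missing key permissions: $($missing -join ', ')" }
if ($excess.Count -gt 0)      { $findings += "excess key permissions: $($excess -join ', ')" }
if ($secretPerms.Count -gt 0) { $findings += "secret permissions granted: $($secretPerms -join ', ')" }
if ($certPerms.Count -gt 0)   { $findings += "certificate permissions granted: $($certPerms -join ', ')" }

if ($findings.Count -eq 0) {
    Write-Host "OK: the Verifiable Credentials service holds exactly get,sign on keys in $VaultName."
} else {
    Write-Warning ("Access policy for the Verifiable Credentials service needs attention: " + ($findings -join "; "))
}
```

Run it in the same session you used for Connect-AzAccount. The most common failure it catches is the policy having been created against the AppId as if it were a user, in which case no policy matches the service principal's object ID and the throw in step 2 fires.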
Set up Verifiable Credentials
Prerequisites
- Set up a tenant for Azure AD Verifiable Credentials.
- To clone the repository that hosts the sample app, install Git.
- Visual Studio Code, or a similar code editor.
- .NET 5.0.
- ngrok (free).
- A mobile device with Microsoft Authenticator:
- Android version 6.2108.5654 or later installed.
- iOS version 6.5.82 or later installed.
Create a storage account
You can create a storage account with PowerShell.
```powershell
# Create the storage account
New-AzStorageAccount -ResourceGroupName "professional_rsg" -Name "cloudpartnervcstorage" -Location "northeurope" -SkuName Standard_LRS

# Grant your user data-plane read access to the storage account.
# Replace <your-subscription-ID>; the scope contains no spaces and must be passed as one quoted string.
New-AzRoleAssignment -SignInName firstname.lastname@domain.fi -RoleDefinitionName 'Storage Blob Data Reader' -Scope "/subscriptions/<your-subscription-ID>/resourceGroups/professional_rsg/providers/Microsoft.Storage/storageAccounts/cloudpartnervcstorage"
```
Create container under Storage account
```powershell
# Get the storage account keys
$StorageAccountKeys = Get-AzStorageAccountKey -ResourceGroupName "professional_rsg" -Name "cloudpartnervcstorage"

# Select the first key and expand its value
$Key0 = $StorageAccountKeys | Select-Object -First 1 -ExpandProperty Value

# Build a storage context from that key and put it in the $Context variable
$Context = New-AzStorageContext -StorageAccountName "cloudpartnervcstorage" -StorageAccountKey $Key0

# Create the new container with the context; -Permission Off keeps it private (no anonymous access)
New-AzStorageContainer -Context $Context -Name "cloudpartnervccontainer" -Permission Off
```
Remove public access from the Storage Account
```powershell
# Close the storage account's public endpoint; afterwards only private-endpoint traffic is accepted
Set-AzStorageAccount -ResourceGroupName "professional_rsg" -Name "cloudpartnervcstorage" -PublicNetworkAccess Disabled
```
Note that -PublicNetworkAccess Disabled closes the public endpoint for everyone, including the portal's storage browser and your own workstation, so upload the configuration files before running it. If the goal is only to block anonymous (unauthenticated) reads of the blobs while keeping authenticated access, use -AllowBlobPublicAccess $false instead.
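As an added example (not from the original post), here is a posture check for the storage account that holds the configuration files. It goes slightly beyond the step above by also checking the transport settings. It assumes the resource group, account and container names used on this page, and it uses management-plane cmdlets only, so it still works after the public endpoint has been disabled.

```powershell
# Added check script, not part of the original post. Assumes the resource group, storage account
# and container names used above. Management-plane cmdlets only, so it works even after
# -PublicNetworkAccess Disabled has closed the data-plane endpoint.
$ResourceGroup  = "professional_rsg"
$StorageAccount = "cloudpartnervcstorage"
$Container      = "cloudpartnervccontainer"

$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$ctr     = Get-AzRmStorageContainer -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount -Name $Container

$findings = @()

# Anonymous blob access must be off at the account level; a null value means the old default (allowed)
if ($account.AllowBlobPublicAccess -ne $false) {
    $findings += "AllowBlobPublicAccess is not false (current: '$($account.AllowBlobPublicAccess)'); fix with Set-AzStorageAccount -AllowBlobPublicAccess `$false"
}

# The container itself must not grant anonymous access either (defence in depth)
if ("$($ctr.PublicAccess)" -ne "None") {
    $findings += "container '$Container' PublicAccess is '$($ctr.PublicAccess)'; expected None"
}

# Transport: HTTPS only, and no TLS 1.0/1.1 for clients fetching the files
if (-not $account.EnableHttpsTrafficOnly) {
    $findings += "EnableHttpsTrafficOnly is false"
}
if ("$($account.MinimumTlsVersion)" -in @("", "TLS1_0", "TLS1_1")) {
    $findings += "MinimumTlsVersion is '$($account.MinimumTlsVersion)'; expected TLS1_2 or higher"
}

# Network exposure is reported rather than failed, because Disabled also blocks your own uploads
Write-Host "PublicNetworkAccess: $($account.PublicNetworkAccess)"

if ($findings.Count -eq 0) {
    Write-Host "OK: no anonymous access path to the credential configuration files in $StorageAccount."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The two anonymous-access checks are the ones that matter for this setup: the rules and display files describe exactly which claims your issuer trusts, and an anonymous reader of that container learns your issuance logic for free.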
Create configuration files
Azure AD Verifiable Credentials uses two JSON configuration files, the rules file and the display file.
- The rules file describes important properties of the verifiable credential. In particular, it describes the claims that subjects (users) need to provide before a verifiable credential is issued to them.
- The display file controls the branding of the credential and styling of the claims.
Create two files. The first one is VerifiedCredentialExpertDisplay.json:
```json
{
  "default": {
    "locale": "en-US",
    "card": {
      "title": "Verified Credential Expert",
      "issuedBy": "Microsoft",
      "backgroundColor": "#2E4053",
      "textColor": "#ffffff",
      "logo": {
        "uri": "https://didcustomerplayground.blob.core.windows.net/public/VerifiedCredentialExpert_icon.png",
        "description": "Verified Credential Expert Logo"
      },
      "description": "Use your verified credential to prove to anyone that you know all about verifiable credentials."
    },
    "consent": {
      "title": "Do you want to get your Verified Credential?",
      "instructions": "Sign in with your account to get your card."
    },
    "claims": {
      "vc.credentialSubject.firstName": {
        "type": "String",
        "label": "First name"
      },
      "vc.credentialSubject.lastName": {
        "type": "String",
        "label": "Last name"
      }
    }
  }
}
```
And the second one is VerifiedCredentialExpertRules.json:
```json
{
  "attestations": {
    "idTokens": [
      {
        "id": "https://self-issued.me",
        "mapping": {
          "firstName": { "claim": "$.given_name" },
          "lastName": { "claim": "$.family_name" }
        },
        "configuration": "https://self-issued.me",
        "client_id": "",
        "redirect_uri": ""
      }
    ]
  },
  "validityInterval": 2592001,
  "vc": {
    "type": [ "VerifiedCredentialExpert" ]
  }
}
```
Two things to be aware of in this sample. validityInterval is in seconds, so 2592001 is just over 30 days. More importantly, the attestation is self-issued (configuration https://self-issued.me): Microsoft Authenticator asks the holder to type in their first and last name, which is why client_id and redirect_uri are empty. The resulting credential therefore attests only what the holder entered, not an identity that has been verified against an identity provider.
Upload the configuration files
Open the container you created earlier and upload the two JSON files.
And done.
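The following added script (not part of the original post) serves both the configuration-file section and this upload step: it cross-checks the display and rules files against each other, warns about the self-issued attestation, and then uploads the files with your Azure AD identity rather than a storage account key. It assumes both files are in the current directory, that your account holds Storage Blob Data Contributor on the storage account (this page grants only Storage Blob Data Reader), and that the account's public endpoint is still reachable from your machine.

```powershell
# Added script, not from the original post. Assumptions: both JSON files are in the current
# directory, the caller holds Storage Blob Data Contributor on the account (the page only grants
# Reader), and the account's public endpoint has not yet been disabled.
$DisplayFile    = ".\VerifiedCredentialExpertDisplay.json"
$RulesFile      = ".\VerifiedCredentialExpertRules.json"
$StorageAccount = "cloudpartnervcstorage"
$Container      = "cloudpartnervccontainer"

function Test-VcConfigFiles($displayPath, $rulesPath) {
    # Returns a list of problems; an empty result means the two files agree
    $display = Get-Content -Raw $displayPath | ConvertFrom-Json
    $rules   = Get-Content -Raw $rulesPath   | ConvertFrom-Json
    $errors  = @()

    # Claims the display file renders, with the "vc.credentialSubject." prefix stripped
    $displayed = @($display.default.claims.PSObject.Properties.Name |
        ForEach-Object { $_ -replace '^vc\.credentialSubject\.', '' })

    # Claims the rules file actually populates, across every idTokens attestation
    $mapped = @()
    foreach ($token in @($rules.attestations.idTokens)) {
        $mapped += @($token.mapping.PSObject.Properties.Name)
        if ($token.configuration -eq 'https://self-issued.me') {
            Write-Warning "Attestation '$($token.id)' is self-issued: the holder types these claims in, so the credential proves nothing beyond what they entered."
        }
    }

    foreach ($c in $displayed) { if ($mapped -notcontains $c)    { $errors += "display claim '$c' has no mapping in the rules file" } }
    foreach ($c in $mapped)    { if ($displayed -notcontains $c) { $errors += "rules mapping '$c' is never displayed on the card" } }

    if (@($rules.vc.type).Count -eq 0) { $errors += "rules file has no vc.type" }
    if (-not $rules.validityInterval -or $rules.validityInterval -le 0) { $errors += "validityInterval must be a positive number of seconds" }

    return $errors
}

$problems = @(Test-VcConfigFiles $DisplayFile $RulesFile)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    throw "Fix the configuration files before uploading."
}

# OAuth context: the upload is authorised by your signed-in identity, so no account key is read or handled here
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
foreach ($file in $DisplayFile, $RulesFile) {
    Set-AzStorageBlobContent -File $file -Container $Container -Blob (Split-Path $file -Leaf) `
        -Context $ctx -Properties @{ ContentType = "application/json" } -Force | Out-Null
}

# Confirm what is now in the container
Get-AzStorageBlob -Container $Container -Context $ctx | Select-Object Name, Length, LastModified
```

The cross-check matters because the portal accepts the two files independently: a claim that is mapped in the rules file but missing from the display file is issued but never shown to the holder, and a displayed claim with no mapping is rendered empty.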
Creating Verifiable credentials
In the portal, search for Verifiable Credentials, open Credentials, and then select Create.
Select the files that we just uploaded.
And done.
Final thoughts
With Verifiable Credentials you will be able to provide other proofs of your identity, like a passport, driving licence, work agreement or even a school diploma.
A really nice feature, but the setup in preview is a little bit difficult; hopefully I have made it a little bit easier for everyone.
In the upcoming parts I will be connecting this setup to Azure AD B2C with custom policies!