Rory Braybrook
The new control plane
3 min read · May 16, 2023

Getting the “Issue Microsoft Entra Verified ID credentials from an application” flow working

A VC showing “Verified Credential Expert”

For a change, a non-B2C article!

Verified credentials could well be the next big thing in Identity. So I was keen to jump in and have a look 😃

You can read up on the concepts here.

First you have to configure your tenant. This was pretty straightforward although it took ages to publish the tenant — way more than the two hours it says is the max.

Note that there are two VC options — “did.web” and “did.ion”. You have to pick one and the only way to change is to delete the whole thing and start again. “did.ion” is described in the FAQ.

The GitHub sample is here.

There are three .NET samples there:

Image showing the three .NET samples; “api-tokenhint”, “user-signin” and “api.B2C”

The first two don’t specify the did type, but the third (the B2C one) uses “did:ion” so I decided to go with that.

This is the link to the article that I used for the first sample.

I had a number of problems getting the sample working that I’ve documented here.

The sample uses .NET 5.0, which is no longer supported, so I simply upgraded the framework to .NET 7.0.

You have to use ngrok if you are running the sample on localhost (the default). This gives the localhost site a publicly reachable URL.

When you run the sample, it opens a web site on:

https://localhost:44380/

This URL is not mentioned in the documentation.

If you try (as per the documentation):

ngrok http 5000

and then use the ngrok URL e.g.

https://fd86-122-60-56-37.ngrok-free.app 

you get:

ERR_NGROK_8012

Traffic was successfully tunneled to the ngrok agent, but the agent failed to establish a connection to the upstream web service at localhost:5000.

If you try:

ngrok http https://localhost:44380

and then the ngrok URL, you get:

HTTP Error 400. The request hostname is invalid.

The command you need is:

ngrok http https://localhost:44380 --host-header="localhost:44380"

You then see the screen:

Image showing the first screen with “Get credential” and “Verify credential”

and you can try and follow the steps in the first sample article.

You will get an error about “YOURPUBLICREACHABLEHOSTNAME” when you click on the buttons.

This is because you have to update that string in:

  • issuance_request_config.json
  • presentation_request_config - TrueIdentitySample.json
  • presentation_request_config.json

to the ngrok string e.g.

"url": "https://cb5b-122-60-56-37.ngrok-free.app/api/issuer/issuanceCallback",
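The placeholder replacement described above, as an added example in Python (not part of the original post or the Microsoft sample): it rewrites the three files in one pass, also retargets a `*.ngrok-free.app` host left over from an earlier tunnel, and refuses a non-HTTPS public URL. It assumes each file is plain JSON with the callback address under a `"url"` key, as in the line shown above; `set_public_host`, `_retarget` and `demo` are hypothetical names, and the file contents built in `demo` are constructed.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

PLACEHOLDER = "YOURPUBLICREACHABLEHOSTNAME"
CONFIG_FILES = ("issuance_request_config.json",
                "presentation_request_config - TrueIdentitySample.json",
                "presentation_request_config.json")

def _retarget(node, host, changed):
    """Walk parsed JSON; point placeholder or old-tunnel "url" values at host."""
    pairs = node.items() if isinstance(node, dict) else enumerate(node if isinstance(node, list) else [])
    for key, value in list(pairs):
        if key == "url" and isinstance(value, str):
            old = urlsplit(value)
            stale = (old.hostname or "").endswith(".ngrok-free.app") and old.netloc != host
            if PLACEHOLDER in value or stale:
                node[key] = urlunsplit(("https", host, old.path, old.query, ""))
                changed.append((value, node[key]))
        else:
            _retarget(value, host, changed)

def set_public_host(sample_dir, public_url):
    """Rewrite the three config files for public_url; return {file: [(old, new)]}."""
    target = urlsplit(public_url)
    if target.scheme != "https" or not target.hostname:
        raise ValueError("public URL must look like https://<host>")
    report = {}
    for name in CONFIG_FILES:
        path = Path(sample_dir) / name
        doc = json.loads(path.read_text(encoding="utf-8-sig"))  # tolerate a BOM
        changed = []
        _retarget(doc, target.netloc, changed)
        text = json.dumps(doc, indent=2)
        if PLACEHOLDER in text:  # placeholder somewhere this script does not handle
            raise ValueError(f"{name}: placeholder still present after rewrite")
        if changed:
            path.write_text(text + "\n", encoding="utf-8")
        report[name] = changed
    return report

def demo():
    """Constructed inputs (not the sample's real contents): one old host, two placeholders."""
    with tempfile.TemporaryDirectory() as d:
        for i, name in enumerate(CONFIG_FILES):
            host = PLACEHOLDER if i else "fd86-122-60-56-37.ngrok-free.app"
            body = {"callback": {"url": f"https://{host}/api/issuer/issuanceCallback"}}
            (Path(d) / name).write_text(json.dumps(body), encoding="utf-8")
        return set_public_host(d, "https://cb5b-122-60-56-37.ngrok-free.app")
```

Call `set_public_host` with the sample folder and the current ngrok URL whenever that URL changes; the returned report lists each old and new callback value per file.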

My appsettings.json looks like:

"AppSettings": {
  "Endpoint": "https://verifiedid.did.msidentity.com/v1.0/",
  "VCServiceScope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default",
  "Instance": "https://login.microsoftonline.com/{0}",

  "TenantId": "00...6c79",
  "ClientId": "6d...3838",
  "ClientSecret": "hn...NbR0",
  "CertificateName": "",
  "IssuerAuthority": "did:ion:EiCFr...:fQ",
  "VerifierAuthority": "did:ion:EiCFr...fQ",
  "CredentialManifest": "https://verifiedid.did.msidentity.com/v1.0/tenants/00d...9816c79/verifiableCredentials/contracts/114d...f00/manifest"
}

You should now be good to go.

All good!

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5