Skip to content

Inform user of revoked credentials#765

Closed
Gavinok wants to merge 5 commits intoopenwallet-foundation:mainfrom
Gavinok:errors-to-ui
Closed

Inform user of revoked credentials#765
Gavinok wants to merge 5 commits intoopenwallet-foundation:mainfrom
Gavinok:errors-to-ui

Conversation

@Gavinok
Copy link
Contributor

@Gavinok Gavinok commented May 12, 2025

This PR resolves #704

I have added a new "Revoked" state to auth sessions that will be displayed as seen below when the provided credential has been revoked

image

In addition, the failed state has now had the revoked possibility removed from the list of possible errors. Something we should consider looking into is if the other possible errors would make sense. "Expired" credentials could mean a failed requested_predicate which we should specify.

I also am not sure what we could really mean by a "missing" credential. Is this for when a wallet holds a credential which is not on the ledger? This should not be possible with the BC wallet

Gavin Jaeger-Freeborn added 3 commits May 9, 2025 11:09
Basic handling of revoked credentials error
300d3e2 
Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@google.com>
Update the UI to alert the user of the revoked credential
91bd39b 
Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@google.com>
Merge branch 'main' into errors-to-ui
9257d8a
@Gavinok Gavinok requested review from esune and loneil May 12, 2025 19:52
@coveralls
Copy link

coveralls commented May 12, 2025
edited
Loading

Pull Request Test Coverage Report for Build 15006433657

Details

  • 12 of 12 (100.0%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.2%) to 88.02%
Totals Coverage Status
Change from base Build 14889016103: 0.2%
Covered Lines: 720
Relevant Lines: 818
💛 - Coveralls

@Gavinok Gavinok marked this pull request as draft May 12, 2025 21:15
Added tests for is_revoked
e29a6ea 
Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@google.com>
@Gavinok Gavinok marked this pull request as ready for review May 13, 2025 18:00
esune
esune requested changes May 13, 2025
View reviewed changes
Copy link
Member

@esune esune left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about the message in the UI: can we surface which credential is revoked, or just that "a credential" is revoked? In scenarios where the proof-request includes more than one credential restriction (e.g.: Person credential and LSBC credential for BCGov's lawyer use-case) it would be helpful to know which credential did not pass the revocation check. If this is not possible, we may just want to update the message to indicate that one or more crdentials that are part of the response to the proof-request ae revoked.

Changed logging types
b7f0e24 
Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@google.com>
@Gavinok
Copy link
Contributor Author

Gavinok commented May 13, 2025

Thinking about the message in the UI: can we surface which credential is revoked, or just that "a credential" is revoked? In scenarios where the proof-request includes more than one credential restriction (e.g.: Person credential and LSBC credential for BCGov's lawyer use-case) it would be helpful to know which credential did not pass the revocation check. If this is not possible, we may just want to update the message to indicate that one or more crdentials that are part of the response to the proof-request ae revoked.

Ya we can get the cred_def_id so from there we can get the tag. Would that be enough or is there something else we would need?

@esune
Copy link
Member

esune commented May 13, 2025

For missing: I do not think that use-case is currently possible, at least not with BC Wallet, as you would be prevented from submitting the response if you don;t hold all the credentials that are required. In general, it could be that the proof-request requires one or more credentials and the response does not send the correct ones in the response - unsure on how likely this scenario is though.

Thinking about the message in the UI: can we surface which credential is revoked, or just that "a credential" is revoked? In scenarios where the proof-request includes more than one credential restriction (e.g.: Person credential and LSBC credential for BCGov's lawyer use-case) it would be helpful to know which credential did not pass the revocation check. If this is not possible, we may just want to update the message to indicate that one or more crdentials that are part of the response to the proof-request ae revoked.

Ya we can get the cred_def_id so from there we can get the tag. Would that be enough or is there something else we would need?

For troubleshooting purposes knowing the cred_def_id would certainly be helpful as it would allow us to figure out which credential is causing the verification to fail.

@Gavinok
Copy link
Contributor Author

Gavinok commented May 14, 2025

I realized that the revoked field I am using is unfortunately not only filled for revoked fields based on further testing. Jamie has suggested trying to use the /issued/details endpoint so I will try migrating the is_revoked method to using it

@Gavinok
Copy link
Contributor Author

Gavinok commented May 15, 2025

What should be informing us about the revoked credential is the verified_msgs we get back which seem to be empty. I have opened an issue to track the handling of this openwallet-foundation/acapy#3724

For more context see https://github.com/openwallet-foundation/acapy/blob/main/open-api/swagger.json#L13336

@Gavinok Gavinok closed this May 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esune esune esune requested changes

@loneil loneil Awaiting requested review from loneil

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

If a completed present proof 2.0 webhook is not verified (failed state) see what we can log and/or bring to the UI

3 participants

@Gavinok @coveralls @esune