/Webwallet-holder-EHIC

The wallet for the holder of the European Health Insurance Card

Primary LanguageTypeScript

User webwallet EHIC

Work in progress: Docker implementation need to be added

Webwallet for the EHIC project: a webwallet that stores the user's European Health Insurance Card (EHIC) received from the insurance company in the form of a Verifiable Credential upon request.

Running the app locally

Open the terminal in the Angular application and run the following command:

ng serve

The webportal will be available at http://localhost:4201/

How it works

The application starts with a user requesting a European Health Insurance Card in the form of a Verifiable Credential from the insurance webportal. This starts an exchange session.

After the exchange session is created in the issuer's backend server, the Pre-Authorized Code Flow begins generating and sending a request from the issuer of the verifiable credentials to the holder's webwallet, telling the wallet what kind of Credential from the issuer must be requested. The request is accompanied by a pre-authorized code and optional user pin, requiring the end user to enter a PIN when using the pre-authorized code. Instead of sending a request, the issuer can also generate a QR code with the same data:

http://localhost:8080/api/siop/initiateIssuance/
?issuer=http%3A%2F%2Flocalhost%3A8080%2Fissuer-api%2Fdefault%2Foidc%2F
&credential_type=EuropeanHealthInsuranceCard
&pre-authorized_code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI1MGQzNzkyNi0yNmRlLTRjOTktODRjMy1jMDk1OTgwMWRkYmEiLCJwcmUtYXV0aG9yaXplZCI6dHJ1ZX0.tubtX-jiDNcQmr4cRlQntTyIXmVuwx2xIhyRL-2kxCg
&user_pin_required=false

After activating this link, a request is sent from the issuer to the backend of the holder's wallet. In the backend, the pre-authorized code is exchanged for an access token on the issuer's token endpoint to retrieve the credentials. This streamlines the user experience. The issuer can choose to make the issue even more secure by setting and requiring a user PIN before receiving the verifiable credential. The obtained access token is then used to request the issuance of the verifiable credential from the issuer's authentication endpoint. The webwallet must include appropriate proof of possession of the key material to which the credential is bound with the request. Once approved, the issuance process starts where the backend wallet starts an “issuer-initiated issuance” session with the response from the issuer, which is presented to the front-end by means of a session Id:

http://localhost:4201/wallet/?sessionId=1665cb2f-76f8-48b1-86d7-c48c5a43510b

Retrieval session information

With this session ID, the wallet portal is able to retrieve the details of the issue request and present it to the holder: image

After clicking 'Accept', an OpenID-based OIDC4SSI/SIOP information exchange protocol starts. image

The wallet backend then communicates with the issuer backend to receive the verifiable credential that completes the issuance process (see image below for a high-level overview of the issuer-initiated exchange process): issuer-initiated exchange process

The wallet navigates to the overview where all obtained login details are listed: Overview Credentials

The user is now in possession of the verifiable credential European Health Insurance Card and can check the details of the data. The verifiable credential contains specific data related to the European Health Insurance Card and its holder, as well as general data about the verifiable credential, as well as the issuer, validity and expiration date of the verifiable credentials: Details EHIC

During the generation of the verifiable credential, the European Health Insurance Card is cryptographically signed with a digital signature by the issuer. This allows the holder's wallet to prove cryptographically that they are in rightful possession of the European Health Insurance Card they are presenting by proving that the device that obtained the identification is the same device it is presented with:

{
"format" : "jwt_vc", 
"proof" : 
   {
     "jwt" :"eyJraWQiOiJkaWQ6a2V5Ono2TWtuMWZ3Q29XNzhTWFNOVk0xRnR2WWFaaHpzcnR4WXlNdnZpRnBHbmhX  cjJ1VyN6Nk1rbjFmd0NvVzc4U1hTTlZNMUZ0dllhWmh6c3J0eFl5TXZ2aUZwR25oV3IydVciLCJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtuMWZ3Q29XNzhTWFNOVk0xRnR2WWFaaHpzcnR4WXlNdnZpRnBHbmhXcjJ1VyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9pc3N1ZXItYXBpL2RlZmF1bHQvb2lkYy8iLCJpYXQiOjE2NzkyNTMyNzEsIm5vbmNlIjoiYTUzOTlmZDUtMzFjNS00MGE5LWI5ZjMtZDI4ZWEyM2UyNGVhIn0.mkqutPlLvOWv__uRAAk_sgiwkx1eEwSId20OPormGzwkHga_azbFeoceDzeMA4z8quZ6hGf8sx98qSPk2BhbDQ", 
"proof_type" : "jwt"
}, 
"type" : "EuropeanHealthInsuranceCard"
}

Signature