Login with Verifiable Credentials
This guide covers the passwordless login flow using Procivis One's own services as both issuer and verifier. The BFF issues a login credential to an authenticated user, and the OpenID Bridge later accepts that credential as proof of identity in place of a username and password. While this flow is used internally to enable credential-based login to the Procivis One Desk, it also serves as a reference implementation for building your own passwordless login experience on top of Procivis One.
Issue a login credential with BFF
The BFF can issue a login credential that the user can present for subsequent logins.
You can see the flow in action in our trial environment, where Desk users can request a login credential from their profile page.
Two authorization scopes
This workflow demonstrates how different authorization scopes work together:
- User scope (1. Desk to BFF)
  - The user requests a login credential through Desk. The BFF validates that the user has permission to request a login credential, but the user does not need permission to issue credentials.
- Technical user scope (2. & 3. BFF to Core)
  - The BFF calls the Core as a technical user with its own app token. The Core validates that the BFF technical user has permission to create and share credentials of the specific type requested, within the designated tenant and issuer configuration. The Core does not check the end user's permissions, only the BFF's.
Permission isolation and tenant segmentation
This separation of scopes enables important security boundaries:
- Users can request credentials without issuing privileges: End users do not need broad credential issuance permissions. The BFF mediates the request and ensures the credential contains the correct user information.
- BFF operates in its own tenant: The BFF technical user is scoped to a dedicated tenant used exclusively for login credential issuance. This prevents the BFF from issuing credentials that belong to regular user workflows or other tenant contexts.
- Principle of least privilege: Each actor (user, BFF) has only the minimum permissions necessary for its role, limiting the blast radius of any potential compromise.
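As an added illustration, not Procivis One's own code, the two scopes and their isolation modelled in Python: the Core checks only the BFF's app token against the tenant and credential type, the BFF checks only the user's right to request, and the subject claims are taken from the authenticated session rather than from request input. The tenant, schema and permission names are made up for the example.

```python
from dataclasses import dataclass

# Constructed identifiers (hypothetical, not Procivis One's real tenant/schema names)
LOGIN_TENANT = "login-credential-tenant"
LOGIN_SCHEMA = "LoginCredential"

@dataclass(frozen=True)
class AppToken:  # the BFF's own technical-user token
    subject: str
    tenant: str
    permissions: frozenset

@dataclass(frozen=True)
class UserSession:  # end user authenticated to Desk
    user_id: str
    email: str
    permissions: frozenset

class Core:
    """Technical scope: checks only the caller's app token against tenant and schema."""
    def issue_credential(self, token: AppToken, tenant: str, schema: str, claims: dict) -> dict:
        if token.tenant != tenant:
            raise PermissionError(f"token scoped to {token.tenant}, not {tenant}")
        needed = {f"credential:create:{schema}", f"credential:share:{schema}"}
        if not needed <= token.permissions:
            raise PermissionError("technical user may not issue this credential type")
        return {"tenant": tenant, "schema": schema, "claims": dict(claims)}

class BFF:
    """User scope: checks the user's right to request; issuing rights belong to the BFF."""
    def __init__(self, core: Core, app_token: AppToken):
        self.core, self.app_token = core, app_token

    def request_login_credential(self, session: UserSession) -> dict:
        if "login-credential:request" not in session.permissions:
            raise PermissionError("user may not request a login credential")
        # Subject claims come from the authenticated session, never from request input,
        # so a user cannot obtain a credential that identifies someone else.
        claims = {"user_id": session.user_id, "email": session.email}
        return self.core.issue_credential(self.app_token, LOGIN_TENANT, LOGIN_SCHEMA, claims)

def outcome(bff: BFF, session: UserSession) -> str:
    """'issued' or the denial reason, so each boundary can be checked as a value."""
    try:
        bff.request_login_credential(session)
        return "issued"
    except PermissionError as e:
        return f"denied: {e}"
```

A user with only the request permission still receives a credential, while a BFF token scoped to another tenant or lacking the share permission is refused by the Core regardless of who asked.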
Verify login credential with OpenID Bridge
The Bridge and Core can be used to consume verifiable credentials as part of the OAuth 2.0 Authorization Code Flow.
You can see the flow in action in our trial environment, where users can log in to the Procivis One Desk using a credential issued from the Desk.
Login with a credential does not require the STS authentication mode.