Token Binding with Verifiable Credentials

Update: 21 July '22
Our Identity for All hackathon submission was a runner-up finalist.

It’s only been four months since the last Microsoft Hackathon targeted at my area of expertise, and Microsoft are back with another one. This time it is the Microsoft Identity for All Hackathon, again hosted by DevPost. This hackathon is targeted more at developers than security experts, with the challenge of building a solution on the Microsoft Identity Platform. I put the call out to the team from our last win to see who was up to the task of giving up nights and a couple of weekends. Elias Ekonomou, Christian Chung-Tak-Man and Farzan Akhtar were up for the challenge.

After a number of brainstorming sessions to define what we’d like to build, we agreed on building an Azure Web App for an online Metaverse Event. The Web App would be built entirely on the Azure Platform. It would combine Bring Your Own IDentity (BYOID), Identity Proofing and Decentralised Identity. The key component, though, was a rudimentary implementation of token binding with verifiable credentials.

Token binding is the concept of ensuring that an actor using a credential is the one to which it was issued and for the purpose (resource) it was intended.

Event Web App Overview

To set the scene for the purpose of the Event WebApp we conceived an upcoming event from Orange Interstellar Corporation. Orange Interstellar is ready to unveil their latest Interstellar Sports Utility Vehicle. Rumour has it the Interstellar Sports Utility Vehicle can also come with an optional interstellar jetbike.

The event will be an online event in the Metaverse. It would be attended by industry A-Listers and interstellar transportation influencers who are the recipients of an exclusive and illustrious personalised platinum ticket invitation.

Event Web App Architecture

The architecture below shows the flow of enrolling (redeeming) a platinum invite. Enrolling uses Self-Service Sign-Up to an Azure AD Web App utilising Azure Active Directory External Identities. The invitee is then issued a VerifiedID Verifiable Credential that also includes a facial biometric. The facial image is our form of token binding with verifiable credentials.

The event entry flow is also shown below. The attendee takes a selfie and presents their verifiable credential; the selfie is compared to the image taken during enrolment. The Azure Cognitive Services FaceAPI determines if the facial images are a match. If they are, and the verifiable credential is valid, the attendee is admitted to the event.
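
The entry decision described above, sketched as an added example (this is not the team's hackathon code). It assumes a flat claims object, an HMAC standing in for the issuer's signature on the credential, and a constructed `demoMatcher` standing in for the face comparison service; all function and field names are hypothetical.

```javascript
const crypto = require('node:crypto');

const ISSUER_KEY = 'constructed-demo-key'; // constructed secret; HMAC stands in for the issuer's signature
const MATCH_THRESHOLD = 0.8;               // assumed confidence cut-off for a face match

// Sign the claims with keys sorted so the proof does not depend on property order.
function sign(claims) {
  const canonical = JSON.stringify(claims, Object.keys(claims).sort());
  return crypto.createHmac('sha256', ISSUER_KEY).update(canonical).digest();
}

// Enrolment: the face reference sits inside the signed claims, which is the binding.
function issueCredential(subject, event, faceRef, expires) {
  const claims = { subject, event, faceRef, expires };
  return { claims, proof: sign(claims).toString('hex') };
}

// Constructed stand-in for a face comparison service: returns { isIdentical, confidence }.
function demoMatcher(reference, selfie) {
  return reference === selfie
    ? { isIdentical: true, confidence: 0.95 }
    : { isIdentical: false, confidence: 0.1 };
}

// Event entry: every check must pass, and each failure is reported distinctly.
function admit(credential, selfie, event, now, matchFaces) {
  const expected = sign(credential.claims);
  const given = Buffer.from(String(credential.proof), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { admitted: false, reason: 'invalid-proof' };
  }
  if (credential.claims.event !== event) return { admitted: false, reason: 'wrong-event' };
  if (now >= credential.claims.expires) return { admitted: false, reason: 'expired' };
  // Compare the selfie with the reference from the signed claims, never a caller-supplied one.
  const match = matchFaces(credential.claims.faceRef, selfie);
  if (!match.isIdentical || match.confidence < MATCH_THRESHOLD) {
    return { admitted: false, reason: 'face-mismatch' };
  }
  return { admitted: true, reason: 'ok' };
}
```

Because the face reference is covered by the proof, swapping it for another image invalidates the credential before any face comparison runs.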

[Figure: Token binding with verifiable credentials]

Demos

Here is a demo of the end solution showing an invitee redeeming their invite and receiving a verifiable credential with associated facial biometric.

Orange Interstellar Corp – SUV Event Launch

Orange Interstellar Corp is using Microsoft Azure to ensure the participants in their event are indeed those who have been invited. Built in Node.js and ASP.NET Core, using Azure services like Entra, Face and others. Submitted for the Microsoft Identity for All Hackathon. Built by Darren Robinson, Elias Ekonomou, Christian Chung-Tak-Man and Farzan Akhtar.

Of course, there will be people that try to sign up and attend the event that aren’t invited. Here is a demo of what happens when someone who isn’t on the guest list attempts to sign up.

Microsoft Identity for All Hackathon demo of a non-invitee trying to RSVP for an event

A brief technical description of our submission in the Microsoft Identity for All Hackathon. This video provides the demo of an individual who was not on the exclusive invite list trying to RSVP. https://devpost.com/software/orange-interstellar-corporation-event-webapp

What about all the technical details?

Want to know more? Our submission here on DevPost goes into a lot more detail including all the Azure services we used to build this solution. The code is also on GitHub in a repository here.