Setup vc-oauthn-oidc for PoC with CLBC #30

Open
cvarjao opened this issue Jun 27, 2023 · 3 comments

cvarjao commented Jun 27, 2023

Courthouse Libraries of BC (CLBC) is looking into standing up a new web service based on Drupal. In this new web app they would like to look into integrating with LSBC Member Card as the most effective way of identifying accredited lawyers in good standing.

Acceptance Criteria

  • An OIDC gateway/proxy is set up for them which uses a proof request for authentication
  • For the PoC, the proof request will be based on the Member Card issued by the showcase
  • (Bonus) CLBC is able to configure the application endpoints themselves
@swcurran

Summary of what I think would be needed to set up.

  • We need a technical resource/point of contact on our side to work with their point of contact.
    • Emiliano has done this in the past -- not sure who has the knowledge to do that in his place.
    • Meetings:
      • Overview of what is going to happen -- demo, theory of operation, integration points.
      • Understanding of their environment/tech stack. What OpenIDConnect capability is in Drupal?
      • Periodic meetings/support to complete the integration.
  • Deploy a dev/test/prod instance of ACA-Py+vc-authn-oidc, including a Postgres wallet instance, and ideally (but not crucial) a Redis setup.
    • Mostly an SRE task. Effort depends on the state of the templates for deploying this. Identical to Access to Audio?
    • I would guess this is a few days at most.
    • AFAIK - we don't have Traction deployed and ready for this, so that is not an option. We could use this to spin up a "vc-authn-oidc" Traction instance, with a plan to use that for future vc-authn-oidc deployments.
  • Coordinate CLBC's access to the different instances
    • Authentication for use of the endpoints.
    • Define their presentation request for the vc-authn-oidc instance.
  • Documentation
    • Technical - what they need to do to maintain their environment, testing in Dev/Test
    • End user

Interesting idea -- could they use the same instance as Access to Audio? They are doing exactly the same thing -- could they just use that deployment that is already in use?


WadeBarnes commented Jun 28, 2023

I'm thinking they could integrate with the existing KeyCloak/vc-authn instances we are using for ACM (A2A) and DEMS for LSBC. There are already proof requests configured for the LSBC Member Card alone, or the Member Card plus Person Credential.

Drupal can integrate with KeyCloak realms; https://www.drupal.org/project/keycloak


esune commented Aug 9, 2023

I had a quick chat with Aaron yesterday, and it sounds like CLBC would like to add a verified email to the proof request. What is to be confirmed is whether this is true and whether https://email-verification.vonx.io can be used, or a new service would need to be developed/deployed (note: be mindful/careful with the proliferation of services we need to maintain, we have too many already).

Integration with the same keycloak realm ACM is using would be the way to go and path of least friction.
