Implementing Restrictions on Proofs
Both the requested_attributes
and requested_predicates
fields have a
restrictions
field.
The restrictions
field is crucial for specifying conditions on the credentials
used to respond to proofs.
Restrictions are applied the same way to requested_attributes
and
requested_predicates
.
Fields to Restrict On
The fields in the list below can be used to apply restrictions to proofs:
schema_name
schema_id
schema_version
schema_issuer_did
(DID of the entity that issued the schema)issuer_did
(DID of the issuer of the credential)cred_def_id
(ID of the credential definition)attr::attr-name::value
(whereattr-name
is the name of an attribute in a credential)
Example Payload of Restrictions in Proofs
Below is an example body of a proof request with restrictions on the
requested_attributes
:
{
"comment": "test",
"type": "indy",
"indy_proof_request": {
"requested_attributes": {
"g_name": {
"name": "name",
"restrictions": [
{
"schema_name": "demo",
"schema_id": "EoNkijxxJx3RSpnFPQvweP:2:demo:0.1.0",
"schema_version": "0.1.0",
"schema_issuer_did": "EoNkijxxJx3RSpnFPQvweP",
"issuer_did": "8c7aBwbxcN8y6mEKBavq54",
"cred_def_id": "8c7aBwbxcN8y6mEKBavq54:3:CL:16:cred_def_1",
"attr::surname::value": "Demo"
}
]
}
},
"requested_predicates": {}
},
"save_exchange_record": false,
"connection_id": "8277590e-ffb5-4437-9226-3a06e1f22031"
}
Applying all of the schema restrictions to a proof request can be overkill.
In ACA-Py, the schema_id
is made up of the schema name, version, and schema
issuer DID.
Therefore, if a restriction is applied to the schema_id
, then effectively the
schema_name
, schema_version
, and schema_issuer_did
restrictions have also
been applied.
The last restriction in the list "attr::surname::value":"Demo"
ensures that
the credential has an attribute named surname
with the value Demo
.
Example Proof Flow with Restrictions
Below is the result of listing the credentials in a holder's wallet.
All of the credentials have the attributes name
and surname
, but all three of
the credentials are based on unique schemas and credential definitions with
extra/different attributes.
GET /v1/wallet/credentials
{
"results": [
{
"attrs": {
"surname": "Demo",
"name": "Alice"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:16:cred_def_1",
"cred_rev_id": null,
"referent": "4225da38-975b-4efc-93a8-32577cc5ba46",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo1:0.0.1"
},
{
"attrs": {
"is_cool": "True",
"surname": "Demo",
"sa_citizen": "yes",
"name": "Alice"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:18:cred_def_3",
"cred_rev_id": null,
"referent": "76d3f7be-4367-48f4-86d9-05343ddd48d4",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo3:0.0.3"
},
{
"attrs": {
"sa_citizen": "yes",
"name": "Alice",
"surname": "Demo"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:17:cred_def_2",
"cred_rev_id": null,
"referent": "3a100d3e-13cb-457b-8248-ad61589514c3",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo2:0.0.2"
}
]
}
No Restrictions on Proof Request
When sending a proof request for the attribute surname
, with no restrictions, we
see that the holder can respond with any one of the credentials:
POST /v1/verifier/send-request
{
"type": "indy",
"indy_proof_request": {
"requested_attributes": {
"get_surname": {
"name": "surname",
"restrictions": []
}
},
"requested_predicates": {}
},
"save_exchange_record": true,
"connection_id": "696f19ef-6cb9-4ca3-a729-9d02f0c47e1e"
}
When the holder checks what credentials can respond to the proof by calling the
route below with the proof_id
, we see that the holder can respond with any of the credentials, as all of them
can satisfy the get_surname
property in the requested_attributes
.
GET /v1/verifier/proofs/{proof_id}/credentials
[
{
"cred_info": {
"attrs": {
"name": "Alice",
"surname": "Demo"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:16:cred_def_1",
"cred_rev_id": null,
"referent": "4225da38-975b-4efc-93a8-32577cc5ba46",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo1:0.0.1"
},
"interval": null,
"presentation_referents": ["get_surname"]
},
{
"cred_info": {
"attrs": {
"sa_citizen": "yes",
"surname": "Demo",
"name": "Alice",
"is_cool": "True"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:18:cred_def_3",
"cred_rev_id": null,
"referent": "76d3f7be-4367-48f4-86d9-05343ddd48d4",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo3:0.0.3"
},
"interval": null,
"presentation_referents": ["get_surname"]
},
{
"cred_info": {
"attrs": {
"sa_citizen": "yes",
"surname": "Demo",
"name": "Alice"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:17:cred_def_2",
"cred_rev_id": null,
"referent": "3a100d3e-13cb-457b-8248-ad61589514c3",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo2:0.0.2"
},
"interval": null,
"presentation_referents": ["get_surname"]
}
]
Restriction on Schema ID
Below, the proof request has a restriction on schema_id
:
POST /v1/verifier/send-request
{
"type": "indy",
"indy_proof_request": {
"requested_attributes": {
"get_surname": {
"name": "surname",
"restrictions": [
{
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo1:0.0.1"
}
]
}
},
"requested_predicates": {}
},
"save_exchange_record": true,
"connection_id": "696f19ef-6cb9-4ca3-a729-9d02f0c47e1e"
}
When the holder checks which credential will satisfy the proof request, only the
credential with the schema_id
that matches the restriction is returned.
GET /v1/verifier/proofs/{proof_id}/credentials
[
{
"cred_info": {
"attrs": {
"name": "Alice",
"surname": "Demo"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:16:cred_def_1",
"cred_rev_id": null,
"referent": "4225da38-975b-4efc-93a8-32577cc5ba46",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo1:0.0.1"
},
"interval": null,
"presentation_referents": ["get_surname"]
}
]
Restriction on Credential Definition ID
When restricting to the credential definition ID (cred_def_id
):
POST /v1/verifier/send-request
{
"type": "indy",
"indy_proof_request": {
"requested_attributes": {
"get_surname": {
"name": "surname",
"restrictions": [
{
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:17:cred_def_2"
}
]
}
},
"requested_predicates": {}
},
"save_exchange_record": true,
"connection_id": "696f19ef-6cb9-4ca3-a729-9d02f0c47e1e"
}
When the holder checks which credential will satisfy the proof request, only the
credential with the cred_def_id
that matches the restriction is returned.
GET /v1/verifier/proofs/{proof_id}/credentials
[
{
"cred_info": {
"attrs": {
"sa_citizen": "yes",
"name": "Alice",
"surname": "Demo"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:17:cred_def_2",
"cred_rev_id": null,
"referent": "3a100d3e-13cb-457b-8248-ad61589514c3",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo2:0.0.2"
},
"interval": null,
"presentation_referents": ["get_surname"]
}
]
Restriction on Value of Attribute in Credential
When restricting to an attribute value that is in one of the credentials.
In this case, we check that the holder has the attribute is_cool
and the value
is True
.
POST /v1/verifier/send-request
{
"type": "indy",
"indy_proof_request": {
"requested_attributes": {
"get_surname": {
"name": "surname",
"restrictions": [
{
"attr::is_cool::value": "True"
}
]
}
},
"requested_predicates": {}
},
"save_exchange_record": true,
"connection_id": "696f19ef-6cb9-4ca3-a729-9d02f0c47e1e"
}
When the holder checks which credential will satisfy the proof, the credential
with the is_cool
attribute with value True
is returned.
GET /v1/verifier/proofs/{proof_id}/credentials
[
{
"cred_info": {
"attrs": {
"is_cool": "True",
"surname": "Demo",
"sa_citizen": "yes",
"name": "Alice"
},
"cred_def_id": "3aMAZrkZkA7odBfZkEL15Y:3:CL:18:cred_def_3",
"cred_rev_id": null,
"referent": "76d3f7be-4367-48f4-86d9-05343ddd48d4",
"rev_reg_id": null,
"schema_id": "S73FJ6deq6fRhBEfiTckkA:2:Demo3:0.0.3"
},
"interval": null,
"presentation_referents": ["get_surname"]
}
]
Restriction on Attribute Value Not in Credentials
When restricting to an attribute value that is not in any of the credentials:
POST /v1/verifier/send-request
{
"type": "indy",
"indy_proof_request": {
"requested_attributes": {
"get_surname": {
"name": "surname",
"restrictions": [
{
"attr::is_cool::value": "False"
}
]
}
},
"requested_predicates": {}
},
"save_exchange_record": true,
"connection_id": "696f19ef-6cb9-4ca3-a729-9d02f0c47e1e"
}
When the holder checks if they have a credential that satisfies the proof, no credential is returned.
GET /v1/verifier/proofs/{proof_id}/credentials
[]
This indicates to the holder that they do not have any credentials that satisfy the restrictions in the proof request.