Credential

abstract class Credential

Base class for credentials.

When a Credential is created, it is not certified. To use the Credential for presentation, call Credential.certify to certify it. This is usually done by sending metadata about the Credential to the issuer and getting issuer-signed data back, including the validity period of the credential.

A unique identifier for the credential is available in the Credential.identifier property, which is set at credential creation time.

Since credentials can be valid for only a limited time, applications will likely want to replace them on a regular basis. To this end, the Credential class has the Credential.replacementForIdentifier property. For a high-level helper using this infrastructure, see DocumentUtil.managedCredentialHelper.

Each credential has a domain associated with it which is a textual string chosen by the application. This can be used to group credentials together and update a single domain independently of another one. For example, a Document may have

  • 10 MDocCredentials for normal use in the domain "mdoc", each requiring user authentication to present.

  • 10 MDocCredentials for age-attestation in the domain "mdoc_age_attestation" which are provisioned with only age attributes and the portrait image. These don't require user authentication to present. At presentation time the application can pick a credential from "mdoc_age_attestation" domain if the verifier's request only includes age attestation. Since user authentication is not required to present these, this could be used to implement a pre-consent flow where the information is shared at the moment the user taps their device against the verifier.

A credential may be invalidated, and this is tracked in the Credential.isInvalidated property. For example, this may happen if the underlying key material for the credential is no longer usable; see SecureArea.getKeyInvalidated for example.
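The following is an added example, not code from the library: it sketches how an application might choose a domain from the verifier's request and then pick a presentable credential in that domain, skipping uncertified, invalidated and out-of-validity ones. `CredentialInfo`, `domainFor`, `selectCredential`, the attribute names and the least-used preference are assumptions for illustration; `java.time.Instant` stands in for the library's `Instant`.

```kotlin
import java.time.Instant

// Hypothetical stand-in for the fields this page describes; NOT the library's Credential class.
data class CredentialInfo(
    val identifier: String,
    val domain: String,
    val certified: Boolean,      // true once issuer-signed data has been stored
    val invalidated: Boolean,    // e.g. underlying key material is no longer usable
    val usageCount: Int,
    val validFrom: Instant,
    val validUntil: Instant,
)

// Constructed attribute names, for illustration only.
val AGE_ONLY_ATTRIBUTES = setOf("age_over_18", "age_over_21", "portrait")

/** Fails closed: the no-user-auth domain is used only if every requested attribute is age-only. */
fun domainFor(requested: Set<String>): String =
    if (requested.isNotEmpty() && AGE_ONLY_ATTRIBUTES.containsAll(requested)) "mdoc_age_attestation"
    else "mdoc"

/** Returns a presentable credential from the given domain, or null if none qualifies. */
fun selectCredential(all: List<CredentialInfo>, domain: String, now: Instant): CredentialInfo? =
    all.asSequence()
        .filter { it.domain == domain }
        .filter { it.certified && !it.invalidated }
        .filter { !now.isBefore(it.validFrom) && now.isBefore(it.validUntil) }
        .minByOrNull { it.usageCount }   // assumption: prefer the least-used credential

fun main() {
    val now = Instant.parse("2024-06-01T12:00:00Z")
    val from = Instant.parse("2024-05-01T00:00:00Z")
    val until = Instant.parse("2024-07-01T00:00:00Z")
    val creds = listOf(   // constructed sample data
        CredentialInfo("c1", "mdoc", true, false, 3, from, until),
        CredentialInfo("c2", "mdoc_age_attestation", true, true, 0, from, until),   // invalidated
        CredentialInfo("c3", "mdoc_age_attestation", false, false, 0, from, until), // not certified
        CredentialInfo("c4", "mdoc_age_attestation", true, false, 2, from, from),   // validity ended
        CredentialInfo("c5", "mdoc_age_attestation", true, false, 1, from, until),
    )
    // Age-only request: served from the age-attestation domain.
    println(selectCredential(creds, domainFor(setOf("age_over_18")), now)?.identifier)
    // Request that also asks for a name: falls back to the user-authenticated domain.
    println(selectCredential(creds, domainFor(setOf("age_over_18", "family_name")), now)?.identifier)
}
```

A null result means the domain has no usable credential left, which is the point at which an application would request replacements from the issuer.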

Credential may be subclassed (for example, see SecureAreaBoundCredential and MdocCredential), and applications and libraries may bring their own implementations. An application will need to register its implementations with the CredentialLoader instance it uses with its DocumentStore instance.

Each concrete implementation of Credential must have constructor(document: Document, dataItem: DataItem) to construct an instance from serialized data. This is used by CredentialLoader.loadCredential which is used when loading a Document instance from disk and deserializing its Credential instances.

Inheritors

Types

object Companion

Properties

abstract val credentialType: String

Identifies credential type.


The Document that the credential belongs to.

lateinit var domain: String

The domain of the credential.


Indicates whether the credential has been certified yet.


The issuer-provided data associated with the credential.


How many times the credential has been used in an identity presentation.

val validFrom: Instant

The point in time the issuer-provided data is valid from.

val validUntil: Instant

The point in time the issuer-provided data is valid until.

Functions


Method which can be overridden by Credential subclasses to add any additional information when serializing a credential.

suspend fun addToDocument()

open suspend fun certify(issuerProvidedAuthenticationData: ByteArray, validFrom: Instant, validUntil: Instant)

Certifies the credential.

open suspend fun deserialize(dataItem: DataItem)

Initialize this object using serialized data.

abstract fun getClaims(documentTypeRepository: DocumentTypeRepository?): List<Claim>

Gets the claims in the credential.

suspend fun increaseUsageCount()

Increases usage count of the credential.

open suspend fun isInvalidated(): Boolean

Indicates whether the credential has been invalidated.

suspend fun replacementForDeleted()