
Same device presentation flow within app #231

Open
Eragoneq opened this issue Jan 19, 2025 · 15 comments
Labels
information Further information is requested

Comments

@Eragoneq

Hello everyone,

I was testing the verifier server and looking over the functionality to verify certain credentials of the user; however, I would like to try to integrate and test it within another app to allow app-2-app verification. Are there possibly other repos or a way to integrate the same functionality without the whole webserver?

Thank you in advance!

@babisRoutis babisRoutis added the information Further information is requested label Jan 20, 2025
@babisRoutis
Contributor

babisRoutis commented Jan 20, 2025

Dear @Eragoneq ,

The verifier-endpoint has been implemented as a trusted intermediate between a wallet and a higher-level application (we call it simply verifier in the sequence diagrams found in the readme file). The main idea was/is that the latter application doesn't have to implement the whole openid4vp; rather, it can delegate this to the verifier endpoint.

Some examples of such higher-level applications are:

You can find the published VerifierAPI, with many examples, at https://verifier-backend.eudiw.dev/swagger-ui#/verifier%20api/initializeTransaction

Unfortunately, the verifier-endpoint cannot be used in a form that is embedded in another mobile application without extensive changes. Note, though, that the verifier endpoint can be used from a mobile application (acting as a "reader" or verifier) running on the same mobile phone that hosts the wallet. Yet that also requires the verifier-endpoint to be deployed to the web.

@Eragoneq
Author

Hmm, I suppose that the best solution for now would be to use a deployed server, however I also saw some mention of the App Verifier that is being developed: App Verifier for Proximity (Android).
Its code has not been published yet from what I see; however, it almost matches the functionality that I would try to implement. I've studied the code it is based on, but for some reason the current version only supports proximity and has removed the button for app-2-app communication. This might not be the right place to ask about the app (as this is the web verifier), but shouldn't that app implement the given functionality, or is it mainly planned to focus on web authentication?

@babisRoutis
Contributor

Hmm, I suppose that the best solution for now would be to use a deployed server, however I also saw some mention of the App Verifier that is being developed: App Verifier for Proximity (Android). Its code has not been published yet from what I see; however, it almost matches the functionality that I would try to implement. I've studied the code it is based on, but for some reason the current version only supports proximity and has removed the button for app-2-app communication. This might not be the right place to ask about the app (as this is the web verifier), but shouldn't that app implement the given functionality, or is it mainly planned to focus on web authentication?

Dear @Eragoneq

The application that you mention is only for mso_mdoc in close proximity using BLE/NFC as defined in ISO-18013-5 (Not openId4vp).

For OpenId4VP, especially as defined in HAIP and ISO profiles, you need a web endpoint to interact with the wallet. In the future there will be support for the Digital Credential API, yet until then a web endpoint is required.

Keep in mind, though, the following important distinction: the verifier endpoint (the app in this repo) can be used (or driven, if you will) by any kind of application (the verifier). It could be a web app (server or client side) or even another mobile app.

Hope that helps.

@Eragoneq
Author

Hi,

I have attempted to recreate the whole setup locally, however I found a few issues along the way, which I'm not sure if they are documented properly or I may have done something wrong when applying the configuration.

  • I used the wallet app with the self-signed certificates enabled.
  • When using the default configuration of the verifier there seems to be a mismatch between the signing algorithms used, as the verifier uses RS256, while my app was throwing exceptions for not being able to use the given algorithm.
  • I enabled a keystore and set up ES256 on the verifier.
  • Got stuck on the ClientIdScheme, which was not accepted by the client. I have added a pre-registered scheme for the client and set up the same name on the verifier, however the app still gives an "InvalidClientId" error in that case.

I might have missed some step in the configuration, but it seems that there are some missing steps to get the basic demo working.

@dzarras
Contributor

dzarras commented Jan 22, 2025

Hi @Eragoneq,

Which version/tag of the Verifier Endpoint are you using?
If you are using the latest/edge tag please be informed that this version has adopted the unified Client Id/Client Id Scheme as defined by OpenId4VP draft22. This is a breaking change, and not all EUDI components have been adapted to it.

Please use Verifier Endpoint v0.1.9, and let us know if this works for you.

Thanks.

@Eragoneq
Author

I used the docker image for latest, which from what I've seen points to v0.1.9, but I have set it explicitly now and the issue remains.
For the app I used the code from the main branch, but I also see that it should match the 2025.1.20-Demo latest release, with my added code for self-signed certificates and a pre-registered client.

Modified eu/europa/ec/corelogic/config/ConfigWalletCoreImpl.kt:

withClientIdSchemes(
    listOf(ClientIdScheme.X509SanDns, ClientIdScheme.Preregistered(listOf(
        PreregisteredVerifier("EudiTest", "EudiTest", "https://192.168.178.172")
    )))
)

Environment config for verifier:

environment:
  VERIFIER_PUBLICURL: "https://192.168.178.172"
  VERIFIER_RESPONSE_MODE: "DirectPostJwt"
  VERIFIER_ORIGINALCLIENTID: "EudiTest"
  VERIFIER_CLIENTIDSCHEME: "pre-registered"
Android app debug log
REQUEST: https://192.168.178.172/wallet/request.jwt/mu5Kau5TcGii-khaau3LRGE-3XglILC2ZHcBs138uinHdynzTlocrirn2iRaOqedvXOuAqA9ltvKqD0NpKaZSw
METHOD: HttpMethod(value=GET)
COMMON HEADERS
-> Accept: application/oauth-authz-req+jwt; application/jwt; application/json
-> Accept-Charset: UTF-8
CONTENT HEADERS
-> Content-Length: 0
BODY Content-Type: null
BODY START

BODY END
...
RESPONSE: 200 OK
METHOD: HttpMethod(value=GET)
FROM: https://192.168.178.172/wallet/request.jwt/mu5Kau5TcGii-khaau3LRGE-3XglILC2ZHcBs138uinHdynzTlocrirn2iRaOqedvXOuAqA9ltvKqD0NpKaZSw
COMMON HEADERS
-> cache-control: no-cache, no-store, max-age=0, must-revalidate
-> content-length: 1786
-> content-type: application/oauth-authz-req+jwt
-> expires: 0
-> pragma: no-cache
-> referrer-policy: no-referrer
-> set-cookie: SERVERUSED=server1; path=/
-> vary: Origin; Access-Control-Request-Method; Access-Control-Request-Headers
-> x-android-received-millis: 1737555785480
-> x-android-response-source: NETWORK 200
-> x-android-selected-protocol: http/1.1
-> x-android-sent-millis: 1737555785432
-> x-content-type-options: nosniff
-> x-frame-options: DENY
-> x-xss-protection: 0
BODY Content-Type: application/oauth-authz-req+jwt
BODY START
eyJraWQiOiJteWtleSIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QiLCJhbGciOiJFUzI1NiJ9.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.U7cHPZ98Dndk56pHriczpvNp1_H-Wy7tYadh_TOmN7lwXLBdQl5MRj9zylnBWKbn35xe96rbmPhZKCtWSmI9YQ
BODY END

Invalid resolution: InvalidClientId

@babisRoutis
Contributor

The deployment option VERIFIER_ORIGINALCLIENTID was introduced in main for 0.2.x.
It is not applicable to v0.1.9.

For this reason, in your installation the client_id defaults to "Verifier".

You can see this if you decode the contents of the JAR (from the Android log), which is actually a JWT:

{
  "response_uri": "https://192.168.178.172/wallet/direct_post",
  "client_id_scheme": "pre-registered",
  "response_type": "vp_token",
  "nonce": "bdc4fcd6-133d-48ad-bddf-4c055b2653cf",
  "client_id": "Verifier",
....
}

You can either use the env VERIFIER_CLIENTID to customize the client_id (this is the applicable property for v0.1.9), or you can configure the wallet to use the 'Verifier' value for the pre-registered client.

@dzarras
Contributor

dzarras commented Jan 22, 2025

@Eragoneq The list of applicable environment variables for v0.1.9 can be found here

@Eragoneq
Author

You're right, I didn't see that the README had any fresh changes; after changing that property it passed through the client_id.

One question I'd still raise is why the app does not accept RS256, if it's set as the default in the verifier?

Invalid resolution: InvalidJarJwt(cause=JAR is signed with RS256 which is not supported)

@babisRoutis
Contributor

Dear @Eragoneq

You can also skip the pre-registered scheme by using x5c_san_dns.
You can get a signing key and the corresponding public certificate for your verifier (used to sign the authorization request) using this service: https://registry.serviceproviders.eudiw.dev/

@babisRoutis
Contributor

One question I'd still raise is why the app does not accept RS256, if it's set as the default in the verifier?

Invalid resolution: InvalidJarJwt(cause=JAR is signed with RS256 which is not supported)

@Eragoneq
Ah yes. We should change the default value to an EC alg.
The reason for which the wallet rejects RS256 is that it has been configured (correctly) to trust only EC algorithms for this purpose.

The idea is that the wallet may interact with an (arbitrary) verifier, provided that the verifier satisfies the wallet's acceptable conditions.

@dzarras
Please open an issue for the default alg of the verifier to EC (p-256).

@Eragoneq
Author

Dear @Eragoneq

You can also skip the pre-registered scheme by using x5c_san_dns. You can get a signing key and the corresponding public certificate for your verifier (used to sign the authorization request) using this service: https://registry.serviceproviders.eudiw.dev/

For now it works fine with the pre-registered and custom app, but thank you for the information.

I still seem to have a problem remaining with the custom key, as I receive the error:

Invalid resolution: InvalidJarJwt(cause=Invalid signature Signed JWT rejected: Another algorithm expected, or no matching key(s) found)

This is what /public-keys.json returns, and I thought it should use a correct algorithm to match the app. Are there any requirements for the kid or anything else I might have missed?

{
  "keys": [
    {
      "kty": "EC",
      "x5t#S256": "AKov_84oPd8VMCjDK_LQwMo6ezH-iDX3uDdK8i9o714",
      "nbf": 1737488049,
      "crv": "P-256",
      "kid": "mykey",
      "x5c": [
        "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"
      ],
      "x": "yB7M_pRyuG6d0EyW70c4viOkX1xVU_pIFhC1rhJ9csk",
      "y": "UgVWYjknWQLHqjtycTyzoD8JRmhiWab6GMELJMEwppw",
      "exp": 1769024049
    }
  ]
}

@dzarras
Contributor

dzarras commented Jan 22, 2025

Dear @Eragoneq
You can also skip the pre-registered scheme by using x5c_san_dns. You can get a signing key and the corresponding public certificate for your verifier (used to sign the authorization request) using this service: https://registry.serviceproviders.eudiw.dev/

For now it works fine with the pre-registered and custom app, but thank you for the information.

I still seem to have a problem remaining with the custom key, as I receive the error:

Invalid resolution: InvalidJarJwt(cause=Invalid signature Signed JWT rejected: Another algorithm expected, or no matching key(s) found)

This is what /public-keys.json returns, and I thought it should use a correct algorithm to match the app. Are there any requirements for the kid or anything else I might have missed?

{
  "keys": [
    {
      "kty": "EC",
      "x5t#S256": "AKov_84oPd8VMCjDK_LQwMo6ezH-iDX3uDdK8i9o714",
      "nbf": 1737488049,
      "crv": "P-256",
      "kid": "mykey",
      "x5c": [
        "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"
      ],
      "x": "yB7M_pRyuG6d0EyW70c4viOkX1xVU_pIFhC1rhJ9csk",
      "y": "UgVWYjknWQLHqjtycTyzoD8JRmhiWab6GMELJMEwppw",
      "exp": 1769024049
    }
  ]
}

@Eragoneq Could you please provide the debug output of the Android app where the JAR is printed, so that we can further debug the issue?

Concerning your questions:

  • No there are no special requirements for the kid. When the Verifier Endpoint is configured using the pre-registered Client Id scheme, it will set the kid header claim of the JAR to the kid of your configured signing key.
  • For the JAR signing algorithm, the requirement is that it must be compatible with the JAR signing key. If it's not compatible, you will notice failures in the logs of the Verifier Endpoint when trying to sign the JAR.

You can find the implementation details here.

@Eragoneq
Author

There's not much more listed there, as it just fails when fetching the keys from the Verifier.

Log
REQUEST: https://192.168.178.172/wallet/request.jwt/H6fsAkNMMpE1LWuGnu4DxEFGcxML-53l11-KFdcpJaUEhzgxpoGWjuIOViKBzPU_Cgf23YQQGwsv3lG5dgI3IA
                                                                                                    METHOD: HttpMethod(value=GET)
                                                                                                    COMMON HEADERS
                                                                                                    -> Accept: application/oauth-authz-req+jwt; application/jwt; application/json
                                                                                                    -> Accept-Charset: UTF-8
                                                                                                    CONTENT HEADERS
                                                                                                    -> Content-Length: 0
                                                                                                    BODY Content-Type: null
                                                                                                    BODY START
                                                                                                    
                                                                                                    BODY END
2025-01-22 17:27:39.853  6109-6254  TrafficStats            eu.europa.ec.euidi                   D  tagSocket(6) with statsTag=0xffffffff, statsUid=-1
2025-01-22 17:27:39.866  6109-6122  europa.ec.euidi         eu.europa.ec.euidi                   I  Background concurrent mark compact GC freed 151303(7385KB) AllocSpace objects, 16(2448KB) LOS objects, 49% free, 12MB/24MB, paused 311us,25.709ms total 109.787ms
2025-01-22 17:27:39.984  6109-6457  EUDI Wallet DEMO-DEBUG  eu.europa.ec.euidi                   D  RESPONSE: 200 OK
                                                                                                    METHOD: HttpMethod(value=GET)
                                                                                                    FROM: https://192.168.178.172/wallet/request.jwt/H6fsAkNMMpE1LWuGnu4DxEFGcxML-53l11-KFdcpJaUEhzgxpoGWjuIOViKBzPU_Cgf23YQQGwsv3lG5dgI3IA
                                                                                                    COMMON HEADERS
                                                                                                    -> cache-control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                    -> content-length: 1447
                                                                                                    -> content-type: application/oauth-authz-req+jwt
                                                                                                    -> expires: 0
                                                                                                    -> pragma: no-cache
                                                                                                    -> referrer-policy: no-referrer
                                                                                                    -> set-cookie: SERVERUSED=server1; path=/
                                                                                                    -> vary: Origin; Access-Control-Request-Method; Access-Control-Request-Headers
                                                                                                    -> x-android-received-millis: 1737563259938
                                                                                                    -> x-android-response-source: NETWORK 200
                                                                                                    -> x-android-selected-protocol: http/1.1
                                                                                                    -> x-android-sent-millis: 1737563259925
                                                                                                    -> x-content-type-options: nosniff
                                                                                                    -> x-frame-options: DENY
                                                                                                    -> x-xss-protection: 0
                                                                                                    BODY Content-Type: application/oauth-authz-req+jwt
                                                                                                    BODY START
                                                                                                    eyJraWQiOiJteWtleSIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QiLCJhbGciOiJFUzI1NiJ9.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.BrrQpxbNVvWfycLRbe-s7ExccS5XtZu57DQytU1MG4E0BrbyL2pkAwNI-E8cWwactKgDmshRyqfEBy0wfdHzOg
                                                                                                    BODY END
2025-01-22 17:27:40.089  6109-6109  InsetsSourceConsumer    eu.europa.ec.euidi                   I  applyRequestedVisibilityToControl: visible=true, type=statusBars, host=eu.europa.ec.euidi/eu.europa.ec.assemblylogic.ui.MainActivity
2025-01-22 17:27:40.090  6109-6457  EUDI Wallet DEMO-DEBUG  eu.europa.ec.euidi                   D  REQUEST: https://192.168.178.172/wallet/public-keys.json
                                                                                                    METHOD: HttpMethod(value=GET)
                                                                                                    COMMON HEADERS
                                                                                                    -> Accept: application/json
                                                                                                    -> Accept-Charset: UTF-8
                                                                                                    CONTENT HEADERS
                                                                                                    -> Content-Length: 0
                                                                                                    BODY Content-Type: null
                                                                                                    BODY START
                                                                                                    
                                                                                                    BODY END
2025-01-22 17:27:40.362  6109-6461  TrafficStats            eu.europa.ec.euidi                   D  tagSocket(126) with statsTag=0xffffffff, statsUid=-1
2025-01-22 17:27:40.433  6109-6456  EUDI Wallet DEMO-DEBUG  eu.europa.ec.euidi                   D  RESPONSE: 200 OK
                                                                                                    METHOD: HttpMethod(value=GET)
                                                                                                    FROM: https://192.168.178.172/wallet/public-keys.json
                                                                                                    COMMON HEADERS
                                                                                                    -> cache-control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                    -> content-length: 921
                                                                                                    -> content-type: application/jwk-set+json;charset=UTF-8
                                                                                                    -> expires: 0
                                                                                                    -> pragma: no-cache
                                                                                                    -> referrer-policy: no-referrer
                                                                                                    -> set-cookie: SERVERUSED=server1; path=/
                                                                                                    -> vary: Origin; Access-Control-Request-Method; Access-Control-Request-Headers
                                                                                                    -> x-android-received-millis: 1737563260406
                                                                                                    -> x-android-response-source: NETWORK 200
                                                                                                    -> x-android-selected-protocol: http/1.1
                                                                                                    -> x-android-sent-millis: 1737563260395
                                                                                                    -> x-content-type-options: nosniff
                                                                                                    -> x-frame-options: DENY
                                                                                                    -> x-xss-protection: 0
                                                                                                    BODY Content-Type: application/jwk-set+json; charset=UTF-8
                                                                                                    BODY START
                                                                                                    {"keys":[{"kty":"EC","x5t#S256":"AKov_84oPd8VMCjDK_LQwMo6ezH-iDX3uDdK8i9o714","nbf":1737488049,"crv":"P-256","kid":"mykey","x5c":["MIIB8TCCAZagAwIBAgIJAOyFm30icfQUMAoGCCqGSM49BAMCMGwxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24wHhcNMjUwMTIxMTkzNDA5WhcNMjYwMTIxMTkzNDA5WjBsMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyB7M/pRyuG6d0EyW70c4viOkX1xVU/pIFhC1rhJ9cslSBVZiOSdZAseqO3JxPLOgPwlGaGJZpvoYwQskwTCmnKMhMB8wHQYDVR0OBBYEFMxm6GP17QeU/U0OIKIgRyABrhrYMAoGCCqGSM49BAMCA0kAMEYCIQDoV3xV4542ka1q+vrOmyiLgP+1WTxMl1/xtTSazos5pwIhAPVhxIUka+T7iNrheU3ao8iBgPpBXi3Ag8px0zjkuDPN"],"x":"yB7M_pRyuG6d0EyW70c4viOkX1xVU_pIFhC1rhJ9csk","y":"UgVWYjknWQLHqjtycTyzoD8JRmhiWab6GMELJMEwppw","exp":1769024049}]}
                                                                                                    BODY END
2025-01-22 17:27:40.524  6109-6459  EUDI Wallet DEMO-DEBUG  eu.europa.ec.euidi                   E  Invalid resolution: InvalidJarJwt(cause=Invalid signature Signed JWT rejected: Another algorithm expected, or no matching key(s) found)

@babisRoutis
Contributor

The verifier produces a JWT-Secured Authorization Request which is signed correctly.

Unfortunately, though, there is a hard-coded value for the alg in the wallet (here).

@vkanellopoulos : Can you please create an issue for this?
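The checks the wallet runs on the JAR, in the order the errors in this thread appeared, as an added Go example that is not code from the verifier-endpoint or the EUDI wallet: it signs a JAR the way the endpoint does (kid/typ/alg header, ES256), renders the key as a /wallet/public-keys.json entry, and then resolves it wallet-side, rejecting a non-EC alg, a kid/kty/crv that does not match the header, a bad signature, and a client_id that is not on the wallet's pre-registered list. The function names, the in-memory JWK Set and the claims are constructed for the demo; the alg parameter of SignJAR exists only to reproduce the RS256 header from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// SignJAR builds a JWT-Secured Authorization Request with the verifier-endpoint's header shape
// ({"kid","typ":"oauth-authz-req+jwt","alg"}). The signature is always ECDSA P-256 (r||s, 64 bytes).
func SignJAR(priv *ecdsa.PrivateKey, kid, alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "typ": "oauth-authz-req+jwt", "alg": alg})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// PublicJWK renders the verifier's key as one entry of /wallet/public-keys.json (x5c, x5t#S256,
// nbf and exp omitted; they play no part in the checks below).
func PublicJWK(pub *ecdsa.PublicKey, kid string) map[string]any {
	return map[string]any{"kty": "EC", "crv": "P-256", "kid": kid,
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// ResolveJAR runs the wallet-side checks in the order the thread's errors surface:
// accepted alg, key lookup by kid/kty/crv, signature, then the pre-registered client_id.
func ResolveJAR(jar string, keys []map[string]any, preregistered []string) (map[string]any, error) {
	parts := strings.Split(jar, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("InvalidJarJwt(cause=not a compact JWS)")
	}
	var hdr struct{ Alg, Kid string }
	rawHdr, _ := b64.DecodeString(parts[0])
	_ = json.Unmarshal(rawHdr, &hdr)
	if hdr.Alg != "ES256" { // the wallet trusts only EC algorithms for JAR signatures
		return nil, fmt.Errorf("InvalidJarJwt(cause=JAR is signed with %s which is not supported)", hdr.Alg)
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys { // a key only matches if kid, kty and crv all agree with header and alg
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-256" {
			x, _ := b64.DecodeString(fmt.Sprint(k["x"]))
			y, _ := b64.DecodeString(fmt.Sprint(k["y"]))
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	sig, _ := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("InvalidJarJwt(cause=Another algorithm expected, or no matching key(s) found)")
	}
	var claims map[string]any
	rawPl, _ := b64.DecodeString(parts[1])
	_ = json.Unmarshal(rawPl, &claims)
	for _, allowed := range preregistered {
		if claims["client_id_scheme"] == "pre-registered" && claims["client_id"] == allowed {
			return claims, nil
		}
	}
	return nil, fmt.Errorf("InvalidClientId")
}
```

With a v0.1.9 endpoint the claims carry client_id "Verifier", so a wallet pre-registered only for "EudiTest" fails at the last step exactly as in the log above, while the RS256 header is rejected before any key is even looked up.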
