Integration Steps

Prerequisites

The legal entity has completed onboarding in the DOME ecosystem.
The LEAR has obtained a valid LEARCredentialMachine through the Issuer service.
DID method supported: did:key.
The ~~confidential client (backend service or secure web app)~~ ~~is registered in the Verifier~~ ~~with its:~~
- client_id ~~(DID or URI).~~
- redirect_uri ~~(for authorization response).~~
- jwks_uri ~~(endpoint exposing the client’s public key set).~~

~~The~~ client’s private key is securely stored (e.g., in an HSM or vault).
Access to developer documentation and environment URLs.

Step 1 – MachineGenerating key pair: did:key + private key

You will need a did:key / private-key pair. It can be obtained through different methods. One option we can propose is to use our Issuer: when issuing a LEARCredentialMachine, a key pair is generated for the client. The corresponding did:key is set as the mandatee.id in the credential ~~issuance~~(which

~~The~~you ~~LEAR~~can ofcheck in the ~~organization~~details ~~issues~~page aafter ~~LEARCredentialMachine~~issuing it --no need to ~~the~~activate ~~backend~~it). ~~service (the confidential client).~~

~~The credential is a Verifiable Credential (VC) in JWT format.~~

~~It is bound to the machine’s DID, derived from its public key.~~

The private key must be kept securely ~~stored~~on your side and is never shared.

~~Outcome:~~
~~The machine (confidential client) holds a valid~~ ~~LEARCredentialMachine~~ ~~and its associated DID key pair.~~

Step 2 – Client configuration

Client type: Confidential.

Obtain
~~Register~~and store the ~~client~~assigned client_id, which should be the did:key generated in the ~~Verifier’s~~previous ~~Authorization Server.~~

~~Provide the~~ jwks_uri ~~exposing the public keys used for signing JWTs.~~
step.
Ensure the redirect_uri is pre-registered and uses HTTPS.
Implement JWT-based client authentication (client_secret_jwt). You client will need a request_uri where a signed JWT token must be exposed (see the authorization request step).

Outcome:
The confidential client is fully configured to authenticate using signed JWTs and perform the Authorization Code Flow.

Step 3 – Registering to the Verifier (Trusted Services List)

The relying party must be registered in the Trusted Services List. The data must match with your client's configuration (see step 2).

Field	Description
clientId	Should be a did:key that identifies your client.
url	The base URL of your service or application.
redirectUris	Must include all the URLs where you expect to receive authentication responses.
scopes	Currently, only openid_learcredential is accepted. This scope allows your service to request the necessary credentials.
clientAuthenticationMethods	Must be set to ["client_secret_jwt"]
authorizationGrantTypes	Must be set to ["authorization_code"] and ["refresh_token"] if needed.
postLogoutRedirectUris	Include URLs where users should be redirected after they log out from your service.
requireAuthorizationConsent	Set to false.
requireProofKey	Set to false.
jwkSetUrl	Since you're using a did:key for your clientId, you do not need to provide your own jwkSetUrl: the verifier can derive your JWKS directly from the did:key. Just add this string: “<verifier-url>/oidc/did/<your-did-key>”.
tokenEndpointAuthenticationSigningAlgorithm	Must be set to ES256, as this is the only supported algorithm.

Step 34 – Authorization request

The confidential client starts the authorization process by redirecting the user to the Authorization Endpoint with athese ~~signed~~parameters ~~Authorization~~:

~~Request~~

~~Object~~

~~This~~

~~object~~
client_id: has to match the one in your client's configuration

redirect_uri: has to match the one in your client's configuration

response_type=code

scope = openid learcredential

state : random string

nonce: random string (this will be added in the ID token, so it is arecommended ~~JWT~~if ~~containing~~you ~~all~~rely ~~authorization~~on ~~parameters,~~the ~~hosted~~ID attoken)
a
request_uri.
:
~~The Authorization Server retrieves this JWT, validates its signature against~~see the ~~client’s~~explanation ~~registered~~below*

jwks_uri

~~, and proceeds with the flow.~~

Non-normative example:

*The request_uri. must expose an Authorization Request Object., which is an JWT and must include these parameters. These parameters must match the ones of your client's configuration (and the ones included in the request as well):

client_id

scope

redirect_uri

The Authorization Server ~~executes~~retrieves ~~the~~this request_uriJWT, tovalidates ~~retrieve~~its ~~the~~signature ~~data of the Authorization Request Object.~~
~~This object is a JWT signed with~~against the client’s ~~private~~registered ~~key.~~
~~The~~jwkSetUrl(that ~~Authorization~~is, ~~Server validates the JWT using~~against the public key ~~registered~~derived ~~under~~from you did:key), and proceeds with the ~~client’s~~flow.

jwks_uri.

Step 45 – Authorization response

After the user successfully authenticates and authorizes access, the Authorization Server redirects back to the client’s redirect_uri with an authorization code.

Non-normative example:

Step 56 – Token request

The client exchanges the authorization code for tokens by calling the Token Endpoint.
In this step, the client authenticates using client_secret_jwt, sending a signed JWT in the client_assertion parameter.

Non-normative example:

Non-normative example of a Token Request:

Outcome:
The Authorization Server validates:

Step 67 – Token response

Non-normative example:

Outcome:

Step 78 – Use access token

The confidential client uses the access_token to call Verifier-protected APIs: