feat(core): support configurable proof format for anoncreds (#904)

* feat(core): support configurable proof format for anoncreds

Signed-off-by: Yuki I <[email protected]>

* test(core): isolate tests to prevent pollution and improve logging

Signed-off-by: Yuki I <[email protected]>

* refactor(core): add config validation and improve proof format fallback

Signed-off-by: Yuki I <[email protected]>

* fix(build): align proof format config with project standards

Signed-off-by: Yuki I <[email protected]>

* style(core): apply black code formatting

Signed-off-by: Yuki I <[email protected]>

---------

Signed-off-by: Yuki I <[email protected]>
Co-authored-by: Yuki I <[email protected]>

Author: MonolithicMonk

README.md

@@ -54,6 +54,8 @@ In order to use the VC OIDC authentication, a couple of extra steps are required
   so, the following command can be used to post a configuration requesting a BC Wallet Showcase Person credential:
 - Though not implemented in this built-in config, proof-request configurations can optionally include substitution variables. Details can be found [here](docs/ConfigurationGuide.md#proof-substitution-variables)
 
+**Note:** The following demo commands are for an **Indy-based** credential ecosystem. The application defaults to the `indy` proof format, so these examples work out-of-the-box. You can switch to `anoncreds` by setting the `ACAPY_PROOF_FORMAT` environment variable.
+
 ```bash
 curl -X 'POST' \
   'http://localhost:5000/ver_configs/' \

docker/docker-compose.yaml

@@ -44,6 +44,7 @@ services:
       - CONTROLLER_PRESENTATION_RECORD_RETENTION_HOURS=${CONTROLLER_PRESENTATION_RECORD_RETENTION_HOURS}
       - CONTROLLER_VARIABLE_SUBSTITUTION_OVERRIDE=${CONTROLLER_VARIABLE_SUBSTITUTION_OVERRIDE}
       - CONTROLLER_TEMPLATE_DIR=${CONTROLLER_TEMPLATE_DIR}
+      - ACAPY_PROOF_FORMAT=${ACAPY_PROOF_FORMAT}
       - ACAPY_TENANCY=${AGENT_TENANT_MODE}
       - ACAPY_AGENT_URL=${AGENT_ENDPOINT}
       - ACAPY_ADMIN_URL=${AGENT_ADMIN_URL}
@@ -211,4 +212,4 @@ volumes:
   controller-db-data:
   keycloak-db-data:
   agent-wallet-db:
-  redis-data:
+  redis-data:

docker/manage

@@ -207,6 +207,7 @@ configureEnvironment() {
   #controller app settings
   export INVITATION_LABEL=${INVITATION_LABEL:-"VC-AuthN"}
   export SET_NON_REVOKED="True"
+  export ACAPY_PROOF_FORMAT=${ACAPY_PROOF_FORMAT:-indy}
   export USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE:-"true"}
   export USE_CONNECTION_BASED_VERIFICATION=${USE_CONNECTION_BASED_VERIFICATION:-"true"}
   export WALLET_DEEP_LINK_PREFIX=${WALLET_DEEP_LINK_PREFIX:-"bcwallet://aries_proof-request"}

docs/ConfigurationGuide.md

@@ -76,6 +76,7 @@ Several functions in ACAPy VC-AuthN can be tweaked by using the following enviro
 
 | Variable                  | Type                                   | What it does                                                                                                                                                                                                                                                                                                                                                                                                                                           | NOTES                                                                                                                                   |
 | ------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
+| ACAPY_PROOF_FORMAT        | string ("indy" or "anoncreds")         | Sets the proof format for ACA-Py presentation requests. Use `anoncreds` for modern AnonCreds support or `indy` for legacy Indy-based ecosystems.                                                                                                                                                                                                                                                                                                          | Defaults to `indy` for backward compatibility with existing deployments.                                                                |
 | SET_NON_REVOKED           | bool                                   | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())`                                                                                                                                                                                                                                                                       |                                                                                                                                         |
 | USE_OOB_LOCAL_DID_SERVICE | bool                                   | Instructs ACAPy VC-AuthN to use a local DID, it must be used when the agent service is not registered on the ledger with a public DID                                                                                                                                                                                                                                                                                                                  | Use this when `ACAPY_WALLET_LOCAL_DID` is set to `true` in the agent.                                                                   |
 | WALLET_DEEP_LINK_PREFIX   | string                                 | Custom URI scheme and host to use for deep links (e.g. `{WALLET_DEEP_LINK_PREFIX}?c_i={connection invitation payload`)                                                                                                                                                                                                                                                                                                                                 | Default bcwallet://aries_proof-request                                                                                                  |

oidc-controller/api/core/acapy/client.py

@@ -50,8 +50,10 @@ def create_presentation_request(
         self, presentation_request_configuration: dict
     ) -> CreatePresentationResponse:
         logger.debug(">>> create_presentation_request")
+
+        format_key = settings.ACAPY_PROOF_FORMAT
         present_proof_payload = {
-            "presentation_request": {"indy": presentation_request_configuration}
+            "presentation_request": {format_key: presentation_request_configuration}
         }
 
         resp_raw = requests.post(
@@ -215,9 +217,10 @@ def send_presentation_request_by_connection(
         """
         logger.debug(">>> send_presentation_request_by_connection")
 
+        format_key = settings.ACAPY_PROOF_FORMAT
         present_proof_payload = {
             "connection_id": connection_id,
-            "presentation_request": {"indy": presentation_request_configuration},
+            "presentation_request": {format_key: presentation_request_configuration},
         }
 
         resp_raw = requests.post(

oidc-controller/api/core/acapy/tests/test_client.py

@@ -587,3 +587,65 @@ async def test_send_problem_report_sends_correct_payload(requests_mock):
     # Verify the request was made with correct parameters
     assert requests_mock.last_request.json() == {"description": description}
     assert requests_mock.call_count == 1
+
+
+@pytest.mark.asyncio
+async def test_create_presentation_request_uses_configured_proof_format(requests_mock):
+    # Verify payload key respects ACAPY_PROOF_FORMAT
+    requests_mock.post(
+        settings.ACAPY_ADMIN_URL + CREATE_PRESENTATION_REQUEST_URL,
+        headers={},
+        json=json.dumps(create_presentation_response_http),
+        status_code=200,
+    )
+
+    # Patch the setting to 'anoncreds'
+    with mock.patch.object(settings, "ACAPY_PROOF_FORMAT", "anoncreds"):
+        with mock.patch.object(
+            CreatePresentationResponse,
+            "model_validate",
+            return_value={"result": "success"},
+        ):
+            client = AcapyClient()
+            client.agent_config.get_headers = mock.MagicMock(
+                return_value={"x-api-key": ""}
+            )
+
+            client.create_presentation_request(presentation_request_configuration)
+
+            # Inspect the actual JSON body sent to ACA-Py
+            request_json = requests_mock.last_request.json()
+            assert "anoncreds" in request_json["presentation_request"]
+            assert "indy" not in request_json["presentation_request"]
+
+
+@pytest.mark.asyncio
+async def test_send_presentation_request_by_connection_uses_configured_proof_format(
+    requests_mock,
+):
+    # Verify connection-based request also respects ACAPY_PROOF_FORMAT
+    requests_mock.post(
+        settings.ACAPY_ADMIN_URL + SEND_PRESENTATION_REQUEST_URL,
+        headers={},
+        json=json.dumps(create_presentation_response_http),
+        status_code=200,
+    )
+
+    with mock.patch.object(settings, "ACAPY_PROOF_FORMAT", "anoncreds"):
+        with mock.patch.object(
+            CreatePresentationResponse,
+            "model_validate",
+            return_value={"result": "success"},
+        ):
+            client = AcapyClient()
+            client.agent_config.get_headers = mock.MagicMock(
+                return_value={"x-api-key": ""}
+            )
+
+            client.send_presentation_request_by_connection(
+                "conn_id", presentation_request_configuration
+            )
+
+            request_json = requests_mock.last_request.json()
+            assert "anoncreds" in request_json["presentation_request"]
+            assert "indy" not in request_json["presentation_request"]

oidc-controller/api/core/config.py

@@ -204,6 +204,8 @@ class GlobalConfig(BaseSettings):
 
     ACAPY_ADMIN_URL: str = os.environ.get("ACAPY_ADMIN_URL", "http://localhost:8031")
 
+    ACAPY_PROOF_FORMAT: str = os.environ.get("ACAPY_PROOF_FORMAT", "indy")
+
     MT_ACAPY_WALLET_ID: str | None = os.environ.get("MT_ACAPY_WALLET_ID")
     MT_ACAPY_WALLET_KEY: str = os.environ.get("MT_ACAPY_WALLET_KEY", "random-key")
 
@@ -301,3 +303,9 @@ def get_configuration() -> GlobalConfig:
 
 
 settings = get_configuration()
+
+# Add startup validation for ACAPY_PROOF_FORMAT
+if settings.ACAPY_PROOF_FORMAT not in ["indy", "anoncreds"]:
+    raise ValueError(
+        f"ACAPY_PROOF_FORMAT must be 'indy' or 'anoncreds', got '{settings.ACAPY_PROOF_FORMAT}'"
+    )

oidc-controller/api/core/oidc/issue_token_service.py

@@ -12,6 +12,7 @@
 from ...authSessions.models import AuthSession
 from ...verificationConfigs.models import ReqAttr, VerificationConfig
 from ...core.models import RevealedAttribute
+from ..config import settings
 
 logger: structlog.typing.FilteringBoundLogger = structlog.getLogger(__name__)
 
@@ -50,27 +51,44 @@ def get_claims(
         )
 
         presentation_claims: dict[str, Claim] = {}
+
+        # Make fallback logic more robust by checking both pres_request and pres.
+        # This handles in-flight sessions during configuration changes and guards against malformed data.
+        pres_request = auth_session.presentation_exchange.get("pres_request", {})
+        pres = auth_session.presentation_exchange.get("pres", {})
+        proof_format = settings.ACAPY_PROOF_FORMAT
+
+        if proof_format not in pres_request or proof_format not in pres:
+            if "indy" in pres_request and "indy" in pres:
+                logger.debug(
+                    f"Configured proof format '{proof_format}' not found in record, falling back to 'indy'"
+                )
+                proof_format = "indy"
+            elif "anoncreds" in pres_request and "anoncreds" in pres:
+                logger.debug(
+                    f"Configured proof format '{proof_format}' not found in record, falling back to 'anoncreds'"
+                )
+                proof_format = "anoncreds"
+
         logger.info(
-            "pres_request_token"
-            + str(
-                auth_session.presentation_exchange["pres_request"]["indy"][
-                    "requested_attributes"
-                ]
-            )
+            "Extracted requested attributes from presentation request",
+            requested_attributes=auth_session.presentation_exchange["pres_request"][
+                proof_format
+            ]["requested_attributes"],
         )
 
         referent: str
         requested_attr: ReqAttr
         try:
             for referent, requested_attrdict in auth_session.presentation_exchange[
                 "pres_request"
-            ]["indy"]["requested_attributes"].items():
+            ][proof_format]["requested_attributes"].items():
                 requested_attr = ReqAttr(**requested_attrdict)
                 logger.debug(
                     f"Processing referent: {referent}, requested_attr: {requested_attr}"
                 )
                 revealed_attrs: dict[str, RevealedAttribute] = (
-                    auth_session.presentation_exchange["pres"]["indy"][
+                    auth_session.presentation_exchange["pres"][proof_format][
                         "requested_proof"
                     ]["revealed_attr_groups"]
                 )