Combination of terse web hooks without --preserve-exchange-records makes completing a present proof 2.0 impossible #3065
Comments
To confirm — the issue is not that ACA-Py has already deleted the record before the controller can retrieve it — that is expected/intended behaviour. The controller shouldn’t be trying to retrieve the record after the end of the protocol. Rather the issue is that the “terse” webhook that was added at some point into the code base (for good reason — it carries too much information) does not include the required information for the verifier — the presentation — that is needed by the controller. Do I have that right? |
Can we replicate this with the demo? If so what are the steps? I removed the |
You just need to check the webhook to see what data comes back in it. If it is insufficient, it is a problem. The timing issue is not the problem. The controller/verifier should NOT be trying to retrieve the record via the API when that flag is not set. |
@swcurran that is correct. I see that the response to the |
The issue is that in our case we don't even seem to manage to verify the presentation before it is deleted. Here are some of our logs
It is surprising that this doesn't happen with the demo |
Are you saying that ACA-Py doesn’t verify the presentation, or that the controller doesn’t? We need to be pretty clear on that. AFAIK:
That flow MUST be used when the deployment does not set the |
Sorry I should clarify. As of now the demo controller simply uses the The response to verify-presentation did seem to contain a presentation. This however seems to regularly fail due to the record being deleted before verification has even completed. There seems to be a race condition here since the controller is sometimes able to verify the presentation. The web hook never contains the presentation itself.
This is likely the case and the reason that when the controller manually verifies, the record is already deleted, leading to the above stack trace. |
Hmm. As far as I could tell the webhook response always contained the required presentation result in the demo at least. There's some code here https://github.com/hyperledger/aries-cloudagent-python/blob/main/aries_cloudagent/protocols/present_proof/v2_0/models/pres_exchange.py#L205 related to the generated webhook payload. I was actually looking at it, because the The above logs look like the controller is using the rest api..? |
Hmm strange, I will run the demo to compare. Maybe there is some code in the demo I am missing. As of now I do see that class being returned but no presentation is actually included. These are the different web hook results coming from vc-authn
|
Let me know if I am missing something |
Ya we can ignore that error since as mentioned we want to make all the info in the webhook itself so this stack trace was irrelevant. |
Maybe the vc-authn controller is parsing out the presentation somehow? I'd check out the demo with debug logs and different configs and see if it's what you are expecting. Unless, I was doing something wrong, the webhook payload I was seeing contained a lot more information. |
Ok, I will give that a try |
I don’t like that there is an endpoint to verify the presentation. That should happen automagically on receipt. Is the presentation not verified until that is called? If that is the case, the protocol state object should not be removed until that endpoint is called. |
By default it is done automatically (at least with 2.0) then it is deleted. Manual verification doesn't seem to be necessary if you have auto verification set or leave it unassigned. |
So, what I was doing with the webhook payload was my fault. The dockerfile for the demo had a random env variable setting So, the payload without |
Good stuff. Agree — we need to fix the webhook. @Gavinok — can you take a pass at what you think needs to be in the payload for a random verifier? |
Certainly, I'm just digging through the debug web hook now. This may take some time to determine what fields are necessary with the 2.0 format |
I'm just looking into this now (I was away last week) but I don't think the presentation exchange record should be deleted before the presentation is verified, so maybe that's the solution, rather than tinkering with the webhook payload contents? |
The presentation exchange record is deleted upon sending or receiving an |
There is an aca-py setting whether to auto-verify or not. The record deletion looks like it happens when the ACK is sent (or received) and this is triggered by the verification. So, if auto-verify is set, then the verification will happen automatically, the ACK will be sent and the record deleted. If auto-verify is not set, then the verify-endpoint must be called, at which point the ACK will be sent and the record deleted. So in any case, the record isn't deleted until after verification. |
The webhook is emitted automatically, when the pres_exch record is saved, here: The contents of the "abbreviated" webhook are defined here: ... so it looks relatively straightforward to add the presentation to the webhook, if this is what we want. |
I don’t understand why there would need to be controller involvement in the verification. If a presentation is received in response to a presentation request, I would think that ACA-Py would verify it and put into the web-hook the presentation and result. That should certainly be the case for Given how you have described it, if |
The field that was needed in our case was the "by_format" field from the webhook when the state transition switches to "done" https://github.com/bcgov/vc-authn-oidc/blob/88d16bc669186d80c4986e2583a495575b989994/oidc-controller/api/routers/acapy_handler.py#L51 |
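An illustration of the webhook-only verifier flow discussed in this thread, added here as an example and not code from ACA-Py or vc-authn-oidc: the handler takes the presentation from `by_format` when the state is "done", fails closed on an unverified result, and flags a terse payload instead of falling back to a record lookup. The field names `pres_ex_id`, `state`, `verified` and `by_format.pres` are assumed from ACA-Py's present-proof 2.0 exchange record, and the payloads are constructed.

```python
from typing import Optional


class IncompleteWebhook(Exception):
    """A final-state webhook arrived without the presentation data."""


def handle_present_proof_v2(payload: dict) -> Optional[dict]:
    """Consume a present_proof_v2_0 webhook using only the webhook body.

    Returns None for intermediate states and the presentation for a verified
    'done' exchange; raises in every other case (fail closed).
    """
    if payload.get("state") != "done":
        return None  # intermediate state, nothing to consume yet
    pres_ex_id = payload.get("pres_ex_id", "<unknown>")
    # Assumption: the agent reports the result as the string "true" or "false".
    if payload.get("verified") != "true":
        raise PermissionError(f"presentation {pres_ex_id} was not verified")
    pres = (payload.get("by_format") or {}).get("pres")
    if not pres:
        # Terse webhook: without --preserve-exchange-records the record may
        # already be deleted, so a follow-up API lookup is not a fallback.
        raise IncompleteWebhook(f"{pres_ex_id}: 'done' webhook lacks by_format.pres")
    return {"pres_ex_id": pres_ex_id, "presentation": pres}


# Constructed sample payloads (not captured from a real agent).
FULL_DONE = {
    "pres_ex_id": "constructed-1",
    "state": "done",
    "verified": "true",
    "by_format": {
        "pres": {"indy": {"requested_proof": {
            "revealed_attrs": {"email": {"raw": "alice@example.com"}}}}},
    },
}
TERSE_DONE = {"pres_ex_id": "constructed-2", "state": "done", "verified": "true"}
UNVERIFIED = dict(FULL_DONE, verified="false")
PENDING = {"pres_ex_id": "constructed-1", "state": "presentation-received"}

if __name__ == "__main__":
    for name, sample in [("full", FULL_DONE), ("terse", TERSE_DONE),
                         ("unverified", UNVERIFIED), ("pending", PENDING)]:
        try:
            print(name, "->", handle_present_proof_v2(sample))
        except (IncompleteWebhook, PermissionError) as exc:
            print(name, "-> rejected:", exc)
```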
@jamshale how do you get the demo to use abbreviated webhooks? For me even when I comment out that setting I get the full webhooks in the events :-S |
@ianco This env variable was overriding the command line argument. https://github.com/hyperledger/aries-cloudagent-python/blob/main/docker/Dockerfile.demo#L7 And then I also commented out the command line argument https://github.com/hyperledger/aries-cloudagent-python/blob/main/demo/runners/support/agent.py#L588 |
As the verifier it is impossible to complete a present proof 2.0 transaction without the --preserve-exchange-records flag. When the webhook confirming a proof request has been completed acapy will already delete the record before the controller can retrieve it.