aries-cloudagent-python icon indicating copy to clipboard operation
aries-cloudagent-python copied to clipboard
verified publisher icon hyperledger

Unable to fetch credential definition details from ledger using did:web

Open NB-PrasadKatkar opened this issue 10 months ago • 7 comments

Description I am trying to fetch a credential definition from the ledger using the HTTP GET endpoint: /credential-definitions/{cred_def_id}

My agent is running on the latest ACA-Py release and is configured with a did:web as the public DID. When attempting to retrieve the credential definition, ACA-Py tries to resolve the public DID but fails, resulting in the following error:

indy_vdr.error.VdrError: Request failed: client request invalid: InvalidClientRequest('prasad.github.io', 1739295285303260321, "validation error [SafeRequest]: should not contain the following chars ['.'] (identifier=prasad.github.io)")

Steps to Reproduce

  1. Configure an ACA-Py agent with did:web as the public DID.
  2. Attempt to fetch a credential definition using /credential-definitions/{cred_def_id}.
  3. Observe the error when ACA-Py tries to resolve did:web.

Environment

  • ACA-Py Version: v1.2.2
  • DID Method: did:web
  • Ledger: Bcovrin test
  • Deployment: Docker

Additional Context Any insights into resolving this issue or potential workarounds would be appreciated.

NB-PrasadKatkar avatar Feb 28 '25 07:02 NB-PrasadKatkar

Might be related to #3462

esune avatar Mar 07 '25 22:03 esune

You shouldn't set a did:web to the public did. It is very indy specific right now. This should be prevented. There is ongoing work to allow the public did to be different types and not interfere with did:indy operations, but it isn't going to be completed for some time.

However, it shouldn't fail to read the indy ledger because of an invalid public did so this should still be looked at. I'm not aware of why it tries to use the public did when reading the indy ledger.

jamshale avatar Mar 12 '25 15:03 jamshale

@NB-PrasadKatkar can you provide examples of how:

  • You are creating the did:web and setting it as public
  • Which credential definition are you trying to fetch, and from which ledger? Is the ledger configured in your agent at least as a read-only ledger?

I did some quick testing using Traction Sandbox:

  • I was able to create a did:web without issues
  • When I tried to set it as public, I got an error stating there was no connection to the endorser: this should not be required for did:web
  • I connected to the BCovrin Test endorser, which sets a new public did automatically in the sandbox environment
  • I was now able to set my did:web as public (note this is not going to be resolvable):
{
  "result": {
    "did": "did:web:esune.github.io",
    "verkey": ---redacted---,
    "posture": "posted",
    "key_type": "ed25519",
    "method": "web",
    "metadata": {
      "posted": true
    }
  }
}
  • I was able to fetch credential definitions from BCovrin Test, CANdy Dev and CANdy Prod without incurring in the issue you flagged.

@jamshale 's recommendation still stands, but trying to pinpoint what might be going wrong in your case in order to determine the course of action in ACA-Py

esune avatar Mar 12 '25 19:03 esune

@jamshale @esune, I am using single Agent as Endorser and setting the did:web as public after posting the DID. I am trying to fetch indy Credential Definition from the bcovrin ledger. Also, If I try to resolve the did:sov when the did:web is public it gives the same error.

Attaching the video:

https://github.com/user-attachments/assets/dfde8455-7128-4c28-859c-b1a4e24dfe8c

NB-PrasadKatkar avatar Apr 14 '25 09:04 NB-PrasadKatkar

@NB-PrasadKatkar do you mind re-uploading the video? It seems like the file got corrupted and cannot be played. Alternatively (or in addition), if you can list the steps to reproduce it would be great.

esune avatar Apr 14 '25 17:04 esune

https://github.com/user-attachments/assets/72dc49cc-e59a-4b11-b8de-2318ec35bae6

Steps to Reproduce:

  1. Start an ACA-Py agent (version 1.2.4).
  2. Create a did:web using the POST /wallet/did/create endpoint.
  3. Host the did:web on a server where it can be publicly resolved.
  4. Set the created DID as public using the POST /wallet/did/public endpoint.
  5. Retrieve an existing did:sov, for example, from BCOVRIN Test Ledger.
  6. Attempt to resolve the did:sov using GET /resolver/resolve/{did}.

Alternatively, for credential definition resolution:

  1. Retrieve an Indy credential definition ID from IndyScan (e.g., DpmUAZoZyADXmed1NMrJPZ:3:CL:2751642:default) or create a new credential definition.
  2. Attempt to fetch the credential definition details using GET /credential-definitions/{cred_def_id}.

NB-PrasadKatkar avatar Apr 15 '25 07:04 NB-PrasadKatkar

Thank you @NB-PrasadKatkar, I could reproduce the issue following the instructions (the video is still not showing, but the step-by-step list was helpful). I tracked the error down to the rust function that is throwing the error in indy-vdr, trying to undersdtand whether there is an actual issue with the library or we need to change the structure of the data sent in the request.

esune avatar Apr 16 '25 22:04 esune