[Datev-Develop] Update authorization_details for OID4VCI draft-16 compliance#136
Draft
forkimenjeckayang wants to merge 21 commits into datev/develop from
Conversation
* Make Keycloak an OpenID4VP verifier for user authentication
  Closes adorsys/eudiw-app#408
  Signed-off-by: Ingrid Kamga <[email protected]>
* Address changes requested by @Awambeng
  Signed-off-by: Ingrid Kamga <[email protected]>
* Address more changes requested by @Awambeng
  Signed-off-by: Ingrid Kamga <[email protected]>
* Address more changes requested by @forkimenjeckayang
  Signed-off-by: Ingrid Kamga <[email protected]>
---------
Signed-off-by: Ingrid Kamga <[email protected]>
…n_details at the Token Endpoint (#109)
* Add support for parsing and understanding authorization_details at the Token Endpoint
  Closes keycloak#39278
  Closes keycloak#39279
  Signed-off-by: forkimenjeckayang <[email protected]>
* fix: OID4VCJWTIssuerEndpointTest
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: add javadoc comments to new test files
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: addressed reviewer(s) comment(s)
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: finalized reviewer comments and fixed tests
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: removed unnecessary logging
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: address reviewers' comments
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: address reviewer comments
  Signed-off-by: forkimenjeckayang <[email protected]>
---------
Signed-off-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
…to jwt proofs or as per new attestation proof type (#110)
* Add key attestation requirements to issuer metadata model tree
  Signed-off-by: Ingrid Kamga <[email protected]>
* Rename ProofTypeSupported to ProofTypeMetadata for confusion mitigation
  Signed-off-by: Ingrid Kamga <[email protected]>
* Add key attestation support to JWT proof validation and extend proof types
  - Introduced a new constant for the 'key_attestation' claim in JwtProofValidator.
  - Added validation for the 'key_attestation' claim to ensure it is not null.
  - Updated CredentialRequest to include AttestationProof as a supported proof type.
  - Registered AttestationProofValidatorFactory in the service configuration.
  Signed-off-by: Awambeng <[email protected]>
* Update attestation proof validator
  Signed-off-by: Awambeng Rodrick <[email protected]>
* Implement key attestation support with validation and trust store management
  Signed-off-by: Awambeng Rodrick <[email protected]>
* Refactor attestation proof validation: enhance error handling, remove unused trust store, and update method signatures for clarity
  Signed-off-by: Awambeng Rodrick <[email protected]>
* Refactor attestation proof validation: streamline validation logic, enhance error handling, and introduce AttestationValidatorUtil for JWT validation
  Signed-off-by: Awambeng Rodrick <[email protected]>
* Implement attestation key resolution: add AttestationKeyResolver interface, StaticAttestationKeyResolver implementation, and integrate key resolution into attestation proof validation and JWT validation processes.
  Signed-off-by: Awambeng Rodrick <[email protected]>
* test attestation key logic
  Signed-off-by: Ogenbertrand <[email protected]>
* Test that the credential configuration properly supports attestation proof type
  Signed-off-by: Ogenbertrand <[email protected]>
* remove unused imports
  Signed-off-by: Ogenbertrand <[email protected]>
* added new test for the attestation logic and resolve comments
  Signed-off-by: Ogenbertrand <[email protected]>
* debugging failing tests
  Signed-off-by: Ogenbertrand <[email protected]>
* improve testing
  Signed-off-by: Ogenbertrand <[email protected]>
* fix all the failing tests
  Signed-off-by: Ogenbertrand <[email protected]>
* address comments
  Signed-off-by: Ogenbertrand <[email protected]>
* restrict multiple keys for single VC
  Signed-off-by: Ogenbertrand <[email protected]>
* update test to fix ci
  Signed-off-by: Ogenbertrand <[email protected]>
* fix pipeline
  Signed-off-by: Ogenbertrand <[email protected]>
* address failing ci
  Signed-off-by: Ogenbertrand <[email protected]>
* update testInvalidAttestationSignature test
  Signed-off-by: Ogenbertrand <[email protected]>
---------
Signed-off-by: Ingrid Kamga <[email protected]>
Signed-off-by: Awambeng <[email protected]>
Signed-off-by: Awambeng Rodrick <[email protected]>
Signed-off-by: Ogenbertrand <[email protected]>
Co-authored-by: Ingrid Kamga <[email protected]>
Co-authored-by: Ogenbertrand <[email protected]>
…r Usages (#111)
Closes keycloak#40083
Signed-off-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
* Centralize OID4VCI Protocol Constants in Oid4VciConstants and Refactor Usages
  Closes keycloak#40083
  Signed-off-by: forkimenjeckayang <[email protected]>
* resolve conflicts
* resolve conflicts
---------
Signed-off-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
)
* Extend realm UI configuration by OID4VCI attributes
  Closes keycloak#39533
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: adjust tests in oid4vci-attributes.spec.ts based on feature availability
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: directly check OID4VCI feature from server info in tests before running
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: address comment(s) by @IngridPuppet
  Signed-off-by: forkimenjeckayang <[email protected]>
* update: skip tests when oid4vci feature is not enabled
  Signed-off-by: forkimenjeckayang <[email protected]>
---------
Signed-off-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
- Replace unsupported_credential_type and unsupported_credential_format with unknown_credential_configuration
- Add new unknown_credential_identifier error type as per OID4VCI draft 16
- Update error handling logic to differentiate between credential configuration and identifier errors
- Add comprehensive test coverage for new error types
Closes keycloak#41591
Refactor error handling in OID4VCIssuerEndpoint
Resolve comments on PR
fix failing test
Signed-off-by: Awambeng Rodrick <[email protected]>
- Add INVALID_NONCE error type to ErrorType enum as per OID4VCI specification
- Enhance JwtProofValidator to catch nonce validation failures and throw specific exceptions
- Update OID4VCIssuerEndpoint to handle invalid nonce errors and return proper error responses
- Adjust tests to verify invalid_nonce error handling works correctly
Closes keycloak#39292
Signed-off-by: Awambeng Rodrick <[email protected]>
… ≥ 2 (#123)
* Enforce batch_size ≥ 2 validation for batch_credential_issuance
  Closes: keycloak#41590
  Signed-off-by: forkimenjeckayang <[email protected]>
* Resolve conflicts on issue-41590
  Signed-off-by: Awambeng Rodrick <[email protected]>
---------
Signed-off-by: forkimenjeckayang <[email protected]>
Signed-off-by: Awambeng Rodrick <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
…g to handle credential_metadata with display and claims && Update Credential Issuer Metadata structure (#125)
* Restructure credential_configurations_supported parsing to handle credential_metadata with display and claims && Update Credential Issuer Metadata structure
  Closes: keycloak#41587
  Closes: keycloak#41597
  Signed-off-by: forkimenjeckayang <[email protected]>
* Resolve conflicts on issue-41587
  Signed-off-by: Awambeng Rodrick <[email protected]>
* fix compilation errors after resolving conflicts
  Signed-off-by: Awambeng Rodrick <[email protected]>
---------
Signed-off-by: forkimenjeckayang <[email protected]>
Signed-off-by: Awambeng Rodrick <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
…129)
* Rename ldp_vp to di_vp and restructure proofs object for Draft 16 compliance
  Closes: keycloak#41576
  Closes: keycloak#41577
  Closes: keycloak#41581
  Signed-off-by: forkimenjeckayang <[email protected]>
* refactor: support multiple proofs with Proofs aggregate
  - Replace single proof fields with an aggregate structure in:
    - AttestationProofValidator
    - JwtProofValidator
    - CredentialRequest
  - Update related tests to reflect the new structure
  Signed-off-by: Awambeng Rodrick <[email protected]>
* refactor: update error messages in OID4VCSdJwtIssuingEndpointTest for clarity
  Signed-off-by: Awambeng Rodrick <[email protected]>
* refactor: clean up legacy code
  Signed-off-by: Awambeng Rodrick <[email protected]>
* Remove obsolete LD_PROOF
  Signed-off-by: Awambeng Rodrick <[email protected]>
---------
Signed-off-by: forkimenjeckayang <[email protected]>
Signed-off-by: Awambeng Rodrick <[email protected]>
Co-authored-by: forkimenjeckayang <[email protected]>
)
* Updating credential_response_encryption logic as per draft 16
  Signed-off-by: Ogenbertrand <[email protected]>
* define the metadata for credential_request_encryption
  Signed-off-by: Ogenbertrand <[email protected]>
* configure the credential_request_encryption in the provider class
  Signed-off-by: Ogenbertrand <[email protected]>
* Update the endpoint to support credential_request_encryption
  Signed-off-by: Ogenbertrand <[email protected]>
* testing the request encryption logic
  Signed-off-by: Ogenbertrand <[email protected]>
* updating the encryption logic
  Signed-off-by: Ogenbertrand <[email protected]>
* testing request encryption in metadata
  Signed-off-by: Ogenbertrand <[email protected]>
* reset endpoint test
  Signed-off-by: Ogenbertrand <[email protected]>
* added helper methods to test request encryption logic
  Signed-off-by: Ogenbertrand <[email protected]>
* testing credential_request_encryption logic
  Signed-off-by: Ogenbertrand <[email protected]>
* Working in tests
  Signed-off-by: Ogenbertrand <[email protected]>
* updating the test structure
  Signed-off-by: Ogenbertrand <[email protected]>
* fix all failing tests and clean up codebase
  Signed-off-by: Ogenbertrand <[email protected]>
* resolve comments and update tests
  Signed-off-by: Ogenbertrand <[email protected]>
* resolve latest comments
  Signed-off-by: Ogenbertrand <[email protected]>
* Encrypt all responses if encryption parameters are provided, except for error credential responses
  Signed-off-by: Ogenbertrand <[email protected]>
* address current comments
  Signed-off-by: Ogenbertrand <[email protected]>
* add a check to ensure requestPayload isn't empty
  Signed-off-by: Ogenbertrand <[email protected]>
* enhance the testRequestCredentialWithWrongKeyTypeJWK test for clarity
  Signed-off-by: Ogenbertrand <[email protected]>
* updated test classes
  Signed-off-by: Ogenbertrand <[email protected]>
* Enhance ProofTypeDiVp documentation, add display and claims fields to SupportedCredentialConfiguration, and update related tests for requestCredential method
  Signed-off-by: Awambeng Rodrick <[email protected]>
* Enhance SupportedCredentialConfiguration to include display and claims fields, and update related tests for credential issuance
  Signed-off-by: Awambeng Rodrick <[email protected]>
* Address @IngridPuppet review comments
  Signed-off-by: Awambeng Rodrick <[email protected]>
---------
Signed-off-by: Ogenbertrand <[email protected]>
Signed-off-by: Awambeng Rodrick <[email protected]>
Co-authored-by: Ogenbertrand <[email protected]>
IngridPuppet (Collaborator) requested changes on Sep 2, 2025 and left a comment:
I added a few comments. Please could you check?
Review comments (all resolved) on:
- ...src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCAuthorizationDetailsProcessor.java (outdated)
- services/src/main/java/org/keycloak/protocol/oid4vc/utils/ClaimsPathPointer.java (outdated)
- services/src/main/java/org/keycloak/protocol/oid4vc/utils/ClaimsPathPointer.java (outdated)
- ...src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCAuthorizationDetailsProcessor.java (outdated)
- services/src/main/java/org/keycloak/protocol/oid4vc/utils/ClaimsPathPointer.java
- ...va/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCJwtAuthorizationDetailsFlowTest.java (outdated)
- ...va/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCJwtAuthorizationDetailsFlowTest.java (outdated)
- .../org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCSdJwtAuthorizationDetailsFlowTest.java (outdated)
…st validation (#133)
* update: Implement ReferencedTokenValidator for Token Status List validation
* update: resolve reviewer comments
IngridPuppet reviewed on Sep 3, 2025. Review comments (all resolved) on:
- ...src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCAuthorizationDetailsProcessor.java (outdated)
- ...src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCAuthorizationDetailsProcessor.java (outdated)
- services/src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint.java
- ...a/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCAuthorizationDetailsFlowTestBase.java (outdated)
IngridPuppet reviewed on Sep 7, 2025. Review comment (resolved) on:
- services/src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint.java
IngridPuppet reviewed on Sep 8, 2025. Review comment (resolved) on:
- services/src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint.java
IngridPuppet approved these changes on Sep 8, 2025.
* Implement multiple credential issuance
  Signed-off-by: Ingrid Kamga <[email protected]>
* Apply changes suggested by @tnorimat
  Signed-off-by: Ingrid Kamga <[email protected]>
* Fix `looksLikeCompactJwe` implementation
  Signed-off-by: Ingrid Kamga <[email protected]>
---------
Signed-off-by: Ingrid Kamga <[email protected]>
Co-authored-by: Ingrid Kamga <[email protected]>
af39973 to bb36498
07a6ffb to 11b010e
Summary
Updates `authorization_details` processing to comply with the OID4VCI draft-16 specification by removing the deprecated `format` parameter and implementing the new `claims` parameter for claims description objects.
Key Changes
- Removed `format` parameter from `authorization_details` processing
- Added `claims` parameter support for claims description objects
- `ClaimsDescription` model and `ClaimsPathPointer` utility
- Enhanced `authorization_details` arrays
Closes
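To make the draft-16 shape of `authorization_details` concrete, here is an added example in Python; it is not Keycloak's `OID4VCAuthorizationDetailsProcessor` or `ClaimsPathPointer`, and the function names, the sample credential and the two requests are constructed for this illustration. It assumes the draft-16 layout as described in the PR: `type` is `openid_credential`, `credential_configuration_id` is required, `format` is no longer accepted, and `claims` is an optional array of claims description objects, each with a `path` (claims path pointer: string for an object key, non-negative integer for an array index, `null` for every element of an array) and an optional boolean `mandatory`. The validator rejects a request that still sends `format`, and the resolver shows which credential values each pointer selects, failing only when a mandatory claim is unavailable.

```python
"""OID4VCI draft-16 authorization_details: validation and claims path pointers.

Added example, not Keycloak code. Assumed draft-16 shape: type == "openid_credential",
credential_configuration_id required, "format" no longer accepted, claims = optional
array of {"path": [...], "mandatory": bool}.
"""
import json

# Constructed sample credential claim set and requests (not real data).
SAMPLE_CLAIMS = {
    "given_name": "Erika",
    "address": {"locality": "Berlin", "postal_code": "10115"},
    "nationalities": ["DE", "FR"],
}
DRAFT16_REQUEST = json.dumps([{
    "type": "openid_credential",
    "credential_configuration_id": "IdentityCredential",
    "claims": [
        {"path": ["given_name"], "mandatory": True},
        {"path": ["address", "locality"]},
        {"path": ["nationalities", None]},   # null selects every array element
        {"path": ["nationalities", 0]},      # integer selects one array index
        {"path": ["email"]},                 # absent from the credential, but optional
    ],
}])
# Pre-draft-16 entry that still carries the removed "format" parameter.
LEGACY_REQUEST = json.dumps([{"type": "openid_credential", "format": "jwt_vc_json"}])


class AuthorizationDetailsError(ValueError):
    """An authorization_details entry violating the assumed draft-16 rules."""


def _check_path(path) -> None:
    """Reject anything that is not a non-empty, well-typed claims path pointer."""
    if not isinstance(path, list) or not path:
        raise AuthorizationDetailsError("claims[].path must be a non-empty array")
    for comp in path:  # bool is an int subclass in Python, so exclude it explicitly
        if comp is None or isinstance(comp, str):
            continue
        if isinstance(comp, bool) or not isinstance(comp, int) or comp < 0:
            raise AuthorizationDetailsError(f"invalid path component: {comp!r}")


def validate_authorization_details(raw: str) -> list:
    """Parse the JSON authorization_details array and enforce the draft-16 shape."""
    details = json.loads(raw)
    if not isinstance(details, list) or not details:
        raise AuthorizationDetailsError("authorization_details must be a non-empty array")
    for entry in details:
        if not isinstance(entry, dict) or entry.get("type") != "openid_credential":
            raise AuthorizationDetailsError("type must be 'openid_credential'")
        if "format" in entry:  # removed in draft 16: fail loudly rather than ignore it
            raise AuthorizationDetailsError("'format' removed; use credential_configuration_id")
        if not isinstance(entry.get("credential_configuration_id"), str):
            raise AuthorizationDetailsError("credential_configuration_id is required")
        claims = entry.get("claims", [])
        if not isinstance(claims, list):
            raise AuthorizationDetailsError("claims must be an array")
        for desc in claims:
            if not isinstance(desc, dict) or not isinstance(desc.get("mandatory", False), bool):
                raise AuthorizationDetailsError("claims entries must be objects with boolean mandatory")
            _check_path(desc.get("path"))
    return details


def resolve_claims_path(root, path: list) -> list:
    """Return every value the pointer selects in root; an absent key or index yields an
    empty selection so the caller can decide whether a mandatory claim is missing."""
    selected = [root]
    for comp in path:
        next_sel = []
        for node in selected:
            if isinstance(comp, str):
                if not isinstance(node, dict):
                    raise AuthorizationDetailsError(f"key {comp!r} applied to a non-object")
                if comp in node:
                    next_sel.append(node[comp])
            else:
                if not isinstance(node, list):
                    raise AuthorizationDetailsError(f"{comp!r} applied to a non-array")
                if comp is None:
                    next_sel.extend(node)
                elif comp < len(node):
                    next_sel.append(node[comp])
        selected = next_sel
    return selected


def requested_claims(raw: str, credential_claims: dict) -> dict:
    """Map each requested path (JSON-encoded) to the credential values it selects."""
    result = {}
    for entry in validate_authorization_details(raw):
        for desc in entry.get("claims", []):
            values = resolve_claims_path(credential_claims, desc["path"])
            if desc.get("mandatory", False) and not values:
                raise AuthorizationDetailsError(f"mandatory claim {desc['path']} unavailable")
            result[json.dumps(desc["path"])] = values
    return result


def is_rejected(raw: str) -> bool:
    """True when validation fails, e.g. for a request that still sends 'format'."""
    try:
        validate_authorization_details(raw)
    except AuthorizationDetailsError:
        return True
    return False
```

Calling `requested_claims(DRAFT16_REQUEST, SAMPLE_CLAIMS)` returns the selected values per pointer (the optional `email` path resolves to an empty list rather than an error), while `is_rejected(LEGACY_REQUEST)` is true because the entry still carries `format`. Rejecting rather than ignoring the removed parameter keeps a client that was written against an older draft from silently receiving a credential of a configuration it never named.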