fix(apigw): pre-authorized OID4VCI credential flow#429
Draft
kushaldas wants to merge 1 commit into
Pull request overview
Fixes the pre-authorized OID4VCI issuance flow in APIGW by ensuring credential_identifiers from the token response are persisted and can be resolved downstream, and by relaxing identifier requirements for assertion-based standalone OIDC-RP offers.
Changes:
- Persist generated credential_identifiers to the cached authorization context in the token endpoint.
- Resolve credential_identifier back to credential_configuration_id via token-response authorization_details before determining credential format.
- Mark standalone OIDC-RP offers as assertion-based (DataSource=assertion) so registry identifier resolution is best-effort.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/openid4vci/credential.go | Updates credential format resolution to map opaque credential_identifier via authorization_details. |
| internal/apigw/apiv1/handlers_oauth.go | Persists generated credential_identifiers onto the authorization context for later validation. |
| internal/apigw/apiv1/handlers_issuer.go | Passes authorization details into format resolution. |
| internal/apigw/apiv1/handlers_oidcrp.go | Sets standalone OIDC-RP auth context DataSource to assertion for best-effort identifier resolution. |
The credential endpoint rejected every pre-authorized issuance because
the token-response credential_identifiers were never usable downstream,
and the standalone OIDC-RP offer demanded a registry identifier it could
not resolve.
- handlers_oauth.go (Token): persist the generated
credential_identifiers onto the authorization context via
AuthContext.Update. They were only added to the response copy and
never stored, so CredentialRequest.Validate could never find them
("credential_identifier ... not found in Token Response
authorization_details").
- pkg/openid4vci/credential.go (ResolveCredentialFormat): map
credential_identifier back to its credential_configuration_id through
the authorization_details, then resolve the format from issuer
metadata. It previously looked the random UUID up directly as a config
key ("could not resolve credential_identifier ..."). The new
authDetails parameter is variadic so existing single-arg callers still
compile.
- handlers_issuer.go: pass authContext.AuthorizationDetails to
ResolveCredentialFormat.
- handlers_oidcrp.go (standalone offer): set DataSource = assertion so
the registry identifier is best-effort; the flow already stores the
trusted IdP claims as the document, so a subject without an identity
mapping no longer fails with "no identifier in auth context".
- credential_test.go: cover the credential_identifier ->
authorization_details mapping.
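As an added example (not the project's code; the type and function names are assumed stand-ins), the two halves of the fix described in the commit message in Go: the token endpoint persists the minted identifiers on the cached context before returning them, and format resolution maps an opaque credential_identifier back to its credential_configuration_id through authorization_details instead of using it as a configuration key.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"slices"
)

// Constructed stand-ins for the project's types (names assumed, not the real ones).
type AuthorizationDetail struct {
	CredentialConfigurationID string
	CredentialIdentifiers     []string
}
type AuthContext struct{ AuthorizationDetails []AuthorizationDetail }
type IssuerMetadata struct{ CredentialConfigurationsSupported map[string]struct{ Format string } }

// mintIdentifier returns an opaque random credential_identifier (32 hex chars).
func mintIdentifier() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// issueIdentifiers mints one credential_identifier per authorization detail, writes it
// into the cached context (the step the bug skipped) and returns the token-response copy.
func issueIdentifiers(ctx *AuthContext) []AuthorizationDetail {
	for i := range ctx.AuthorizationDetails {
		ctx.AuthorizationDetails[i].CredentialIdentifiers = []string{mintIdentifier()}
	}
	return slices.Clone(ctx.AuthorizationDetails)
}

// resolveFormat maps credential_identifier back to its credential_configuration_id
// through the persisted authorization_details and reads the format from issuer
// metadata; the opaque identifier is never used as a configuration key itself.
func resolveFormat(id string, meta IssuerMetadata, authDetails []AuthorizationDetail) (string, error) {
	for _, ad := range authDetails {
		if ad.CredentialConfigurationID == "" || !slices.Contains(ad.CredentialIdentifiers, id) {
			continue
		}
		cfg, ok := meta.CredentialConfigurationsSupported[ad.CredentialConfigurationID] // nil map reads safely
		if !ok {
			return "", fmt.Errorf("unknown credential_configuration_id %q mapped from credential_identifier %q", ad.CredentialConfigurationID, id)
		}
		return cfg.Format, nil
	}
	return "", fmt.Errorf("credential_identifier %q not found in Token Response authorization_details", id)
}
```

Resolving against a context that was never updated (the pre-fix behaviour) fails with the "not found in Token Response authorization_details" error, which is the symptom the commit message quotes.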
951fa61 to dd4d73b
Comment on lines +258 to +266
| for _, ad := range authDetails { | ||
| if ad.CredentialConfigurationID != "" && slices.Contains(ad.CredentialIdentifiers, req.CredentialIdentifier) { | ||
| if metadata.CredentialConfigurationsSupported != nil { | ||
| if config, ok := metadata.CredentialConfigurationsSupported[ad.CredentialConfigurationID]; ok { | ||
| return config.Format, nil | ||
| } | ||
| } | ||
| return "", fmt.Errorf("unknown credential_configuration_id %q mapped from credential_identifier %q", ad.CredentialConfigurationID, req.CredentialIdentifier) | ||
| } |
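Review bot: the `metadata.CredentialConfigurationsSupported != nil` guard around the lookup is redundant, since indexing a nil map in Go returns the zero value with `ok == false`; the two nested ifs can collapse to a single `config, ok := metadata.CredentialConfigurationsSupported[ad.CredentialConfigurationID]` followed by `if !ok { return "", fmt.Errorf(...) }`, which also makes the error path for a nil map and for a missing key identical instead of relying on fall-through.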