[Datev-Develop] Update authorization_details for OID4VCI draft-16 compliance#136
Closed
forkimenjeckayang wants to merge 21 commits into datev/develop from
Conversation
* Make Keycloak an OpenID4VP verifier for user authentication
  Closes adorsys/eudiw-app#408
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
* Address changes requested by @Awambeng
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
* Address more changes requested by @Awambeng
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
* Address more changes requested by @forkimenjeckayang
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
---------
Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>

…n_details at the Token Endpoint (#109)
* Add support for parsing and understanding authorization_details at the Token Endpoint
  Closes keycloak#39278
  Closes keycloak#39279
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* fix: OID4VCJWTIssuerEndpointTest
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: add javadoc comments to new test files
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: addressed reviewer(s) comment(s)
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: finalized reviewer comments and fixed tests
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: removed unnecessary logging
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: address reviewers comments
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: address reviewer comments
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
---------
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <104195313+forkimenjeckayang@users.noreply.github.com>
…to jwt proofs or as per new attestation proof type (#110)
* Add key attestation requirements to issuer metadata model tree
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
* Rename ProofTypeSupported to ProofTypeMetadata for confusion mitigation
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
* Add key attestation support to JWT proof validation and extend proof types
  - Introduced a new constant for the 'key_attestation' claim in JwtProofValidator.
  - Added validation for the 'key_attestation' claim to ensure it is not null.
  - Updated CredentialRequest to include AttestationProof as a supported proof type.
  - Registered AttestationProofValidatorFactory in the service configuration.
  Signed-off-by: Awambeng <awambengrodrick@gmail.com>
* Update attestation proof validator
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* Implement key attestation support with validation and trust store management
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* Refactor attestation proof validation: enhance error handling, remove unused trust store, and update method signatures for clarity
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* Refactor attestation proof validation: streamline validation logic, enhance error handling, and introduce AttestationValidatorUtil for JWT validation
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* Implement attestation key resolution: add AttestationKeyResolver interface, StaticAttestationKeyResolver implementation, and integrate key resolution into attestation proof validation and JWT validation processes.
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* test attestation key logic
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* Test that the credential configuration properly supports attestation proof type
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* remove unused imports
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* added new test for the attestation logic and resolve comments
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* debugging failing tests
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* improve testing
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* fix all the failing test
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* address comments
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* restrict multiple keys for single VC
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* update test to fix ci
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* fix pipeline
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* address failing ci
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* update test testInvalidAttestationSignature test
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
---------
Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
Signed-off-by: Awambeng <awambengrodrick@gmail.com>
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
Co-authored-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
Co-authored-by: Ogenbertrand <ogenbertrand@gmail.com>
…r Usages (#111)
Closes keycloak#40083
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <104195313+forkimenjeckayang@users.noreply.github.com>

* Centralize OID4VCI Protocol Constants in Oid4VciConstants and Refactor Usages
  Closes keycloak#40083
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* resolve conflicts
* resolve conflicts
---------
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <104195313+forkimenjeckayang@users.noreply.github.com>

)
* Extend realm UI configuration by OID4VCI attributes
  Closes keycloak#39533
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: adjust tests in oid4vci-attributes.spec.ts based on feature availability
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: directly check OID4VCI feature from server info in tests before running
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: address comment(s) by @IngridPuppet
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* update: skip tests when oid4vci feature is not enabled
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
---------
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: forkimenjeckayang <104195313+forkimenjeckayang@users.noreply.github.com>
- Replace unsupported_credential_type and unsupported_credential_format with unknown_credential_configuration
- Add new unknown_credential_identifier error type as per OID4VCI draft 16
- Update error handling logic to differentiate between credential configuration and identifier errors
- Add comprehensive test coverage for new error types
Closes keycloak#41591
Refactor error handling in OID4VCIssuerEndpoint
Resolve comments on PR
fix failing test
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>

- Add INVALID_NONCE error type to ErrorType enum as per OID4VCI specification
- Enhance JwtProofValidator to catch nonce validation failures and throw specific exceptions
- Update OID4VCIssuerEndpoint to handle invalid nonce errors and return proper error responses
- Adjust tests to verify invalid_nonce error handling works correctly
Closes keycloak#39292
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>

… ≥ 2 (#123)
* Enforce batch_size ≥ 2 validation for batch_credential_issuance
  Closes: keycloak#41590
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* Resolve conflicts on issue-41590
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
---------
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Co-authored-by: forkimenjeckayang <forkimenjeckayang@gmail.com>

…g to handle credential_metadata with display and claims && Update Credential Issuer Metadata structure (#125)
* Restructure credential_configurations_supported parsing to handle credential_metadata with display and claims && Update Credential Issuer Metadata structure
  Closes: keycloak#41587
  Closes: keycloak#41597
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* Resolve conflicts on issue-41587
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* fix compilation errors after resolving conflicts
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
---------
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Co-authored-by: forkimenjeckayang <forkimenjeckayang@gmail.com>

…129)
* Rename ldp_vp to di_vp and restructure proofs object for Draft 16 compliance
  Closes: keycloak#41576
  Closes: keycloak#41577
  Closes: keycloak#41581
  Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
* refactor: support multiple proofs with Proofs aggregate
  - Replace single proof fields with an aggregate structure in:
    - AttestationProofValidator
    - JwtProofValidator
    - CredentialRequest
  - Update related tests to reflect the new structure
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* refactor: update error messages in OID4VCSdJwtIssuingEndpointTest for clarity
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* refactor: clean up legacy code
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* Remove obsolete LD_PROOF
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
---------
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Co-authored-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
)
* Updating credential_response_encryption logic as per draft 16
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* define the metadata for credential_request_encryption
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* configure the credential_request_encryption in the provider class
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* Update the endpoint to support credential_request_encryption
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* testing the request encryption logic
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* updating the encryption logic
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* testing request encryption in metadata
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* reset endpoint test
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* added helper methods to test request encryption logic
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* testing credential_request_encryption logic
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* Working in tests
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* updating the test structure
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* fix all failing tests and clean up codebase
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* resolve comments and update tests
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* resolve latest comments
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* Encrypt all responses if encryption parameters are provided, except for error credential responses
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* address current comments
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* add a check to ensure requestPayload isn't empty
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* enhance the testRequestCredentialWithWrongKeyTypeJWK test for clarity
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* updated test classes
  Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
* Enhance ProofTypeDiVp documentation, add display and claims fields to SupportedCredentialConfiguration, and update related tests for requestCredential method
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* Enhance SupportedCredentialConfiguration to include display and claims fields, and update related tests for credential issuance
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
* Address @IngridPuppet review comments
  Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
---------
Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Co-authored-by: Ogenbertrand <ogenbertrand@gmail.com>
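The Credential Request rules the commits above implement (the split of unknown_credential_configuration from unknown_credential_identifier, the `proofs` object with jwt, di_vp and attestation as its proof types in place of the old single `proof`, and the batch_size limit), as an added example in Python that is not Keycloak's code: validate_credential_request, error_code_for, ErrorType and CredentialRequestError are this example's own names, the request bodies are constructed for the demonstration, and returning invalid_credential_request for more proofs than batch_size is this example's choice rather than something the page states.

```python
"""Validate an OID4VCI draft-16 Credential Request body and pick the error code.

Added example, not Keycloak's implementation: every name here is this example's own.
Rules mirrored from draft 16: a request names its credential by exactly one of
credential_configuration_id (only when the Token Response returned no
credential_identifiers) or credential_identifier (only one the Token Response
returned); `proofs` is an object with exactly one proof-type key holding a
non-empty array; a wallet must not send more proofs than the issuer's batch_size.
"""
from enum import Enum


class ErrorType(str, Enum):
    INVALID_CREDENTIAL_REQUEST = "invalid_credential_request"
    UNKNOWN_CREDENTIAL_CONFIGURATION = "unknown_credential_configuration"
    UNKNOWN_CREDENTIAL_IDENTIFIER = "unknown_credential_identifier"
    INVALID_PROOF = "invalid_proof"


class CredentialRequestError(Exception):
    def __init__(self, error: ErrorType, description: str):
        super().__init__(f"{error.value}: {description}")
        self.error = error
        self.description = description


PROOF_TYPES = ("jwt", "di_vp", "attestation")  # draft-16 names; ldp_vp is gone


def validate_credential_request(body: dict, supported_configuration_ids: set,
                                token_credential_identifiers: set, batch_size: int = 1) -> dict:
    """Return a normalised request, or raise CredentialRequestError with the code to send.

    token_credential_identifiers: identifiers the Token Response returned for this
    access token (empty when no authorization_details were used).
    batch_size: the issuer's batch_credential_issuance.batch_size; 1 when batch
    issuance is not advertised.
    """
    has_cfg = "credential_configuration_id" in body
    has_id = "credential_identifier" in body
    if has_cfg == has_id:  # neither or both
        raise CredentialRequestError(ErrorType.INVALID_CREDENTIAL_REQUEST,
            "exactly one of credential_configuration_id or credential_identifier is required")
    if has_cfg:
        if token_credential_identifiers:
            raise CredentialRequestError(ErrorType.INVALID_CREDENTIAL_REQUEST,
                "credential_configuration_id must not be used when credential_identifiers were issued")
        config_id = body["credential_configuration_id"]
        if config_id not in supported_configuration_ids:
            # distinct code so a wallet can tell "no such configuration" from "no such identifier"
            raise CredentialRequestError(ErrorType.UNKNOWN_CREDENTIAL_CONFIGURATION,
                                         f"unknown credential configuration {config_id!r}")
        selector = ("credential_configuration_id", config_id)
    else:
        cred_id = body["credential_identifier"]
        if cred_id not in token_credential_identifiers:
            raise CredentialRequestError(ErrorType.UNKNOWN_CREDENTIAL_IDENTIFIER,
                                         f"credential_identifier {cred_id!r} was not issued with this token")
        selector = ("credential_identifier", cred_id)

    proof_type, proof_values = None, []
    proofs = body.get("proofs")
    if proofs is not None:
        if not isinstance(proofs, dict) or len(proofs) != 1:
            raise CredentialRequestError(ErrorType.INVALID_PROOF,
                                         "proofs must be an object with exactly one proof type")
        (proof_type, proof_values), = proofs.items()
        if proof_type not in PROOF_TYPES:
            raise CredentialRequestError(ErrorType.INVALID_PROOF, f"unsupported proof type {proof_type!r}")
        # jwt and attestation proofs are compact strings, di_vp proofs are objects
        if (not isinstance(proof_values, list) or not proof_values
                or not all(isinstance(p, (str, dict)) for p in proof_values)):
            raise CredentialRequestError(ErrorType.INVALID_PROOF, f"{proof_type} must be a non-empty array")
        if len(proof_values) > batch_size:  # error code for this case is this example's choice
            raise CredentialRequestError(ErrorType.INVALID_CREDENTIAL_REQUEST,
                                         f"{len(proof_values)} proofs exceed batch_size {batch_size}")
    return {"selector": selector, "proof_type": proof_type, "proofs": proof_values}


def error_code_for(body: dict, supported_configuration_ids: set,
                   token_credential_identifiers: set, batch_size: int = 1):
    """The error code the issuer would return for `body`, or None when it is acceptable."""
    try:
        validate_credential_request(body, supported_configuration_ids, token_credential_identifiers, batch_size)
    except CredentialRequestError as exc:
        return exc.error.value
    return None
```

The two unknown_* codes are only useful if the issuer decides which selector the wallet used before it looks anything up; checking membership first and then guessing the code from the parameter name produces the wrong code for a request that carried both.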
IngridPuppet
requested changes
Sep 2, 2025
Collaborator
IngridPuppet
left a comment
I added a few comments. Please could you check?
…st validation (#133)
* update: Implement ReferencedTokenValidator for Token Status List validation
* update: resolve reviewer comments
IngridPuppet
reviewed
Sep 3, 2025
IngridPuppet
approved these changes
Sep 8, 2025
* Implement multiple credential issuance
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
* Apply changes suggested by @tnorimat
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
* Fix `looksLikeCompactJwe` implementation
  Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
---------
Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
Co-authored-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
Force-pushed af39973 to bb36498
Force-pushed 07a6ffb to 11b010e
Summary
Updates authorization_details processing to comply with the OID4VCI draft-16 specification by removing the deprecated format parameter and implementing the new claims parameter for claims description objects.
Key Changes
Removed format parameter from authorization_details processing
Added claims parameter support for claims description objects
ClaimsDescription model and ClaimsPathPointer utility
Enhanced authorization_details arrays
Closes
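How a draft-16 authorization_details value is parsed (the format selector rejected, credential_configuration_id required, each claims entry a claims description object) and how a claims path pointer then selects values out of a credential, as an added example in Python that is not Keycloak's ClaimsDescription or ClaimsPathPointer code: parse_authorization_details, validate_claims_path, resolve_claims_path, requested_claim_values and the sample request and credential payload are this example's own constructions.

```python
"""Parse OID4VCI draft-16 `authorization_details` and resolve claims path pointers.

Added example, not Keycloak's code: the function names and the sample request and
credential below are this example's own. A claims path pointer is an array whose
components are a string (object key), null (every element of an array) or a
non-negative integer (array index), applied left to right.
"""
import json
from typing import Any


class AuthorizationDetailsError(ValueError):
    """Raised for an authorization_details value the issuer must reject."""


def validate_claims_path(path: Any) -> list:
    """Accept a claims path pointer or raise; returns the path unchanged."""
    if not isinstance(path, list) or not path:
        raise AuthorizationDetailsError("claims[].path must be a non-empty array")
    for component in path:
        if component is None or isinstance(component, str):
            continue
        # bool is a subclass of int in Python, so true/false must be excluded explicitly
        if isinstance(component, int) and not isinstance(component, bool) and component >= 0:
            continue
        raise AuthorizationDetailsError(f"invalid path component {component!r}")
    return path


def parse_authorization_details(raw: str) -> list:
    """Return accepted entries as {credential_configuration_id, claims}.

    Draft 16 dropped the `format` selector; an entry still carrying it is rejected
    rather than ignored, so a pre-draft-16 wallet cannot obtain a credential whose
    configuration it never named.
    """
    try:
        details = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise AuthorizationDetailsError(f"authorization_details is not valid JSON: {exc}") from exc
    if not isinstance(details, list) or not details:
        raise AuthorizationDetailsError("authorization_details must be a non-empty JSON array")
    accepted = []
    for entry in details:
        if not isinstance(entry, dict) or entry.get("type") != "openid_credential":
            raise AuthorizationDetailsError("each entry must be an object with type openid_credential")
        if "format" in entry:
            raise AuthorizationDetailsError("'format' is not allowed in draft 16; use credential_configuration_id")
        config_id = entry.get("credential_configuration_id")
        if not isinstance(config_id, str) or not config_id:
            raise AuthorizationDetailsError("credential_configuration_id is required")
        claims = entry.get("claims", [])
        if not isinstance(claims, list):
            raise AuthorizationDetailsError("claims must be an array of claims description objects")
        descriptions = []
        for claim in claims:
            if not isinstance(claim, dict):
                raise AuthorizationDetailsError("claims[] entries must be objects")
            descriptions.append({"path": validate_claims_path(claim.get("path")),
                                 "mandatory": bool(claim.get("mandatory", False))})
        accepted.append({"credential_configuration_id": config_id, "claims": descriptions})
    return accepted


def resolve_claims_path(document: Any, path: list) -> list:
    """Return every value the claims path pointer selects in `document`.

    A component applied to the wrong kind of node selects nothing (the draft's
    "abort" case), which surfaces here as an empty result rather than an exception.
    """
    selected = [document]
    for component in path:
        narrowed = []
        for node in selected:
            if isinstance(component, str):
                if isinstance(node, dict) and component in node:
                    narrowed.append(node[component])
            elif component is None:
                if isinstance(node, list):
                    narrowed.extend(node)
            elif isinstance(node, list) and component < len(node):
                narrowed.append(node[component])
        selected = narrowed
        if not selected:
            break
    return selected


# Constructed sample: a draft-16 authorization_details value and a credential payload.
SAMPLE_AUTHORIZATION_DETAILS = json.dumps([{
    "type": "openid_credential",
    "credential_configuration_id": "IdentityCredential",
    "claims": [
        {"path": ["given_name"], "mandatory": True},
        {"path": ["address", "street_address"]},
        {"path": ["nationalities", None]},
        {"path": ["degrees", 0, "type"]},
    ],
}])
SAMPLE_CREDENTIAL = {
    "given_name": "Erika",
    "address": {"street_address": "Heidestrasse 17", "locality": "Koeln"},
    "nationalities": ["DE", "FR"],
    "degrees": [{"type": "Bachelor"}, {"type": "Master"}],
}


def requested_claim_values(raw_details: str, credential: dict) -> dict:
    """Map each requested path (serialised as JSON) to the values it selects."""
    result = {}
    for entry in parse_authorization_details(raw_details):
        for claim in entry["claims"]:
            result[json.dumps(claim["path"])] = resolve_claims_path(credential, claim["path"])
    return result
```

Rejecting the entry on an unknown path component (rather than skipping it) matters because the same path list is later used to decide which claims end up in the issued credential; a silently dropped component would widen the selection.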