[Keycloak-OID4VCI]: Add support for parsing and understanding authorization_details at the Token Endpoint #54
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
forkimenjeckayang
force-pushed
the
issue-39278
branch
from
ed438a9 to
57e34ee
Compare
Awambeng
requested changes
Jun 19, 2025
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetail.java
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetailResponse.java
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetailResponse.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetail.java
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/PreAuthorizedCodeGrantType.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/PreAuthorizedCodeGrantType.java
Show resolved
Hide resolved
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
stephane-segning
requested changes
Jun 19, 2025
Collaborator
stephane-segning
left a comment
stephane-segning
left a comment
There was a problem hiding this comment.
Nice work. My remarks are mostly comments and worries.
-
Response Structure and Compatibility
- Downstream clients expecting the previous token response format may break if they can’t handle the new authorization_details field.
- Future changes to the AuthorizationDetailResponse structure could cause incompatibility
- => Include comprehensive API changelogs and documentation updates & ensure strong versioning and feature toggling if needed.
-
Logical/Behavioral Regression
- => Consider additional concurrency testing under load
-
Code Maintainability & Extensibility
-
Error Handling & Feedback
- => Log internal context server-side, but give minimal info in the API response
-
Input Validation & Parsing
- => Use strict Jackson settings (fail on unknown, max depth/size)
- => Consider adding a maximum array/object depth or length to avoid DoS attacks 🤔
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
Ogenbertrand
requested changes
Jun 20, 2025
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetail.java
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetailResponse.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetailResponse.java
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
Collaborator
|
Permit me to continue with the review on monday, as my health doesn't allow me to continue with the review today. |
forkimenjeckayang
requested review from
Awambeng,
Ogenbertrand and
stephane-segning
stephane-segning
approved these changes
Jun 23, 2025
Awambeng
requested changes
Jun 24, 2025
Collaborator
Awambeng
left a comment
Awambeng
left a comment
There was a problem hiding this comment.
Thanks for addressing the changes. I have two minor comments for you to take a look at
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetail.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetailResponse.java
Outdated
Show resolved
Hide resolved
Ogenbertrand
requested changes
Jun 24, 2025
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetailResponse.java
Outdated
Show resolved
Hide resolved
services/src/main/java/org/keycloak/protocol/oid4vc/model/AuthorizationDetailResponse.java
Outdated
Show resolved
Hide resolved
...test/java/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCSdJwtIssuingEndpointTest.java
Outdated
Show resolved
Hide resolved
...test/java/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCSdJwtIssuingEndpointTest.java
Show resolved
Hide resolved
Ogenbertrand
requested changes
Jun 24, 2025
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
Outdated
Show resolved
Hide resolved
Awambeng
approved these changes
Jun 26, 2025
Ogenbertrand
requested changes
Jun 26, 2025
...rc/test/java/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCJWTIssuerEndpointTest.java
Outdated
Show resolved
Hide resolved
...rc/test/java/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCJWTIssuerEndpointTest.java
Outdated
Show resolved
Hide resolved
Collaborator
|
I confirm that my changes has been resolve correctly, and i'll proceed by approving. |
Ogenbertrand
approved these changes
Jun 26, 2025
forkimenjeckayang
force-pushed
the
issue-39278
branch
from
d0c3644 to
336bd90
Compare
forkimenjeckayang
force-pushed
the
issue-39278
branch
4 times, most recently
from
c5ebe36 to
8419995
Compare
forkimenjeckayang
force-pushed
the
issue-39278
branch
from
3c85a54 to
d815854
Compare
…e Token Endpoint Closes: keycloak#39278 Closses: keycloak#39279 Signed-off-by: forkimenjeckayang <[email protected]>
forkimenjeckayang
force-pushed
the
issue-39278
branch
from
d815854 to
40159e7
Compare
…ss in server-spi-private Signed-off-by: forkimenjeckayang <[email protected]>
Signed-off-by: forkimenjeckayang <[email protected]>
Signed-off-by: forkimenjeckayang <[email protected]>
…s tests Signed-off-by: mposolda <[email protected]>
Signed-off-by: forkimenjeckayang <[email protected]>
Fix failing tests - UserSessionLimitsTest, FineGrainedAdminPermission…
IngridPuppet
force-pushed
the
main
branch
2 times, most recently
from
bda0e2a to
f99c912
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements support for parsing and understanding
authorization_detailsparameter at the Token Endpoint for OpenID4VCI (OpenID for Verifiable Credential Issuance).Implementation Includes:
1. Authorization Details Processing
authorization_detailsparameter in token requestscredential_configuration_idandformat-based authorization details2. Credential Identifier Generation
{UUID}3. Session-based Identifier Persistence
credential_configuration_idwithin the same sessionPreAuthorizedCodeandAuthorizationCodegrant types4. Response Enhancement
authorization_detailsin token responses with generated credential identifiers