Open
Conversation
Contributor
weiiv
commented
Mar 6, 2026
weiiv
commented
- Upgraded the mDOC processor (Tim)
- Added demo support for status list and mDOC credentials (Tim)
- Updated README.md
- Standardized processor initialization: all credential processors are now loaded through configure() (Ivan)
- Added OID4VIC v1.0 issuer metadata configuration and aligned credential metadata (Ivan)
- Updated JWT and SD‑JWT processors (Ivan)
Signed-off-by: timbl-ont <tim.bloomfield@ontario.ca>
Add notes on how to use the status list plugin with the oid4vc plugin Signed-off-by: timbl-ont <163455524+timbl-ont@users.noreply.github.com>
…ID4VCI-Readme-update OID4VC Update to README.md
Signed-off-by: timbl-ont <tim.bloomfield@ontario.ca>
Signed-off-by: timbl-ont <tim.bloomfield@ontario.ca>
Signed-off-by: timbl-ont <tim.bloomfield@ontario.ca>
Signed-off-by: timbl-ont <tim.bloomfield@ontario.ca>
Signed-off-by: Tim Bloomfield <tim.bloomfield@iccs-isac.org>
# Conflicts: # oid4vc/poetry.lock
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
jamshale
reviewed
Mar 10, 2026
oid4vc/jwt_vc_json/routes.py
Outdated
| reason=f"Record with identifier {body['identifier']} already exists." | ||
| ) | ||
|
|
||
| LOGGER.info(f"body: {body}") |
Contributor
There was a problem hiding this comment.
This looks like a development log. If you do want to log this I think it should be debug level and a bit more descriptive.
jamshale
reviewed
Mar 10, 2026
oid4vc/mso_mdoc/routes.py
Outdated
| reason=f"Record with identifier {body['identifier']} already exists." | ||
| ) | ||
|
|
||
| LOGGER.info(f"body: {body}") |
Contributor
There was a problem hiding this comment.
Same here as previous comment.
jamshale
reviewed
Mar 10, 2026
Contributor
jamshale
left a comment
jamshale
left a comment
There was a problem hiding this comment.
This looks good to me 👍
I'm going to request a review from co-pilot.
There was a problem hiding this comment.
Pull request overview
This PR updates the OID4VCI implementation toward v1.0 compliance, touching credential metadata structures, proof handling, token grant fields, and issuer configuration across multiple credential formats (JWT, SD-JWT, mso_mdoc).
Changes:
- Replaced legacy fields (
user_pin/user_pin_required,cryptographic_suites_supported,format_data,credentials) with v1.0-aligned equivalents (tx_code,credential_signing_alg_values_supported,credential_metadata,credential_configuration_ids,proofs) - Added
IssuerConfigurationmodel and endpoints for managing issuer metadata, and moved credential processor registration into per-pluginsetup()/configure()methods - Updated mDOC processor with proper CBOR tagging, device key handling, and base64url credential output
Reviewed changes
Copilot reviewed 50 out of 51 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| oid4vc/sd_jwt_vc/routes.py | Updated schema fields, added validation, moved vct to vc_additional_data |
| oid4vc/sd_jwt_vc/cred_processor.py | Fallback for vct lookup, added credential_metadata(), log level changes |
| oid4vc/pyproject.toml | Added bitarray/filelock deps, changed pycose version constraint |
| oid4vc/oid4vc/utils.py | Fixed JWK base64url encoding |
| oid4vc/oid4vc/tests/routes/test_public_routes.py | Updated tests for new metadata structure and proof format |
| oid4vc/oid4vc/tests/routes/test_admin.py | Commented out existing admin test |
| oid4vc/oid4vc/tests/models/test_supported_cred.py | Updated tests for metadata() method |
| oid4vc/oid4vc/routes.py | Removed old create/update endpoints, added issuer config endpoints, updated credential offer |
| oid4vc/oid4vc/public_routes.py | Updated metadata endpoint, nonce handling, credential issuance response |
| oid4vc/oid4vc/models/supported_cred.py | Added new fields, metadata() method with legacy fallback |
| oid4vc/oid4vc/models/nonce.py | Removed used from TAG_NAMES, fixed redeem_by_value |
| oid4vc/oid4vc/models/issuer_config.py | New model for issuer configuration |
| oid4vc/oid4vc/init.py | Commented out default jwt_vc_json registration, updated shutdown signature |
| oid4vc/mso_mdoc/* | Updated MSO issuer, mdoc signing, routes, cred_processor |
| oid4vc/jwt_vc_json/* | New routes.py, updated init.py for plugin setup, cred_processor metadata |
| oid4vc/integration/* | Updated client, conftest, docker-compose for v1.0 fields |
| oid4vc/auth_server/* | Replaced user_pin/user_pin_required with tx_code throughout |
| oid4vc/demo/* | Added mDL support, status list config, UI updates |
| oid4vc/docker/* | Added status_list plugin support |
Comments suppressed due to low confidence (13)
oid4vc/oid4vc/models/nonce.py:1
- The
redeem_by_valuemethod now always returnsNone. After successfully marking the nonce as used (lines 75-76), the code falls through toreturn Noneon line 77 instead of returning the record. Thereturn Noneshould be moved into the expiry check branch, and areturn recordshould follow the save. The original logic returned the record after marking it used.
oid4vc/oid4vc/public_routes.py:1 - The format validation check has been commented out rather than removed or replaced with an equivalent check for the new
credential_configuration_idfield. This leaves an important validation gap where a client could potentially request issuance with a mismatched format. Either remove the commented code or implement the appropriate v1.0 validation.
oid4vc/oid4vc/public_routes.py:1 - The
try/exceptblock forCredProcessorErrorhas been commented out. This means anyCredProcessorErrorraised during credential issuance will bubble up as an unhandled 500 error instead of returning a descriptive 400 response. This error handling should be restored.
oid4vc/oid4vc/tests/routes/test_admin.py:1 - The entire test file for the admin
supported_credential_createendpoint has been commented out rather than updated to match the new schema. Since the old endpoint was removed and new format-specific endpoints were added (injwt_vc_json/routes.py,sd_jwt_vc/routes.py,mso_mdoc/routes.py), these new create/update endpoints lack test coverage.
oid4vc/sd_jwt_vc/cred_processor.py:1 - If both
supported.credential_metadataandsupported.format_dataareNone,credential_metadatais set to{}(an empty dict). An empty dict is falsy in Python, so theif not credential_metadatacheck on line 172 will raise the ValueError. However, if either is set to an empty dict{}, theorchain will still result in{}which also triggers the error. This is likely correct for the empty case, but theor {}fallback on line 171 is misleading — it suggests an empty dict is acceptable when it immediately causes an error.
oid4vc/sd_jwt_vc/cred_processor.py:1 - Using
pop()onvc_additional_dataandcred_metadatamutates the dicts that are part of thesupported_credinput dict. Sincesupported_credis passed in from the caller (which gets it fromsupported.metadata()), this mutation could cause unexpected side effects if the caller or other code references these nested dicts afterward. Consider using.get()instead of.pop()or working on copies.
oid4vc/oid4vc/public_routes.py:1 - There are multiple "TEMP" commented-out blocks in this function. These should either be properly removed or replaced with the correct v1.0 validation logic before merging, as they indicate incomplete implementation.
oid4vc/mso_mdoc/mso/issuer.py:1 - The comment references a
share.google/aimodeURL which appears to be an AI-generated session link. This is not useful documentation for other developers and should be removed or replaced with a meaningful comment.
oid4vc/mso_mdoc/mdoc/issuer.py:1 - The function is named
extract_key_from_jwtbut it simply parses a JSON string — it doesn't extract anything from a JWT token. The commented-out code and misleading docstring suggest this is leftover from experimentation. Consider renaming to something likeparse_jwk_from_jsonand removing the dead comments.
oid4vc/oid4vc/models/supported_cred.py:1 - Missing space between concatenated string literals — results in "valuethat" when joined.
oid4vc/oid4vc/models/supported_cred.py:1 - Missing space between concatenated string literals — results in "materialthat" when joined.
oid4vc/oid4vc/models/supported_cred.py:1 - Missing space between concatenated string literals — results in "displayof" when joined.
oid4vc/oid4vc/models/supported_cred.py:1 - Missing space between concatenated string literals — results in "datato" when joined.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
oid4vc/jwt_vc_json/cred_processor.py
Outdated
| return await self.verify(profile, presentation) | ||
|
|
||
| def credential_metadata(self, supported_cred: dict) -> dict: | ||
| """Transform and return metadata for a supported SD-JWT credential.""" |
There was a problem hiding this comment.
The docstring says "SD-JWT credential" but this is the JwtVcJsonCredProcessor. The same incorrect docstring also appears in mso_mdoc/cred_processor.py line 74-75. These should say "JWT VC" and "mso_mdoc" respectively.
Suggested change
| """Transform and return metadata for a supported SD-JWT credential.""" | |
| """Transform and return metadata for a supported JWT VC credential.""" |
oid4vc/demo/frontend/index.js
Outdated
| }; | ||
|
|
||
| // 1. Create supported credential for mso_mdoc | ||
| const createCredentialSupportedUrl = `${API_BASE_URL}/oid4vci/credential-supported/create`; |
There was a problem hiding this comment.
The mDL demo code posts to the generic /oid4vci/credential-supported/create endpoint, but this endpoint was removed in this PR. The mDL-specific endpoint is /oid4vci/credential-supported/create/mso-mdoc. This will result in a 404 at runtime.
Suggested change
| const createCredentialSupportedUrl = `${API_BASE_URL}/oid4vci/credential-supported/create`; | |
| const createCredentialSupportedUrl = `${API_BASE_URL}/oid4vci/credential-supported/create/mso-mdoc`; |
oid4vc/jwt_vc_json/routes.py
Outdated
| @@ -0,0 +1,247 @@ | |||
| """SD-JWT VC extra routes.""" | |||
There was a problem hiding this comment.
The module docstring says "SD-JWT VC extra routes" but this file is for JWT VC JSON routes.
Suggested change
| """SD-JWT VC extra routes.""" | |
| """JWT VC JSON extra routes.""" |
Signed-off-by: Ivan Wei <ivan.wei@ontario.ca>
Contributor
Author
|
Thanks @jamshale for the review. I’ve addressed your feedback and pushed the fixes. Please take another look when you have a chance. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.