Integration of AIA to OID4VCI Pre-authorization code flow #44764

mposolda · 2025-12-09T09:10:09Z

mposolda
Dec 9, 2025
Maintainer

I would like to ask about OID4VCI Pre-authorization code flow as implemented in current Keycloak.

Current way

Per my understanding, there is the Keycloak endpoint /realms/test/protocol/oid4vc/credential-offer-uri, which is supposed to create credential-offer and it is very first endpoint, which needs to be triggered during the Keycloak OID4VCI pre-authorization code flow. This is "custom" Keycloak endpoint, which is not described in the OID4VCI specification.

Endpoint is supposed to be invoked with the Authorization: Bearer and requires valid access token. The QR code picture is returned by Keycloak server and that QR code is supposed to be displayed in the OIDC client application, from where then eventually can be scanned by the user to his Wallet. So there might be some client application (referred to as OIDC client in the picture and text below) where this QR code must be currently displayed. Per my understanding, the typical flow may look like this:

sequenceDiagram
   participant US as User
   participant CL as OIDC client
   participant WL as Wallet
   participant KC as Keycloak


   US->>KC: User authenticates
   KC->>CL: OIDC token returned (regular OIDC authorization_code grant)
   CL->>KC: Credential-offer-uri request with access token
   KC->>CL: Returned QR code
   CL->>US: QR code displayed to the user
   US->>WL: User scans QR code to the wallet
   Note over US,KC: Flow continues as per OID4VCI specs step 3 of pre-authorized flow in paragraph 3.5

I see some possible limitations here. Especially:

Per the specification, the QR code is supposed to be sent by the issuer to the wallet. But here we have possibly another actor (OIDC client) rather than QR code being displayed by the issuer
OIDC client himself can obtain the token from pre-authorization grant, which is supposed to be used by the Wallet. There are possible security issues with privilege escalation here like Impersonation possible in OID4VCI credential creation endpoint #44745 .
There is not any consent displayed to the user as requested per the specification . The OIDC client application may possibly display some consent to the user before it sends the initial request for credential-offer creation, however Keycloak as credential issuer doesn't have any control if the user really properly provided the consent for this.
Harder to handle cases where user is missing some mandatory attributes for the OID4VC credential.
Harder to handle more secure variants - especially the variant with tx_code , which might be a requirement for some deployments.

Considering the limitations above, I wonder if this credential-offer-uri endpoint is really proper way to approach the problem of properly starting this flow?

Proposal

Can we use the Keycloak required-actions / application-initiated actions (AIA) to approach the problem instead? In short, I can imagine something like this:

There will be new required action implementation in Keycloak like create-oid4vci-credential-offer .
This can be parameterized AIA. Some Keycloak required actions (EG. DeleteCredentialAction or IdpLinkAction) already supports parameter. Client application can use something like kc_action=create-oid4vci-credential-offer:parameter-value where parameter-value might be some structure (maybe JSON) encapsulating some parameters currently sent to credential-offer-uri endpoint (EG. credential-configuration-id, client_id. Not sure if more are needed. I would rather avoid username - see Impersonation possible in OID4VCI credential creation endpoint #44745 for the details).
Keycloak can display screen to the user with the QR code and some text like You can register credential 'Passport' with Wallet 'Lissy-wallet'
Once user consents this and scans the QR code with his Wallet, browser redirects him back to OIDC client. But note that the OIDC client doesn't see the QR code or any other context of OID4VC credential. It is just used for trigger the flow with kc_action parameter. The wallet can continue proper OID4VC pre-authorization code flow now.

Variants

TX Code support - On the screen with QR code, there could be possibly also option to send the email with tx_code to the user. Or maybe this is done automatically if configured before redirecting to OIDC client? The tx_code support is probably a follow-up? But can be probably nice to support it IMO.
Credential offer endpoint - Instead of displaying QR code, the screen can just ask user for the consent and then the credential-offer could be directly sent to the wallet credential_offer_endpoint if it is preferred way of the wallet to receive credential offer. This is per specs section 12.1
Admin triggered flow: Instead of flow being triggered from OIDC client, it can possibly be triggered by administrator, who would ask user to start credential-offer creation. This might be done by:
- Administrator will send an email to the user with a link for start the flow for specific OID4VC credential. When user clicks on the link from email, the QR code would be displayed to the user and he can start the flow from there. Implementation note: There is already endpoint UserResource.executeActionsEmail, but it doesn't support any parameters. So may require some API updates and admin console updates - in the admin console, it is bit hidden in the Credentials tab of the user (In the tab Users -> Selecting user -> tab Credentials -> button Credential Reset)
- Administrator can assign required-action to the user. Then user will be requested to start credential-offer during his next login. Currently required-actions assigned by the administrator to the user don't support any parameters, so that would also needed some changes in the API if we want to support this...

WDYT?

tdiesler · 2025-12-09T10:13:02Z

tdiesler
Dec 9, 2025

Yes, the above picture is incorrect because there is indeed another actor initiating the credential offer process. It is the Issuer not the Holder/User that starts the process.

Issuer creates offer URI (and associated QR code)
Issuer passes that information to the Holder's wallet (offer push endpoint on wallet, or out-of-band e.g. email)
The Credential Offer is a long lived object and can be used by the Holder repeatedly to retrieve the associated Verifiable Credential
If it is a pre-auth offer, the holder does not need any other form of authorization to fetch the VC

From the UI perspective, it'd be good to have a view that shows the QR code to whoever creates credential offers for registered users. In the context of a University for example, it would be someone from administration who holds the 'credential-offer-create' role. That person would want to see not only the offerUri but also the associated QR code, which can then be passed on to the student.

This brings me to why the current getCredentialOfferURI(...) response is inadequate because it requires two calls: one for the uri and one for the qr code. Instead, it should work such that the uri is always returned and the qr code can be optionally returned in the same payload as well - it should just be another representation for the uri.

Currently, two calls to that endpoint create two distinct credential offers.

3 replies

mposolda Dec 9, 2025
Maintainer Author

Yes, the fact that getCredentialOfferURI(...) requires 2 calls (one for QR code and one for URL) and creates 2 credential offers looks like another issue, which I did not mention in the "limitations" above. I assume that ideal experience is, that the QR code shown to the user together with the URL. This is what for example walt.id is doing (See screenshot):

It would be possible to easily show both of those to the user if we switch to "required-actions" approach instead. The required-action can be ideally created by the administrator (might be the user with the credential-offer-create role, but also should possibly have a role for administering users).

In the discussion above, I've also suggested that credential offer might be created by user himself if we use the kc_action parameter, which would be added to the OIDC flow triggered by some client (See AIA docs for the details). Note that in that case, the QR code (and URL) will be still shown by Keycloak. The OIDC client, which triggered the OIDC flow, will not have any knowledge of this QR code and credential-offer and will not display it or otherwise interact with it.
Could it be the desired use-case for pre-authorization code flow for some OID4VC credentials that user himself triggers creation of OID4VC credential by himself?

tdiesler Dec 9, 2025

No, I don't think so. The .well-known/openid-credential-issuer configuration lists vc config ids, which can be used by a user (without vc offer) to obtain a vc. This, in a way by-passes the whole credential offer mechanism (and I wonder whether it should even be supported). However, as long as it is supported, there is no need for a user to create a cred offer - because she can get the wanted vc anyway ;-) Unless of course, the Holder does not have her own oidc credentials.

Perhaps, there should be something in the vc config like "offer-required" - but that's not standard as of now. I'll check with the folks from EBSI and and also with the spec group how/whether offers should be enforced.

mposolda Dec 10, 2025
Maintainer Author

@tdiesler Yes, I also wonder if it should be supported to obtain VC without credential-offer.

However specifically for the pre-authorized flow, AFAIK the credential-offer is always required to be created beforehand (I might be wrong and need to doublecheck...). If that is the case, and the credential-offer creation cannot be never triggered by user himself for any specific credentials, it means that pre-authorization code flow would always require admin user involvement (user with create-credential-offer role) to create the credential for the user . So for the wallets supporting only pre-authorized flow, there would be a requirement of admin user being involved. Do I understand correctly what you mean?

Captain-P-Goldfish · 2025-12-10T14:48:30Z

Captain-P-Goldfish
Dec 10, 2025

Here are my thoughts to this topic:

@mposolda you are absolutely right. This endpoint is basically for testing purposes to have a fast initialization endpoint so we can test this feature. This is also related to a ticket I once created: #39260. The topic of this ticket might be misunderstood but I meant to move these custom-endpoints into their own class to make sure that such confusion will not arise :-)

Regarding the credential_offer:
From my point of view there are several use-cases to consider:

cross-device flow
user self-initiated flow
admin-initiated flow

These use-cases are relevant for the PreAuthorized Code Flow.

cross-device flow

The user is using his desktop computer and is already authenticated at Keycloak
The user starts the process for initiating the issuance at some credential-provider that is able to delegate to Keycloak
The credential-provider initiates an AuthorizationRequest to Keycloak
Keycloak notices that the user is already authenticated and offers the user a QR code (cross-device) and a DeepLink (same-device) which will both open the wallet.
The user picks up her mobile device and scans the QR code which opens the wallet with the credential_offer_uri and Keycloak and then the credential_offer will be issued directly into the wallet
- @francis-pouatcha this is the point where I disagree with you. If I understood you correctly in todays meeting you said that the credential-offer might be issued by the client. But I do not know how this should work and I think that the explained use-case is the intended one for the credential-offer. If the client should be able to issue the credential_offer it must have a strong trust-binding to Keycloak. Maybe this would be an idea when using the PushedAuthorizationRequest. The credential-provider could send the credential to Keycloak creating a transient user and then returning a preAuthorizedCode. But the better way would still be to just follow the standard AuthorizationCodeFlow and show the QR code at Keycloak instead of the clients website.

user-self-initiated flow

Keycloak has user-data to issue specific credentials or knows some credential-providers that are able to share the credential relevant data with Keycloak (transient user and this is nowhere defined in the spec, just a use-case from my mind)
So The user enters her account details and wants a specific supported credential in her wallet. She selects a credential and Keycloak starts the process either by doing some magic with the remote credential-provider or by providing again a depp-link (same-device) and a QR code (cross-device) to initiate the issuing as also described above.

admin-initiated flow

As suggested by @tdiesler an admin might initiate the process by preparing the credential-issuance for a group of users that require a specific credential.
In that case the users will be either notified by email or the next time they do a login into their account.

That is my understanding of how it should work.

1 reply

mposolda Dec 12, 2025
Maintainer Author

Thanks @Captain-P-Goldfish for the reply. It seems to me that the use-cases you mentioned can be addressed with the "actions" approach proposed in this discussion, which would mean that we will not need credential-offer-uri endpoint entirely? Some additional points:

cross-device flow

If I understand your use-case correctly, this is exactly what could be addressed with the "actions" approach and specifically with the Application-initiated action used by Keycloak kc_action parameter.

I can see there might be still some kind of "OIDC client portal application", which is the regular browser application secured by Keycloak where user can select the verifiable credential. Once user selects the credential, the app can send the OIDC auth request to Kycloak with kc_action=create-credential-offer:eyJjcmVkZW50aWFsX2NvbmZpZ19pZCI6InBhc3Nwb3J0IiwgImNsaWVudF9pZCI6Imxpc3N5LXdhbGxldC1jbGllbnQifQ== (The parameter is Base64encoded value of { "credential_config_id":"passport", "client_id":"lissy-wallet"}) . So obtaining offer still triggered from that portal app, but actual QR code with the credential-offer shown by the Keycloak. Not by the "OIDC client portal application" itself.

This is the similar approach used for other Keycloak use-cases. For example for "update password" of the user, the built-in Keycloak account console previously used REST API where new password could be send. However this was changed to instead use "Application initiated actions" . Now account-console just redirects user to Keycloak with the kc_action=UPDATE_PASSWORD and it is Keycloak, which shows to user the form for providing new password. This has lots of benefits (EG. better security as there is no need to share the password with the client application, ability to re-authenticate user etc).

Going through the Keycloak OIDC flow also gives opportunity for other requirements - like for example if scope=passport is used, then user would be also asked to fill some additional attributes before the page with credential-offer (QR code and etc) is shown to him. As Keycloak user-profile feature allows to ask user to fill specific attributes if the specific scope=passport is used in OIDC login request. I am not 100% sure I entirely understand your use-case "user-self-initiated flow", but seems this might address it?

admin-initiated flow

I can see the proposal would work for this flow. Keycloak already has ability that administrator can assign "required action" to the user or send the email to the user like Please reset your password . The current API for this is not parameterized (which is small disadvantage in comparison to AIA, which already supports parameters). As it seems we need something like admin asking user for Please obtain VC offer of credential 'passport' with your wallet 'lissy-wallet' . However the parameterized required-actions are probably doable though by some updates to Keycloak REST API and admin console...

sberyozkin · 2025-12-16T23:08:10Z

sberyozkin
Dec 16, 2025

Hi @mposolda

Thanks for initiating this discussion,

I'm not sure Keycloak itself should be showing a QR code since IMHO it belongs in the application domain, and specifically in the custom issuer application space. As a wallet user, I'd expect my university website offer me this QR code, at some point after me logging to the university website with Keycloak, with the university OIDC client acquiring a preauthorized code alongside the transaction code, and sending me this transaction code out of band, such that, when I scan the QR code with the wallet, wallet could request the transaction code.

I'm not sure Keycloak should be doing this work itself, sending the transaction code out of band - Keycloak does not see the user details during the preauthorized code acquisition and hence it will not know where to send the transaction code to.

Furthermore, for example, if I login to MyUniversity, the implicit knowledge that I need some credentials related to this university is already established, so I'd not expect to provide information such as my university at the Keycloak login time...

Apologies if I'm missing a few points.

I think your point about the user profile is good, I saw there was a UserInfo VC draft underway, which can be relevant.

Thanks

2 replies

sberyozkin Dec 16, 2025

Marek, please take my comments as comments from someone who does not fully understand patterns Keycloak users are used to when it comes to acquring additional information.

I guess I'd like to have a QR code option be optional if it gets added directly to Keycloak.

I can imagine situations where a Quarkus based issuer application will use a credential provider that is not collocated with Keycloak the authorisation server

Cheers

sberyozkin Dec 17, 2025

I'm not sure Keycloak should be doing this work itself, sending the transaction code out of band - Keycloak does not see the user details during the preauthorized code acquisition and hence it will not know where to send the transaction code to.

I was wrong here as the access token that was acquired as part of the user login into the University website is used to access to fetch an offer from Keycloak.

However, at the time the user selects a credential to be offered, the user has already gone through the Keycloak login process and is at the University website which now will offer a QR code.

I suppose, if I go to the University website and that website shows a list of credentials before I login, then Keycloak will know at the login time the required credential... I guess the problem here is that as a user I'm in the process of the logging in into my university so I'd likely expect to be landed back at the university website first, where I'll be offered a QR code.

Though I can definitely imagine various options now. I suppose as long as the QR code is offered optionally at the KC end, all types of scenarios can be handled.

tdiesler · 2025-12-18T07:06:47Z

tdiesler
Dec 18, 2025

In the University use case, administration already has a trust relationship with the student - part of that would be the student's email. The student will also likely have credentials that allow her to do stuff on the Universities online portal. These credentials would not necessarily have to be the same that we are talking about in the context of oid4vci authorization. In theory, it would be possible that the Issuer (Keycloak) has a User entries with associated Credentials that students know nothing about.

The Issuer initiates the credential offer e.g. sends an CredentialOfferURI to the student. The pre-authorized code grants the student the right to fetch a credential with a specific credential_id (and nothing else) - no Keycloak login would ever be required.

12 replies

sberyozkin Dec 18, 2025

Issuer Proxy is what it is, sounds like a good term for it.

The Holder never initiates the CredentialOffer flow - like in the real world, I do not make an offer for myself, some other entity makes an offer to me.

+1, sure, I did not imply it. I mean indirectly, the holder tells the issuer (proxy) that it wants a diploma or other credential and that initiates an offer flow

mposolda Dec 18, 2025
Maintainer Author

The Holder never initiates the CredentialOffer flow - like in the real world, I do not make an offer for myself, some other entity makes an offer to me.

From the use-cases above made by @Captain-P-Goldfish , it looks to me that in some use-cases, user himself starts initiation of the flow (user self-initiating flow).

Right now, my understanding is, from the wallet's user's UI experience, this user scans the QR code at the University website, not at the Keycloak side.

I can imagine this QR code will be offered at the Keycloak end as well, but at the moment I'm not sure how that will work in the UI flow. IMHO that should be an optional feature.

This is where I rather see it the other way around and it would be rather Keycloak showing the QR code. I can imagine that University (which acts as Issuer Proxy in this example) provides a way for administrator to start issuing credential-offer.

Once that is done, there will be email sent to the user (or user notified by some other way) , that credential-offer was created for him. And once user clicks on the link from the email, user would be redirected to Keycloak where the page with QR code is shown to him.

The page with that QR code can be also shown to the user during regular user login (not necessarily needs to be initiated by clicking on the link from the email). And also that Keycloak page can have another button like Create transaction code . Where user clicks on that button, another email might be sent to him with the transaction code (Note there is not need for any possibly insecure hacks like sending transaction_code alongside pre-authorized code as those are not supposed to be sent together for security reasons per my understanding.)

So I am rather seeing that QR code is shown on the Keycloak page rather than on the University page. This has multiple advantages like I've mentioned in the initial post of this discussion. Also other advantage is that Keycloak page can show both QR code and the link (That would be helpful to avoid the limitation mentioned by @tdiesler : Note, there is currently a glitch in Keycloak which currently create either a credential offer uri OR credential offer QR code i.e. if you create a QR code, you effectively create another offer ).

From the @tdiesler above, I can see that picture 1 might be the "University" page (The page where admin selects which credential type to issue to which user). However the picture 2 with the actual QR code is something, which IMO should be rather shown by Keycloak.

My biggest concern here is security. As in the other scenario with QR code directly created by admin and displayed on the university page, the administrator (and university as an "Issuer proxy" client application itself) has direct access to the QR code, which in case of pre-authorized flow allows administrator to rather obtain the VC credential himself on behalf of the user.

That is why in Keycloak, there are those "Required actions" used whenever possible. For example administrator can ask user to "Hey, please setup your OTP" . And administrator asks user to setup OTP either by email or by setting "Required action" to his account . Then it's user himself, who needs to setup OTP and he can do that either during his next browser login, or by clicking on the link from the email. The page for "Setup OTP" is displayed by Keycloak to the user and administrator has never access to it. So realm administrator himself don't have a way to know the OTP secret and hence cannot login as user himself in any way. And this case actually looks similar.

I will also try to prepare a demo with the "required action" approach. Probably will not manage this year, but hopefully to share on January.

sberyozkin Dec 18, 2025

This is where I rather see it the other way around and it would be rather Keycloak showing the QR code. I can imagine that University (which acts as Issuer Proxy in this example) provides a way for administrator to start issuing credential-offer.
Once that is done, there will be email sent to the user (or user notified by some other way) , that credential-offer was created for him. And once user clicks on the link from the email, user would be redirected to Keycloak where the page with QR code is shown to him.

I think you are referring to a delayed credential issuance flow ?

And also that Keycloak page can have another button like Create transaction code . Where user clicks on that button, another email might be sent to him with the transaction code

IMHO it should definitely be done without asking a user, it should not be a choice of a user whether a wallet should request a user to enter a transaction code or not. I believe, the tx code must be generated at a time a pre-authorized code is returned and it is exactly at this time when a user is also notified out of band the tx code is available

sberyozkin Dec 18, 2025

I.e it should done by default, out of the box, whenever a credential offer is returned, with an option to turn it off for demos in the Keycloak dashboard. It is impossible to prove without a tx_code that the pre-authorized code did not get into the wrong hands

mposolda Dec 19, 2025
Maintainer Author

I think you are referring to a delayed credential issuance flow ?

Not sure what you exactly mean by "Delated credential issuance flow" ? In case you refer to the "Deferred credentials" described in the specification, then the answer is: No, I am not referring to that (even though supporting this might be useful as well, but that is probably rather a follow-up of initial OID4VCI support and is likely for different discussion...)

But if "Delayed" you meant that when admin creates the credential-offer for some user, then it may take some time for user (EG. few hours or days) until user can react to this, then yes. As it is natural that user may not be "online" at the same time when administrator wants to offer him some credential. I believe this is something, which both approaches (Action-based approach or current approach with custom credential-offer-uri endpoint) needs to deal with and should make sure to support it.

I've added dedicated comment with some more explanations of the flows. I hope to prototype this early next year.

IMHO it should definitely be done without asking a user, it should not be a choice of a user whether a wallet should request a user to enter a transaction code or not. I believe, the tx code must be generated at a time a pre-authorized code is returned and it is exactly at this time when a user is also notified out of band the tx code is available

Possibly yes. I am not yet 100% sure. I can imagine that it is done without asking user and transaction_code would be send automatically to the user's email. Perhaps the email can be done in the "Credential offer" endpoint (Endpoint OID4VCIssuer.getCredentialOffer in the current Keycloak codebase) where the tx_code would be sent to the user's email address.

I.e it should done by default, out of the box, whenever a credential offer is returned, with an option to turn it off for demos in the Keycloak dashboard. It is impossible to prove without a tx_code that the pre-authorized code did not get into the wrong hands

Yes, it would be great if tx_code could be sent by default. This will improve the whole security as since the tx_code would be sent to user's email, it is 100% confirmed that it is just user himself, who can do credential-request creation. It may probably help at least to mitigate at least some limitations (especially security) of the current approach with "credential-offer-uri" endpoint.

However, I am not 100% sure if Keycloak can automatically assume that tx_code is used? It is optional part of the specification and it is possible that some 3rd-party wallets don't support it.

tdiesler · 2025-12-18T13:51:24Z

tdiesler
Dec 18, 2025

ok, the holder may nudge/remind the issuer as long as there is a common understanding that the holder does not somehow create the offer. With Keycloak you need to have the credential-offer-create role in order to that - I expect only an administrator working for the entity that issues a given credential type will have that role.

8 replies

sberyozkin Dec 18, 2025

Here is an issuer-proxy flow in my demo.

Alice did a few courses in the Software Credentials Academy and later visits the website to request some VCs, Software Credentials Academy looks like this:

Alice knows she definitely did the PQC PhD course, clicks on it, and Software Credentials Academy logs her in:

Software Credentials Academy talks to Keycloak's credential offer endpoint, on behalf of Alice, to create an offer for the PQC PhD and once the offer is available, itself prepares a QR code on its website:

Alice scans the QR code, and accepts the offer in her wallet, after entering a transaction code:

So this is how I imagine it should work, please keep in mind, at the Quarkus level there will be no guarantee Keycloak will be used as a credential issuer, Quarkus based issuer-proxy applications will have a standard credential_offer response, that is all.

So, I believe your preference is to offer a QR code at the Keycloak side. But I'm not sure how it can work, at what point in the demo above will I offer a user a QR code in Keycloak such that a user can for example cancel and just get back to Software Credentials Academy website...

sberyozkin Dec 18, 2025

In any case, @tdiesler, @mposolda, all, thanks for your work, clarifications, happy holidays, cheers

tdiesler Dec 18, 2025

IMHO, it should work such that if you can create a credential offer, you can also see the KC generated QR code. CredentialOffer, the URI that points to it and the QR code that encodes both/either should all be part of the same KC Response.

sberyozkin Dec 18, 2025

Sure, I'd be interested to see a demo from Marek next year, see it from a Keycloak centric QR code presentation angle, perhaps different approaches can work.

There are different things that I'm trying to figure out now, how the issuer proxy knows where to redirect a wallet user to, as opposed to me hardcoding it in a demo, how a wallet can tell user that this is a credential offer from Software Credential Academy ( an entity the user just logged into a min ago), without hardcoding it, etc.

Look forward to keeping experimenting with Keycloak OID4VCI next year

Thanks again.

mposolda Dec 19, 2025
Maintainer Author

@sberyozkin It seems your demo is the case when "Alice" initiates creation of the credential for herself from the credential portal application (Software Credentials Academy) ? Probably similar to what I've mentioned in this comment as "user initiated flow". The difference is, that in case of the "Actions based approach", the QR code (your step 3) will be the page displayed by KC itself instead of by the "Credential portal" application.

mposolda · 2025-12-19T09:33:05Z

mposolda
Dec 19, 2025
Maintainer Author

Perhaps, I am adding the diagrams with the flows as how I can imagine it may work.

Admin initiated-flow with "Required action" .

Admin uses "Required actions" in Keycloak for various things already. For example admin adds required action "Update profile" or "Setup TOTP" to the user. Then user is requested during his next login to KC to update his user profile or setup his TOTP. This is done by KC page shown to him. So I can imagine the page (possibly with QR code for the wallet) is shown to him during his next login.

The "Credential portal" is some OIDC application secured by Keycloak. It is the party like "University portal" (or Issuer proxy) from the example above by @sberyozkin . However it can be also Keycloak admin console itself (No need for dedicated "Credential portal" application in that case).

sequenceDiagram
   participant AD as Admin
   participant PT as Credential Portal 
   participant US as User   
   participant WL as Wallet
   participant KC as Keycloak

   AD->>KC: 1) Admin authenticates
   KC->>PT: 2) Admin authenticated in credential-portal app
   AD->>PT: 3) Admin triggers creation of credential-offer for the user
   PT->>KC: 4) Admin API request to create required-action "creation of credential offer" for user 
   US->>KC: 5) User doing login to KC to some browser application
   KC->>US: 6) QR code page displayed to user (at the end of the login, after authentication is finished)
   US->>WL: 7) User scans QR code to the wallet
   Note over US,KC: 8) Flow continues as per OID4VCI specs step 3 of pre-authorized flow in paragraph 3.5

Admin-API initiated flow with the email

Similar to previous, but the email is sent to the user. After user clicks on the link from email, the KC page is displayed to him. Keycloak already has support for this functionality of sending email to users. For example admin can send email to the user asking user to update his TOTP. Once user clicks on the link from email, the page with "Setup TOP" is displayed to him. So just leveraging existing Keycloak functionality, which is pretty much already there.

sequenceDiagram
   participant AD as Admin
   participant PT as Credential Portal 
   participant US as User   
   participant WL as Wallet
   participant KC as Keycloak

   AD->>KC: 1) Admin authenticates
   KC->>PT: 2) Admin authenticated in credential-portal app
   AD->>PT: 3) Admin triggers creation of credential-offer for the user
   PT->>KC: 4.a) Admin API request to send email to the user 
   KC->>US: 4.b) Email sent to user like "Credential offer available to you. Please click this link to see it"
   US->>KC: 5) User clicks link from email
   KC->>US: 6) Link from email displays KC page with QR code displayed to user
   US->>WL: 7) User scans QR code to the wallet
   Note over US,KC: Flow continues as per OID4VCI specs step 3 of pre-authorized flow in paragraph 3.5

User initiated flow

User initiates creation of credential-offer for himself from some "Credential portal" application . Probably similar to the @sberyozkin example above. It seems the only main difference between this flow and @sberyozkin flow is, that QR code is displayed by KC page instead of by "Credential portal" application itself:

sequenceDiagram
   participant US as User
   participant PT as Credential Portal
   participant US as User
   participant WL as Wallet
   participant KC as Keycloak

   US->>KC: 1) User authentication
   KC->>PT: 2) User authenticated in credential-portal app
   US->>PT: 3) User triggers creation of credential-offer
   PT->>KC: 4) OIDC authentication flow with "kc_action=create-credential-offer:xy" parameter
   KC->>US: 5) KC display page with QR code to the user after SSO flow finish
   US->>WL: 6) User scans QR code to the wallet
   Note over US,KC: Flow continues as per OID4VCI specs step 3 of pre-authorized flow in paragraph 3.5

Additional points

I can see some more variants to those flows. For example QR code does not need to be directly displayed to the user, but instead it can be directly sent to the wallet in case that wallet supports credential_offer_endpoint parameter described in the specification . In this case, user would still see some page where he should agree before the offer is sent to the wallet - which is aligned with the specs, which explicitly mentions "user consent" in section 3.5 point 1 .

I hope to do prototype of this flow early next year to better present how I can imagine this to work. Created issue for this: #45026 .

1 reply

sberyozkin Dec 19, 2025

Thanks @mposolda, one thing that might be worth accommodating for, in the user initiated flow, is for the user be able to opt out from accepting the offer and continue working with the portal after cancelling. I suppose the step 2/4 might be combined.
Look forward to discussing it further with various demos

tdiesler · 2025-12-19T10:15:44Z

tdiesler
Dec 19, 2025

How would this work in the case where the user does not have KC login credentials? With a pre-authorized CredentialOffer the user receives a code that when exchanged for an AccessToken allows her to fetch the credential associated with the offer. No other trust relationship with KC would be required.

5 replies

sberyozkin Dec 19, 2025

Interesting, I thought Keycloak Credential Issuer was designed with an implicit assumption that the wallet users were Keycloak-registered users.

tdiesler Dec 19, 2025

I might be alone with this view ;-) However, the pre-auth case suggests that KC can (and perhaps should be) placed behind some proxy that governs how and when offers are made and how they are delivered. Two other points make we wonder ...

how would wallets even now the client_id of all the issuers they deal with?
Is the issuer KC really expected to know the credential offer endpoints of all the user wallets?

AFAICS, working with pre-auth offers fixes many security and config issues

sberyozkin Dec 19, 2025

how would wallets even now the client_id of all the issuers they deal with?

Yes, good question, I guess a long term plan is that mobile phone wallets will act somehow similar to how public MCP OAuth2 clients act, they will get credential issuer metadata, check the authorization server content, pull authorization server metadata, register themselves dynamically with Keycloak, or via client initiated metadata...

Is the issuer KC really expected to know the credential offer endpoints of all the user wallets?

Right, I don't even know how to handle it with a single wallet :-) in a custom portal demo... I guess for the same device cases the openid-credential-offer:// scheme is designed for that ?

mposolda Dec 19, 2025
Maintainer Author

Yes, I also suppose that user has account in Keycloak and is able (should) authenticate to Keycloak.

From what I propose, the only possible exception to this is the flow "Admin-API initiated flow with the email". That one does not require user to have any login credentials in Keycloak (no password, passkey, OTP needed). Instead it requires him to have valid email address where Keycloak is able to send emails. In that case, user is verified by clicking the link in the email. Possession of the email address is considered as a proof that offer was used by correct user in that case.

tdiesler Dec 19, 2025

Ok, let's assume the user has KC login credentials. Still, I maintain that the response to credential-offer-create should contain ...

credential_offer or credential_offer_uri
optional QR code that encodes the above

It should then be at the discretion of whoever created the offer to distribute that information to the user (somehow).
Would this simple model not work?

Let's not forget that we can limit the use of a pre-auth AccessToken to fetching the specific credential that was offered.

sberyozkin · 2025-12-19T10:57:44Z

sberyozkin
Dec 19, 2025

Good morning, the question I've been planning to ask today, is a credential offer that requires the use of the authorization code flow grant is supported in Keycloak ? It should be relevant to this discussion to some extent. Such an offer can also be scanned via a QR code.

2 replies

tdiesler Dec 19, 2025

A non pre-auth offer made by EBSI looks like this

{
    "credential_issuer": "https://api-conformance.ebsi.eu/conformance/v3/issuer-mock",
    "credentials": [
        {
            "format": "jwt_vc",
            "types": [
                "VerifiableCredential",
                "VerifiableAttestation",
                "CTWalletSameAuthorisedInTime"
            ],
            "trust_framework": {
                "name": "ebsi",
                "type": "Accreditation",
                "uri": "TIR link towards accreditation"
            }
        }
    ],
    "grants": {
        "authorization_code": {
            "issuer_state": "eyJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDplYnNpOnpqSFpqSjRTeTdyOTJCeFh6RkdzN3FEI1Q2aVBNVy1rOE80dXdaaWQyOUd3TGUtTmpnNDBFNmpOVDdoZExwSjNaU2ciLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3NjYxNDIyODUsImV4cCI6MTc2NjE0MjU4NSwiYXVkIjoiaHR0cHM6Ly9hcGktY29uZm9ybWFuY2UuZWJzaS5ldS9jb25mb3JtYW5jZS92My9hdXRoLW1vY2siLCJjbGllbnRfaWQiOiJkaWQ6a2V5OnoyZG16RDgxY2dQeDhWa2k3SmJ1dU1tRllyV1BnWW95dHlrVVozZXlxaHQxajlLYnBGZGp6aXVFZ005a0NCNXdvSnI2a29ldmo0UkZNVE5SWXcyNHYyNUh3SnNvaGZwTlpLR0xjM1Npc2ZRS3lCOG5odHNZcWFoNDg1eDVuRUtRcDVNdHRLZnVjZnBOblRmZGJGTWpTMnVIbzlrUHpRblBwUDhDWmZ3ZG9LemFua1lOQVEiLCJjcmVkZW50aWFsX3R5cGVzIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiQ1RXYWxsZXRTYW1lQXV0aG9yaXNlZEluVGltZSJdLCJpc3MiOiJodHRwczovL2FwaS1jb25mb3JtYW5jZS5lYnNpLmV1L2NvbmZvcm1hbmNlL3YzL2lzc3Vlci1tb2NrIiwic3ViIjoiZGlkOmtleTp6MmRtekQ4MWNnUHg4VmtpN0pidXVNbUZZcldQZ1lveXR5a1VaM2V5cWh0MWo5S2JwRmRqeml1RWdNOWtDQjV3b0pyNmtvZXZqNFJGTVROUll3MjR2MjVId0pzb2hmcE5aS0dMYzNTaXNmUUt5QjhuaHRzWXFhaDQ4NXg1bkVLUXA1TXR0S2Z1Y2ZwTm5UZmRiRk1qUzJ1SG85a1B6UW5QcFA4Q1pmd2RvS3phbmtZTkFRIn0.bhqWXbHBHNJ33DPehrt7yh8SK0yJmOQIpjJ7j9NJ40mj8b1IA4Sw-S5864KRGpM3RbcTk7UnOgoUBNvpvPsEDQ"
        }
    }
}

one made by KC like this ...

{
    "credential_issuer": "http://localhost:8080/realms/oid4vci",
    "credential_configuration_ids": [
        "CTWalletSameAuthorisedInTime"
    ]
}

Ignoring trust framework and issuer state, they essentially offer a credential of given configuration that can be found in the Issuer's metadata. Note, EBSI still uses Draft11 - an older version of the spec

I also wonder what to make of this, even without the offer anyone can access the issuer's metadata and then ...

send and AuthorizationRequest to get an auth code
exchange the auth code for an AccessToken
send a CredentialRequest using the scope references by the credential_config_id

No offer would ever be needed, which makes me wonder what it is good for in the first place?

One possible solution to this bypass, would be to somehow mark a credential_configuration as "offer required". In such case, the Issuer could reject the CredentialRequest when there is no CredentialOfferState for it - but that is not in the spec.

Here is the cred offer matrix that was considered

sberyozkin Dec 19, 2025

Thanks, indeed I see in the spec that in this case the wallet is supposed to figure it out itself which grant to use

No offer would ever be needed, which makes me wonder what it is good for in the first place?

This is probably related to another flow, where the Wallet user does not start with the Issuer (proxy) portal but with the verifier portal that requests a user to submit a credential, in my demo it goes like this:

Alice looking for a new software job and finds Best Software Company that accepts digital credentials:

Alice knows she became a Java Coder Champion recently so she selects a Java Coder Champion, and Best Software Company prepares a credential request screen with a QR code, this now goes the OpenID4VP route:

Alice is still at the Best Software Company website, and scans the QR code with her Wallet that gives control to her Wallet, Wallet logs Alice in:

(Wallet might login Alice in some other way, just a demo wallet is directly protected by Keycloak)

Next, Wallet tells Alice that the request credential is not available in her wallet and asks if she'd like to download it:

Now, Wallet redirects Alice to Keycloak requesting a required credential scope, using the authorization code flow - as per your description, and accesses the Keycloak to pull the credential:

and now Alice can choose what to submit/disclose to the verifier

tdiesler · 2025-12-20T07:30:33Z

tdiesler
Dec 20, 2025

I looked at this again and thought it might help to break it down into

Issuer creates a Credential Offer
Issuer sends the Credential Offer to the Holder
Holder consumes the Credential Offer

Issuer creates a Credential Offer

From the spec perspective, we have great liberty how to create the Credential Offer, specifically about the state the server maintains associated with the Credential Offer (CredentialOfferState).

The Credential Issuer makes a Credential Offer by allowing the End-User to invoke the Wallet using the Wallet's Credential Offer Endpoint defined in Section 12.1. For example, by clicking a link and/or rendering a QR code containing the Credential Offer that the End-User can scan in a wallet or an arbitrary camera application.

The EBSI Conformance Issuer for example has an endpoint like this ....

https://api-conformance.ebsi.eu/conformance/v3/issuer-mock/initiate-credential-offer?credential_type=CTWalletSamePreAuthorisedInTime&client_id=did%3Akey%3Az2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9KbnrjkJAASWPMxwUCqRLcuBnBisYBb5UMEpkxMRcY7DGzhbv3wueFoqCkZJQ7UvbnFFSNRc3AQtecQ7Lvb4FXe7dpso4Yqxz6aTAqfHbq5a8JmFp8AFHv1ofKt4QEPypJMqv&credential_offer_endpoint=https%3A%2F%2Fproxy.nessus-tech.io%3A8443%2Fwallet%2Ff17b2c3e9c26

Lets break it down ....

https://api-conformance.ebsi.eu/conformance/v3/issuer-mock - The credentialIssuer as found in the metadata
/initiate-credential-offer - A proprietary API path that does what it says (not defined by spec)
credential_type=CTWalletSamePreAuthorisedInTime - The credential configuration id
client_id=did:key:z2dmzD81... - The Holder's DID that the offer is targeted to (more about this below)
credential_offer_endpoint=https://example.com/wallet... - Deep link into the Holder's Wallet to receive a Credential Offer

So yes, with this particular issuer (and for the purpose of conformance testing) there is a way for the Holder to initiate the Credential Offer process. The somewhat awkward client_id parameter comes from SIOP IDToken exchange, which we currently don't support and is covered in greater detail in #44657. Worth mentioning perhaps: No Holder authorization is triggered by this request.

The EBSI Issuer then creates the Credential Offer and sends it to the credential_offer_endpoint. EBSI supports both ...

The Credential Offer contains a single URI query parameter, either credential_offer or credential_offer_uri

Here we would have the liberty to authorize the Holder. For example, we could require proof of possession of the key material that the did is derived from and that we can resolve that did to an actual OAUTH client_id for the given credential_type.

Since we are creating a CredentialOfferState it might be useful to do some authorization to protect ourselves from DOS attacks to this endpoint. Also, in the case of a pre-auth offer, it would be required to do so.

We currently have an endpoint that is similar to the above and we protect it by the create-credential-offer role, which allows an Issuer Proxy or the KC UI to initiate the offer process.

Issuer sends the Credential Offer to the Holder

The spec mentions four ways of doing so ...

display a link that the wallet can invoke
show a QR code that the wallet can scan
deliver the Credential Offer directly to the wallet's backend (see above)
some other out-of-band mechanism

Perhaps worth noting, that a Holder is not necessarily a natural person - it may be an institution or thing. The Issuer can therefore not assume that some interactive protocol has to happen to get the Credential Offer. The credential_offer_uri is the most portable means of delivering a Credential Offer - it must work as a simple HTTP GET.

Holder consumes the Credential Offer

Here we are bound by spec. When Holder has already received the Credential Offer we have two possible flows

pre-authorized
non pre-authorized

Get Credential Pre-Authorized

The Holder can get the Credential without any other form of authorization. i.e. the pre-auth code grants the right to fetch a specific Credential instance, which would have been created when the Issuer made the Credential Offer.

Because of that, it is feasible that the Issuer Proxy does not expose the OIDC credentials to Holder. All the necessary authorization already happened when the Issuer created the Credential Offer. The Holder would have a KC account with attributes that become Credential claim values, but not necessarily a login to that account.

Get Credential non Pre-Authorized

The image shows the IDToken handshake, which is required by EBSI. For this discussion however, we can replace that authorization flow by OAUTH Code Flow just the same

The TokenResponse may contain authorization_details that reference a specific credential id, which (as mentioned above) would have been created when the Issuer made the Credential Offer.

An authorization flow is necessary for the Holder to get the Credential associated with the Credential Offer.

With IDToken authorization (as required by EBSI) there would be no interactive authorization step with the Holder. Same as above - the Holder would have a KC account with attributes that become Credential claim values, but not necessarily a login to that account.

From the Issuer's perspective, it is sufficient to be able to map the Holder's DID to an existing account and to verify proof of possession for that DID.

I guess that's it from me - look forward to talking to you next year

cheers

0 replies

Integration of AIA to OID4VCI Pre-authorization code flow #44764

Uh oh!

mposolda Dec 9, 2025 Maintainer

Current way

Proposal

Variants

Replies: 9 comments · 34 replies

Uh oh!

Uh oh!

Uh oh!

mposolda Dec 9, 2025 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

mposolda Dec 10, 2025 Maintainer Author

Uh oh!

Uh oh!

mposolda Dec 12, 2025 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mposolda Dec 18, 2025 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

mposolda Dec 19, 2025 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mposolda Dec 19, 2025 Maintainer Author

Uh oh!

Uh oh!

mposolda Dec 19, 2025 Maintainer Author

Admin initiated-flow with "Required action" .

Admin-API initiated flow with the email

User initiated flow

mposolda
Dec 9, 2025
Maintainer

Replies: 9 comments 34 replies

mposolda Dec 9, 2025
Maintainer Author

mposolda Dec 10, 2025
Maintainer Author

mposolda Dec 12, 2025
Maintainer Author

mposolda Dec 18, 2025
Maintainer Author

mposolda Dec 19, 2025
Maintainer Author

mposolda Dec 19, 2025
Maintainer Author

mposolda
Dec 19, 2025
Maintainer Author