Hi Keycloak Community,

for my customer, i am currently exploring the EUDI-Wallet Ecosystem and how to use Verifiable Credentials to authenticate users using Keycloak. As part of this, i have created a prototype OID4VC/VP identity provider implementation. It uses the OpenID for Verifiable Presentations 1.0 specification to talk to a wallet (same device via link, cross device via qr code or W3C Digital Credentials API), request a credential presentation via a DCQL query and verifies the credential using a configurable certificate trust list (right now just a attribute of the IdP).

What are your (especially the maintainer's) thoughts about this? What would your minimum requirements be to add this to Keycloak?

Summary of my approach:

• Implements the Keycloak identity_provider SPI
• Allows to configure a certificate for x509_hash or x509_san_dns authentication with the wallet (new client_id schemes for OID4VC - VP)
• Supports direct_post response_mode as well as direct_post.jwt for encrypted responses (with ephemeral encryption keys stored in auth session, but could use keys from keycloak realm as well)
• Supports dcql_query in the authorization request or using request objects (stored as single use objects)
• Allows to configure a verifier_info to send to the wallet for authentication (used in EUDI-Wallet for registration_cert for example)
• Allows to configure a certificate trust list for credential verification
• DCQL is built from all mappers configured for the IdP as well as IdP properties (subject claim, credential type, credential format i.e. sd-jwt/mdoc, verifier_info, ...)

What do you think?