[OID4VCI] Ensure openid_credential is one of authorization_details_types_supported on the Authorization Server metadata
#43599
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9eaca64 to
48b4e5e
Compare
943a99a to
d1705bb
Compare
…ported` on the Authorization Server metadata Closes keycloak#43398 Signed-off-by: Ingrid Kamga <[email protected]>
d1705bb to
4be13ab
Compare
mposolda
reviewed
Oct 22, 2025
|
|
||
| config.setAuthorizationResponseIssParameterSupported(true); | ||
|
|
||
| if (Profile.isFeatureEnabled(Profile.Feature.OID4VC_VCI) && realm.isVerifiableCredentialsEnabled()) { |
There was a problem hiding this comment.
Can we instead retrieve this from available providers? I mean something similar like we're doing for example for retrieve the available signatures? I suppose that something like this may work:
session.getKeycloakSessionFactory().getProviderFactoriesStream(AuthorizationDetailsProcessor.class)
.map(ProviderFactory::getId)
This automatically handles the case when OID4VC_VCI feature is disabled as in that case the provider factory will be unavailable.
It may also need to instantiate the processor and have new method on the AuthorizationDetailsProcessor like boolean isSupported() with the possible implementation for oid4vci like:
boolean isSupported() {
return session.getContext().getRealm().isVerifiableCredentialsEnabled();
}
This approach means that provider_id of the OID4VCAuthorizationDetailsProcessorFactory will need to be changed to be OID4VCAuthorizationDetailsProcessor.OPENID_CREDENTIAL_TYPE, but that is probably OK?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I'm sending this PR on behalf of @forkimenjeckayang, on vacation.
Closes #43398
Summary
This PR implements the OID4VC specification requirement to include
authorization_details_types_supportedin the OAuth Authorization Server metadata endpoint. This enables credential issuance usingauthorization_detailswhen scope is absent, as required by the OID4VC specification.Test Coverage
authorization_details_types_supportedis present and containsopenid_credentialauthorization_details