Issue Verifiable Credentials in the SD-JWT-VC format #25942 #27207
@wistefan Thanks! Added a few minor inline comments.
@tnorimat @francis-pouatcha do you please have opportunity to review as well?
|
||
DisclosureSpec.Builder disclosureSpecBuilder = DisclosureSpec.builder(); | ||
CredentialSubject credentialSubject = verifiableCredential.getCredentialSubject(); | ||
JsonNode claimSet = objectMapper.valueToTree(credentialSubject); |
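Review bot: objectMapper.valueToTree(credentialSubject) on the last line turns every property of the credential subject into the claim set, and nothing visible here filters it. SD-JWT reserves the claim names _sd and ... for its own structure, so a subject carrying either name should be rejected with a SigningServiceException before the DisclosureSpec is built.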
Question: Do we need to use JsonNode directly here or is it possible to use some Java class dedicated for this like we're doing in other places?
If JsonNode is really needed, is it at least possible to introduce constants for fields like iss, nbf, vct, _sd_alg and jti? I suppose things like iss, nbf, jti can be probably added directly to JsonWebToken class as they are quite generic. For others, probably into some JWT-VC specific class?
The JsonNode needs to be used, because the claims could be anything. However, I will introduce constants for the well-known attributes you mentioned
@wistefan Will be good. Thanks!
services/src/main/java/org/keycloak/protocol/oid4vc/issuance/signing/SigningProperties.java
@mposolda Yes, I will review the PR.
@@ -0,0 +1,312 @@ | |||
package org.keycloak.testsuite.oid4vc.issuance.signing; |
throw new SigningServiceException("SD-JWT only supports single type credentials."); | ||
} | ||
rootNode.put(VERIFIABLE_CREDENTIAL_TYPE_CLAIM, verifiableCredential.getType().get(0)); | ||
rootNode.put(SELECTIVE_DISCLOSURE_ALGORITHM_CLAIM, hashAlgorithm); |
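Review bot: the _sd_alg line writes hashAlgorithm into the token unchanged. SD-JWT expects this claim to hold a hash name from the IANA Named Information Hash Algorithm registry, such as sha-256, which differs from the JCA spelling SHA-256. Validate or normalise the configured value before rootNode.put(SELECTIVE_DISCLOSURE_ALGORITHM_CLAIM, hashAlgorithm), and fail with a SigningServiceException on anything unsupported.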
It might be
rootNode.put("_sd_alg", hashAlgorithm);
or
rootNode.put(IssuerSignedJWT.CLAIM_NAME_SD_HASH_ALGORITHM, hashAlgorithm);
I added review comments. Could you check them?
|
||
String jwt = new StringJoiner(".") | ||
// header | ||
.add(splittedToken[0]) |
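Review bot: .add(splittedToken[0]) reads the header segment with no check in these lines on how many parts the split produced, so a malformed token would fail with an ArrayIndexOutOfBoundsException instead of a clear message. Check the expected number of segments before indexing, and consider renaming splittedToken to splitToken.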
According to https://drafts.oauth.net/oauth-sd-jwt-vc/draft-ietf-oauth-sd-jwt-vc.html#name-jose-header, "typ" must be "vc+sd-jwt". How about checking it somewhere?
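One way to perform the typ check asked for above, as an added example that is not part of this PR or of Keycloak's code. It assumes Jackson is on the classpath; the class name, method names and sample token are hypothetical, and the signature segment is a dummy that is not verified here.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (hypothetical class): structural checks on an issued SD-JWT VC.
public class SdJwtVcHeaderCheck {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Decodes one base64url JWT segment into a JSON tree. */
    static JsonNode decodeSegment(String segment) throws Exception {
        return MAPPER.readTree(Base64.getUrlDecoder().decode(segment));
    }

    /** Returns the issuer-signed JWT payload after checking typ and vct. */
    static JsonNode checkIssuerJwt(String sdJwt) throws Exception {
        // Compact form: <issuer-signed JWT>~<disclosure>~...~[key binding JWT]
        String issuerJwt = sdJwt.split("~", -1)[0];
        String[] parts = issuerJwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("issuer-signed JWT must have 3 segments");
        }
        String typ = decodeSegment(parts[0]).path("typ").asText();
        if (!"vc+sd-jwt".equals(typ)) {   // value cited in the review comment
            throw new IllegalArgumentException("unexpected typ: " + typ);
        }
        JsonNode payload = decodeSegment(parts[1]);
        if (!payload.path("vct").isTextual()) {
            throw new IllegalArgumentException("vct claim missing or not a string");
        }
        return payload;
    }

    /** Builds a constructed sample token with a dummy signature and no disclosures. */
    static String sample(String headerJson, String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8)) + ".c2ln~";
    }

    public static void main(String[] args) throws Exception {
        String payload = "{\"iss\":\"https://issuer.example\",\"vct\":\"ExampleCredential\",\"_sd_alg\":\"sha-256\"}";
        String ok = sample("{\"alg\":\"ES256\",\"typ\":\"vc+sd-jwt\"}", payload);
        System.out.println("accepted vct: " + checkIssuerJwt(ok).get("vct").asText());
        try {
            checkIssuerJwt(sample("{\"alg\":\"ES256\",\"typ\":\"JWT\"}", payload));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```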
I will be proceeding with a review this weekend.
services/src/main/java/org/keycloak/protocol/oid4vc/issuance/signing/SdJwtSigningService.java
@tnorimat Not sure if we are talking about the same things, but I want to include the well-known endpoints in the PR for #25940. Thus, no endpoints are included in the signing service PRs
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
…igning/SdJwtSigningService.java Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com> Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
@wistefan @tnorimat @francis-pouatcha Thanks for the updates and review of this PR!
Adds support for the SD-JWT Format
closes #25942