25940 support credentials issuance through oid4vci

[wistefan]

Implements the OID4VCI endpoints and the Pre-Authorized Code Grant to allow issuance of verifiable credentials

closes #25940

[keycloak-github-bot]

Unreported flaky test detected, please review

[keycloak-github-bot]

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromHttp

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:307)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

Report flaky test

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithInvalidSignatureCRL

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:307)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

Report flaky test

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginWithMultipleRevocationLists

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:307)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

Report flaky test

[wistefan]

Hi,
I have run OID4VCIssuerEndpointTest on “25940-support-credentials-issuance-through-oid4vci” branch. I found out something wrong, so let me share that here.
OID4VCIssuerEndpointTest , as it is committed, goes well actually. But I have tried to dig deeper and added some assert statement(*) in requestOffer method for checking inside vc. Then it looked something going wrong.
Here is what happens: Some claims, which is supposed to be in vc object, is missing like below.

{
"nbf" : 1712172643,
"jti" : "urn:uuid:b9ca7966-5841-4087-b9ee-526e19bad68b",
"iss" : "did:web:test.org",
"vc" : {
"type" : [ "VerifiableCredential" ],
"issuer" : "did:web:test.org",
"issuanceDate" : 1712172643192,
"credentialSubject" : { }
}

Maybe it is because mapper is not called properly, where it should be.
OID4VCIssuerEndpoint with getCredential method tries to fetch OID4VCMapper from session with “session.getAllProviders(OID4VCMapper.class)”. But actually it gets empty object and as a result no mapper gets called there.
(*) FYI, added assert statements are something like below at the very last of the requestOffer method in OID4VCIssuerEndpointTest.

        JsonWebToken jsonWebToken = TokenVerifier.create((String) credentialResponse.getCredential(), JsonWebToken.class).getToken();
        assertEquals("did:web:test.org", jsonWebToken.getIssuer());

        VerifiableCredential credential = new ObjectMapper().convertValue(jsonWebToken.getOtherClaims().get("vc"), VerifiableCredential.class);
        assertEquals(List.of("VerifiableCredential"), credential.getType());
        assertEquals(URI.create("did:web:test.org"), credential.getIssuer());
        assertEquals("john@email.cz", credential.getCredentialSubject().getClaims().get("email"));

Hi, thank you, I will check whats happening.

@bucchi
I fixed it in 7beca5e and added your assertions.

[ahus1]

@wistefan - thank, now I understand you situation better. If you run into problems running the test locally, I'm happy to lend a hand for that. Sorry for my comment here which was more harsh than it should have been.

To use the GitHub actions to run the tests, you can start a PR as "draft" and then only those people you mention will get notifications. The notifications to all code owners are then sent out only once you mark it "ready for review".

If you start it as "read to review", and then later switch it to "draft", maintainers will still get notifications, but they can unsubscribe until you switch it to "read for review again".

Best,
Alexander

[wistefan]

@wistefan Thank you for your work. Some CI tests failed. Before reviewing the PR, could you revise codes to pass these tests?

@tnorimat I fixed the tests in 3372d3c. The issue happend, because enabling the OID4VCI feature for the test worked on the default test environment(with undertow) but on quarkus(the auth server used in the CI) requires a restart.

[tnorimat]

@wistefan Hello, I am back from my business trip in Europe. I will review the PR in this week.

[mposolda]

@wistefan This is great stuff!

The PR is a bit bigger and I did not reviewed extensively all the aspects of the protocol. Relying on the review of @tnorimat, @francis-pouatcha and @babisRoutis for that. Thanks to all of you for the review!

But overally, seems to me as great stuff. I've added some comments inline (none of them is probably blocker of this PR and some are more a questions, but if you can address them, it can be nice).

Besides that, I hope to merge once @tnorimat reviews and approves this PR.

[tnorimat]

@wistefan Hello,
I partially reviewed the PR and add some comments Could you check them?

Also, I need more time to complete the PR because the size of codes of the PR is big as @mposolda said. I will do my best for it in the week.

[tnorimat]

2016 might be 2024

[wistefan]

Fixed in bbdb87f

[tnorimat]

Thank you.

[tnorimat]

short-lifed might be short-lived

[wistefan]

Fixed in bbdb87f

[tnorimat]

Thank you.

[tnorimat]

OID4VCClientRegistrationProvider might not be used in the class.

[wistefan]

Fixed in bbdb87f

[tnorimat]

Thank you.

[tnorimat]

L79-80 mighit be the same as L75-76. Is this duplication needed?

[wistefan]

Fixed in bbdb87f

[tnorimat]

Thank you.

[tnorimat]

ClientSessionContext might be better instead of DefaultClientSessionContext

[wistefan]

Fixed in bbdb87f

[tnorimat]

Thank you.

[tnorimat]

It seems that tests do not access Credential Endpoint to get a verifiable credential in return for an access token. I think we need to test this point.

Would you intend not to do such the tests in the PR, but do suche tests in the follwoing PR after the PR is mereged?

[wistefan]

I see the actual credential retrieval rather as part of the OID4VCIssuerEndpointTest(where I do test exactly what you mentioned).

[tnorimat]

Thank you for the clarification.

[tnorimat]

@wistefan I completed the review of the PR. I added some comments. Could you check them?

[tnorimat]

Could you tell me why OID4VCI specific client OID4VCClient is needed? Compared with a normal client OIDCClientRepresentation, OID4VCClient' adds the following field:

/** * Comma-separated list of supported credentials types */ private List<SupportedCredentialConfiguration> supportedVCTypes;
If so, adding it onto OIDCClientRepresentation is also an option.

[wistefan]

Hi, I´m not sure if I fully understand. Beside the supportedVCTypes, it also adds the did of the client. Its used to provide the ability to create credentials focused for clients supporting OID4VC standards, not neccessarily OIDC. Mixing both might be confusing, especially if one only supports one of them.

[tnorimat]

Thank you for the clarification.

[tnorimat]

Keycloaks might be Keycloak's

[wistefan]

Fixed in 940c4af

[tnorimat]

Thank you.

[tnorimat]

OIDCLoginProtocolFactory returns an instance of OIDCLoginProtocol.
Is it OK to return null here?

[wistefan]

We currently support to login with oid4vp in keycloak, thus no such protocl is implemented. As far as I understand this means returning null here is ok.

[tnorimat]

Thank you for the clarification.

[tnorimat]

According to https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1.3 ,
The format of credential_offer_uri is String.
Could you tell me why the PR defines credential_offer_uri as the class (issuer, nonce). ?

[wistefan]

I decided to build it that way, since the retrieval endpoint for that credential_offer_uri is not defined in the spec, just the way how it should be shown to a wallet(from my understanding). We use it to generate the string in the frontend for the qr from it. However, we could add a plain/text endpoint, too, if you think its valuable

[tnorimat]

Thank you for the clarification.

[tnorimat]

According to https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-7.3.1.2 , error types are as follows:

invalid_credential_request
unsupported_credential_type
unsupported_credential_format
invalid_proof
invalid_encryption_parameters

[wistefan]

Probably something changed to an older draft again, I'll updated 940c4af

[tnorimat]

Thank you.

[tnorimat]

It seems that it is not used.

[wistefan]

Fixed in 42f5903

[tnorimat]

Thank you.

[tnorimat]

Why it is not used in PreAuthorizedGrantTest ?

[wistefan]

Because I wanted to make the usage of the api and its parameters more explicit in the test. E.g. for testing the PreAuthorizedToken Feature, I build the requests in the test, for using the feature in other tests(e.g. the OID4VCI tests), I use the helper method here.

[tnorimat]

Thank you for the clarification.

[tnorimat]

L76 and L78 are opposite.

[wistefan]

Amazing, how are you able to spot such thing!?:) Fixed in 42f5903

[tnorimat]

Thank you.

[tnorimat]

It seems that it is not used.

[wistefan]

Fixed in 42f5903

[tnorimat]

Thank you.

[tnorimat]

It seems that it is not used.

[wistefan]

Fixed in 42f5903

[tnorimat]

Thank you.

[tnorimat]

LGTM.

[tnorimat]

@wistefan Thank you very much for your work.
@mposolda Could you re-check the PR and merge it if it is OK?

[mposolda]

@wistefan @tnorimat @francis-pouatcha @babisRoutis Thanks everyone for the update and review of this PR!