25940 support credentials issuance through oid4vci #27931
Files with review threads:
services/src/main/java/org/keycloak/protocol/oid4vc/model/CredentialIssuer.java
services/src/main/java/org/keycloak/protocol/oid4vc/model/SupportedCredential.java
services/src/main/java/org/keycloak/protocol/oid4vc/model/PreAuthorizedCode.java
services/src/main/java/org/keycloak/protocol/oid4vc/model/ErrorResponse.java
services/src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint.java
services/src/main/java/org/keycloak/protocol/oid4vc/issuance/mappers/OID4VCMapper.java
services/src/main/java/org/keycloak/protocol/oid4vc/issuance/mappers/OID4VCContextMapper.java
...ces/src/main/java/org/keycloak/protocol/oid4vc/issuance/mappers/OID4VCStaticClaimMapper.java
services/src/main/java/org/keycloak/protocol/oid4vc/model/OID4VCClient.java
services/src/main/java/org/keycloak/protocol/oid4vc/model/Role.java
Unreported flaky test detected, please review
If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromHttp (Keycloak CI - FIPS IT (strict))
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithInvalidSignatureCRL (Keycloak CI - FIPS IT (strict))
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginWithMultipleRevocationLists (Keycloak CI - FIPS IT (strict))
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
@wistefan - thanks, now I understand your situation better. If you run into problems running the test locally, I'm happy to lend a hand for that. Sorry for my comment here, which was more harsh than it should have been. To use the GitHub actions to run the tests, you can start a PR as "draft" and then only those people you mention will get notifications. The notifications to all code owners are then sent out only once you mark it "ready for review". If you start it as "ready for review" and later switch it to "draft", maintainers will still get notifications, but they can unsubscribe until you switch it to "ready for review" again. Best,
@tnorimat I fixed the tests in 3372d3c. The issue happened because enabling the OID4VCI feature for the test worked on the default test environment (with Undertow), but on Quarkus (the auth server used in the CI) it requires a restart.
@wistefan Hello, I am back from my business trip in Europe. I will review the PR in this week. |
@wistefan This is great stuff!
The PR is a bit bigger and I did not review all the aspects of the protocol extensively. Relying on the review of @tnorimat, @francis-pouatcha and @babisRoutis for that. Thanks to all of you for the review!
But overall, it seems to me like great stuff. I've added some comments inline (none of them is probably a blocker for this PR and some are more questions, but if you can address them, it would be nice).
Besides that, I hope to merge once @tnorimat reviews and approves this PR.
Files with review threads:
...s/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java
services/src/main/java/org/keycloak/protocol/oid4vc/OID4VCLoginProtocolFactory.java
services/src/main/java/org/keycloak/protocol/oid4vc/issuance/mappers/OID4VCMapper.java
@@ -0,0 +1,19 @@ | |||
# | |||
# Copyright 2016 Red Hat, Inc. and/or its affiliates |
2016
might be 2024
Fixed in bbdb87f
Thank you.
* | ||
* @param session - keycloak session to be used | ||
* @param authenticatedClientSession - client session to be persisted | ||
* @param expirationTime - expiration time of the code, the code should be short-lifed |
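Review bot: the `@param expirationTime` doc in this Javadoc hunk says only that the code should be short-lived; it does not state whether the value is a lifetime in seconds or an absolute timestamp, nor whether a code is consumed on first use. Spell out the unit and the single-use expectation here, since whoever sizes the lifetime of a pre-authorized code needs both.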
short-lifed
might be short-lived
Fixed in bbdb87f
Thank you.
import org.keycloak.events.EventType; | ||
import org.keycloak.models.AuthenticatedClientSessionModel; | ||
import org.keycloak.models.KeycloakSession; | ||
import org.keycloak.protocol.oid4vc.OID4VCClientRegistrationProvider; |
OID4VCClientRegistrationProvider
might not be used in the class.
Fixed in bbdb87f
Thank you.
session.getContext().setClient(result.getClientSession().getClient()); | ||
|
||
|
||
// set the client as retrieved from the pre-authorized session |
L79-80 might be the same as L75-76. Is this duplication needed?
Fixed in bbdb87f
Thank you.
Response.Status.BAD_REQUEST); | ||
} | ||
AuthenticatedClientSessionModel clientSession = result.getClientSession(); | ||
DefaultClientSessionContext sessionContext = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, |
ClientSessionContext
might be better instead of DefaultClientSessionContext
Fixed in bbdb87f
Thank you.
import static org.junit.Assert.assertEquals; | ||
|
||
@EnableFeature(value = Profile.Feature.OID4VC_VCI, skipRestart = true) | ||
public class PreAuthorizedGrantTest extends AbstractTestRealmKeycloakTest { |
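Review bot: `@EnableFeature(value = Profile.Feature.OID4VC_VCI, skipRestart = true)` on `PreAuthorizedGrantTest` conflicts with the finding reported earlier in this thread that enabling the feature takes effect without a restart on the Undertow test server but not on the Quarkus server used in CI; with `skipRestart = true` the grant type can be missing there and the test runs against a server without the feature. Drop `skipRestart`, or restrict it to the Undertow setup.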
It seems that the tests do not access the Credential Endpoint to get a verifiable credential in return for an access token. I think we need to test this point.
Do you intend not to do such tests in this PR, but to do them in a following PR after this PR is merged?
I see the actual credential retrieval rather as part of the OID4VCIssuerEndpointTest (where I do test exactly what you mentioned).
Thank you for the clarification.
@wistefan I completed the review of the PR. I added some comments. Could you check them?
* | ||
* @author <a href="https://github.com/wistefan">Stefan Wiedemann</a> | ||
*/ | ||
public class OID4VCClientRegistrationProvider extends AbstractClientRegistrationProvider { |
Could you tell me why an OID4VCI-specific client OID4VCClient is needed? Compared with a normal client OIDCClientRepresentation, OID4VCClient adds the following field:
/**
 * Comma-separated list of supported credentials types
 */
private List<SupportedCredentialConfiguration> supportedVCTypes;
If so, adding it onto OIDCClientRepresentation is also an option.
Hi, I'm not sure if I fully understand. Besides the supportedVCTypes, it also adds the did of the client. It's used to provide the ability to create credentials focused on clients supporting OID4VC standards, not necessarily OIDC. Mixing both might be confusing, especially if one only supports one of them.
Thank you for the clarification.
|
||
/** | ||
* Implementation of the {@link ClientRegistrationProviderFactory} to integrate the OID4VC protocols with | ||
* Keycloaks client-registration. |
Keycloaks
might be Keycloak's
Fixed in 940c4af
Thank you.
|
||
@Override | ||
public LoginProtocol create(KeycloakSession session) { | ||
return null; |
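Review bot: `create(KeycloakSession)` returning `null` turns any lookup of a `LoginProtocol` for this factory's protocol name into a null dereference rather than a clear failure. If the factory exists only to hook client registration and the mappers and no login flow is intended, make that explicit: throw an `UnsupportedOperationException` with a message, or document the null contract on the factory, so a client misconfigured with this protocol fails at the call site instead of as a NullPointerException deep in the login flow.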
OIDCLoginProtocolFactory returns an instance of OIDCLoginProtocol.
Is it OK to return null here?
We currently support to login with oid4vp in keycloak, thus no such protocol is implemented. As far as I understand this means returning null here is ok.
Thank you for the clarification.
* @author <a href="https://github.com/wistefan">Stefan Wiedemann</a> | ||
*/ | ||
@JsonInclude(JsonInclude.Include.NON_NULL) | ||
public class CredentialOfferURI { |
According to https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1.3 , the format of credential_offer_uri is String.
Could you tell me why the PR defines credential_offer_uri as a class (issuer, nonce)?
I decided to build it that way, since the retrieval endpoint for that credential_offer_uri is not defined in the spec, just the way it should be shown to a wallet (from my understanding). We use it to generate the string for the QR code in the frontend. However, we could add a plain/text endpoint, too, if you think it's valuable.
Thank you for the clarification.
* | ||
* @author <a href="https://github.com/wistefan">Stefan Wiedemann</a> | ||
*/ | ||
public enum ErrorType { |
According to https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-7.3.1.2 , error types are as follows:
invalid_credential_request
unsupported_credential_type
unsupported_credential_format
invalid_proof
invalid_encryption_parameters
Probably something changed to an older draft again; I've updated it in 940c4af.
Thank you.
@@ -58,6 +58,8 @@ | |||
import org.keycloak.models.utils.KeycloakModelUtils; | |||
import org.keycloak.protocol.oidc.OIDCLoginProtocol; | |||
import org.keycloak.protocol.oidc.OIDCLoginProtocolService; | |||
import org.keycloak.protocol.oidc.grants.PreAuthorizedCodeGrantType; |
It seems that it is not used.
Fixed in 42f5903
Thank you.
@@ -790,6 +793,27 @@ public AccessTokenResponse doClientCredentialsGrantAccessTokenRequest(String cli | |||
} | |||
} | |||
|
|||
public AccessTokenResponse doPreauthorizedTokenRequest(String preAuthorizedCode) throws Exception { |
Why is it not used in PreAuthorizedGrantTest?
Because I wanted to make the usage of the API and its parameters more explicit in the test. E.g. for testing the PreAuthorizedToken feature, I build the requests in the test; for using the feature in other tests (e.g. the OID4VCI tests), I use the helper method here.
Thank you for the clarification.
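The two threads above (the credential offer that the frontend turns into a QR code, and the pre-authorized token request that the test helper posts) describe one end-to-end flow, shown here as an added, self-contained Python sketch. This is example code written for this page, not Keycloak's implementation: the issuer URL, the in-memory code and token stores, the 30-second lifetime and all values are constructed assumptions, and the message shapes follow the OID4VCI draft (the `openid-credential-offer://` URI, the `urn:ietf:params:oauth:grant-type:pre-authorized_code` grant type, the `unsupported_credential_type` error listed in the review) with the credential request simplified to a single `credential_configuration_id` field. It also goes beyond the thread by showing the checks an issuer applies at the token endpoint: expiry, single use and a uniform error for all rejected codes.

```python
import json
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Grant type URN and offer URI scheme from the OID4VCI draft; the issuer URL,
# the in-memory stores and every value below are constructed for this example.
PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
OFFER_SCHEME = "openid-credential-offer"
ISSUER = "https://issuer.example/realms/demo"  # assumed issuer base URL


@dataclass
class CodeRecord:
    client_id: str
    credential_ids: list
    expires_at: float
    used: bool = False


class PreAuthorizedIssuer:
    """Issuer side: mints short-lived, single-use pre-authorized codes, exchanges
    them at the token endpoint, and serves the credential endpoint."""

    def __init__(self, code_lifetime_s=30, clock=time.time):
        self.code_lifetime_s = code_lifetime_s  # seconds; the code is meant to be short-lived
        self.clock = clock                      # injectable so expiry can be tested
        self._codes = {}                        # pre-authorized_code -> CodeRecord
        self._tokens = {}                       # access_token -> CodeRecord

    def create_offer(self, client_id, credential_ids):
        """Build the credential offer object that the frontend renders as a QR code."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, list(credential_ids),
                                       self.clock() + self.code_lifetime_s)
        return {
            "credential_issuer": ISSUER,
            "credential_configuration_ids": list(credential_ids),
            "grants": {PRE_AUTH_GRANT: {"pre-authorized_code": code}},
        }

    def token_endpoint(self, form):
        """Token request as posted form fields; returns (http_status, json_body)."""
        if form.get("grant_type") != PRE_AUTH_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        rec = self._codes.get(form.get("pre-authorized_code", ""))
        # Unknown, expired and replayed codes all fail with the same error so the
        # response does not tell a caller which case it hit.
        if rec is None or rec.used or rec.expires_at < self.clock():
            return 400, {"error": "invalid_grant"}
        rec.used = True  # single use: presenting the same code again fails above
        token = secrets.token_urlsafe(32)
        self._tokens[token] = rec
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 300,
                     "c_nonce": secrets.token_urlsafe(16), "c_nonce_expires_in": 300}

    def credential_endpoint(self, authorization, body):
        """Credential request; the bearer token limits issuance to the offered ids."""
        scheme, _, token = authorization.partition(" ")
        rec = self._tokens.get(token) if scheme == "Bearer" else None
        if rec is None:
            return 401, {"error": "invalid_token"}
        wanted = body.get("credential_configuration_id")
        if wanted not in rec.credential_ids:
            return 400, {"error": "unsupported_credential_type"}
        # A real issuer would sign a VC here; this returns a placeholder payload.
        return 200, {"credential": f"{wanted} issued to {rec.client_id}"}


def offer_to_uri(offer):
    """Encode the offer by value into the URI a wallet scans (QR code content)."""
    return f"{OFFER_SCHEME}://?" + urlencode(
        {"credential_offer": json.dumps(offer, separators=(",", ":"))})


def parse_offer_uri(uri):
    """Wallet side: recover the offer object from the scanned URI."""
    parsed = urlparse(uri)
    if parsed.scheme != OFFER_SCHEME:
        raise ValueError("not a credential offer URI")
    return json.loads(parse_qs(parsed.query)["credential_offer"][0])


def wallet_redeem(issuer, uri):
    """Wallet side: scan the offer, redeem the code, then request the credential."""
    offer = parse_offer_uri(uri)
    code = offer["grants"][PRE_AUTH_GRANT]["pre-authorized_code"]
    status, tok = issuer.token_endpoint(
        {"grant_type": PRE_AUTH_GRANT, "pre-authorized_code": code})
    if status != 200:
        return status, tok
    return issuer.credential_endpoint(
        "Bearer " + tok["access_token"],
        {"credential_configuration_id": offer["credential_configuration_ids"][0]})
```

The issuer keeps the code-to-client binding server-side, so the access token minted from a code can only obtain the credential ids that were in that offer; a wallet that redeems a scanned code but asks for a different credential gets `unsupported_credential_type`, and a second redemption of the same code gets the same `invalid_grant` as an expired or unknown one.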
@@ -53,7 +52,7 @@ | |||
import static org.junit.Assert.fail; | |||
|
|||
|
|||
public class JwtSigningServiceTest extends SigningServiceTest { | |||
public class JwtSigningServiceTest extends OID4VCTest { |
L76 and L78 are opposite.
Amazing, how are you able to spot such a thing!? :) Fixed in 42f5903
Thank you.
import org.keycloak.common.util.CertificateUtils; | ||
import org.keycloak.common.util.KeyUtils; | ||
import org.keycloak.common.util.MultivaluedHashMap; | ||
import org.keycloak.common.util.PemUtils; | ||
import org.keycloak.crypto.KeyUse; | ||
import org.keycloak.crypto.KeyWrapper; | ||
import org.keycloak.models.KeycloakSession; | ||
import org.keycloak.models.utils.KeycloakModelUtils; | ||
import org.keycloak.protocol.oid4vc.OID4VCClientRegistrationProviderFactory; |
It seems that it is not used.
Fixed in 42f5903
Thank you.
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; | ||
import org.keycloak.testsuite.arquillian.annotation.EnableFeature; | ||
import org.keycloak.testsuite.util.RoleBuilder; |
It seems that it is not used.
Fixed in 42f5903
Thank you.
LGTM.
@wistefan @tnorimat @francis-pouatcha @babisRoutis Thanks everyone for the update and review of this PR!
Implements the OID4VCI endpoints and the Pre-Authorized Code Grant to allow issuance of verifiable credentials
closes #25940