auth: forward credential_request_params as overlay on OpenID4VCI Credential Request #4236
The LSPxNuts spec called this the

    {
      "credential_configuration_id": "PatientEnrollmentCredential",
      "proof": {
        "proof_type": "jwt",
        "jwt": "eyJ0eXAiOiJvcGVuaWQ0dmNpLXByb29mK2p3dCIsImFsZyI6IkVTMjU2Iiwia2lkIjoiZGlkOndlYjpodWlzYXJ0cy1kZWxpbmRlbi5ubCNhdXRoLWtleS0xIn0.eyJhdWQiOiJodHRwczovL3Nkay1zZXJ2aWNlLmludGVybi56b3JnaW5zdGVsbGluZy5ubCIsImlhdCI6MTc0MDAwMDAwMCwibm9uY2UiOiJhYmMxMjMifQ.kort-handtekening"
      },
      "credential_subject_data": {
        "@context": "http://gis-nl.example/context/v1",
        "@type": "HealthcareProvider",
        "hasEnrollment": {
          "patient": {
            "@type": "Patient",
            "identifier": {
              "@type": "Identifier",
              "system": "http://fhir.nl/fhir/NamingSystem/bsn",
              "value": "999911234"
            }
          }
        }
      }
    }

I see why this currently works, since the SDK doesn't implement this API yet, but I'm reluctant to merge this into master just because we need it now, knowing its shape is suboptimal and will change any moment.
stevenvegt
left a comment
Needs docs for the nuts-node.readthedocs.
You dropped the EXPERIMENTAL from the endpoint description, why?
Do I understand correctly that in order to issue the LSP credentials, I can just put this

    "credential_details": {
      "credential_subject_data": {
        "@context": "http://gis-nl.example/context/v1",
        "@type": "HealthcareProvider",
        "hasEnrollment": {
          "patient": {
            "@type": "Patient",
            "identifier": {
              "@type": "Identifier",
              "system": "http://fhir.nl/fhir/NamingSystem/bsn",
              "value": "999911234"
            }
          }
        }
      }
    }

in the body, and that this will be added to the credential request?
Since this is overwriting any value in the credential request, shouldn't this be named something like credential_request_overwrites?
6bcbf20 to 96d6b75
…ential Request

Allow callers of the internal token-request flow to pass non-spec credential request parameters (credential_request_params) that the node merges on top of its own credential request body. Node-built fields (e.g. proofs) take precedence; everything else from credential_request_params overrides node defaults. The request body is now assembled as a map and marshalled once, which made the overlay merge straightforward.

Assisted by AI
96d6b75 to 3c6386e

Closes #4233.
Summary
- credential_request_params (JSON object) to POST /internal/auth/v2/{subjectID}/request-credential.
- credential_configuration_id/credential_identifier/proofs) overrides the node's default. The caller takes responsibility for the resulting wire shape.
- OAuthSession.CredentialRequestParams between the redirect and credential-fetch steps.
- RequestCredentialOpts in auth/openid4vci gains a CredentialRequestParams field; RequestCredential builds the body as map[string]any and overlays the caller's values last.

Lets the wallet talk to issuers that accept additional fields, or override the credential request entirely.
Wire body
Final body sent to the issuer's Credential Endpoint:
Test plan
- ok - credential_request_params persisted into session asserts the field round-trips through the session store
- ok - credential_request_params from session forwarded to credential endpoint asserts the value reaches the credential client
- CredentialRequestParams overrides node-built defaults asserts the wire body: caller values win over node defaults for spec-defined fields
- go build ./..., go test ./auth/...

Assisted by AI
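
The overlay described in the summary above (body built as map[string]any, caller's values applied last), as an added Go example that is not nuts-node's code: buildCredentialRequest, the sample values and the "proofs" wire shape are assumptions. It also returns which node-built keys the caller replaced, so an override of credential_configuration_id or proofs can be logged or rejected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// buildCredentialRequest is a hypothetical helper, not the project's code.
// It assembles the Credential Request as a map, overlays the caller's
// credential_request_params last (caller wins, shallow merge on top-level
// keys) and marshals once. The second return value lists the node-built
// keys that the overlay replaced, sorted, for audit logging or policy checks.
func buildCredentialRequest(configID, proofJWT string, params map[string]any) ([]byte, []string, error) {
	// Node defaults. The "proofs" shape here is an assumption for illustration.
	body := map[string]any{
		"credential_configuration_id": configID,
		"proofs":                      map[string]any{"jwt": []string{proofJWT}},
	}
	var overridden []string
	for key, value := range params {
		if _, nodeBuilt := body[key]; nodeBuilt {
			overridden = append(overridden, key)
		}
		body[key] = value // a whole top-level value is replaced, never deep-merged
	}
	sort.Strings(overridden)
	wire, err := json.Marshal(body)
	return wire, overridden, err
}

func main() {
	// Constructed sample input, modelled on the JSON quoted in the review thread.
	params := map[string]any{
		"credential_configuration_id": "PatientEnrollmentCredential",
		"credential_subject_data":     map[string]any{"@type": "HealthcareProvider"},
	}
	wire, overridden, err := buildCredentialRequest("NodeDefaultCredential", "PROOF_JWT_PLACEHOLDER", params)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(wire))
	fmt.Println("node-built keys replaced by caller:", overridden)
}
```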