feat(auth): configurable OpenID4VCI request profiles with built-in AET profile#4340
Draft
reinkrul wants to merge 3 commits into
Draft
feat(auth): configurable OpenID4VCI request profiles with built-in AET profile#4340reinkrul wants to merge 3 commits into
reinkrul wants to merge 3 commits into
Conversation
Member
Author
|
We should consider moving the authorization request initiator code to the OAuth2 client, because there's too much coupling between API and module now. |
Contributor
|
Coverage Impact ⬆️ Merging this pull request will increase total coverage on Modified Files with Diff Coverage (3)
🛟 Help
|
55cac88 to
078e890
Compare
…T profile Add named request profiles selected via a new 'profile' field on the requestCredential API. A profile (auth.experimental.profile.<name>.authrequest, map[string][]string) sets authorization request parameters. The built-in 'aet' profile (AET UZI smartcard issuer) ships via DefaultConfig with auth_method=SmartCard and scope='openid profile api'; operator config of the same name is layered over it. Apply order on the authorization request: node parameters -> profile authrequest (trusted config, may override node parameters, multi-valued) -> authorization_request_params (may only add; still cannot override node parameters). Unknown profile is rejected with 400. Also adds .claude/worktrees/ to .gitignore. Implements #4338. Assisted by AI
078e890 to
533c6b1
Compare
reinkrul
added a commit
that referenced
this pull request
Jun 10, 2026
…faultConfig Revert the temporary hardcoded AET scope on the OpenID4VCI authorization request (issuance now relies on the request profile). Move the built-in 'aet' profile from a separate builtinProfiles var into DefaultConfig and simplify AuthorizationRequestProfile to a plain lookup, matching the master-targeting implementation (#4338 / #4340). Assisted by AI
This was referenced Jun 10, 2026
Profiles (see previous commit) replace the raw authorization_request_params escape hatch: issuers that need extra authorization parameters get a named, curated profile instead of callers spelling out parameters themselves. Removes the field, its handling, and its tests, folding in the change from #4349.
The OpenID4VCI request flow is already marked EXPERIMENTAL at the API and config level, so repeating it on individual fields/comments/doc strings added noise. Also drops the now-stale "node parameters" framing from the authorization-request comment, which only made sense as a contrast with the removed authorization_request_params field.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Implements #4338.
What
Adds named request profiles. A profile is a curated bundle of request parameters selected by name, so callers (EHRs) don't have to spell out issuer-specific parameters themselves.
profilefield on therequestCredentialbody.auth.experimental.profile.<name>.authrequest(map[string][]string) sets authorization request parameters.aetprofile (AET UZI smartcard issuer) is provided viaDefaultConfig():auth_method=SmartCard,scope="openid profile api". Operator config under the same name is layered over the default by normal config loading.authorization_request_paramsfield added in feat(auth): add authorization_request_params to OpenID4VCI requestCredential API #4333: profiles replace it as the way issuers get extra authorization parameters, so the raw escape hatch is no longer needed. Supersedes Revert "feat(auth): add authorization_request_params to OpenID4VCI requestCredential API (#4333)" #4349, which reverted feat(auth): add authorization_request_params to OpenID4VCI requestCredential API #4333 separately.{ "issuer": "https://issuer.example.com/oauth", "wallet_did": "did:web:example.com", "authorization_details": [ { "type": "openid_credential", "credential_configuration_id": "..." } ], "redirect_uri": "https://example.com/oauth2/org1/callback", "profile": "aet" }-> redirect:
.../authorize?...&auth_method=SmartCard&scope=openid+profile+api.Behavior
authrequest(trusted config, may override them, multi-valued).authrequestismap[string][]string-> a single value renders as one query parameter; multiple values render as repeated parameters.profile-> unchanged behavior. Fully additive.Changes
auth/config.go:ExperimentalConfig.Profiles+ProfileConfig; built-inaetinDefaultConfig.auth/auth.go+auth/interface.go(+ regenerated mocks):AuthorizationRequestProfilelookup.docs/_static/auth/v2.yaml+make gen-api:profilerequest field; removesauthorization_request_params.auth/api/iam/openid4vci.go: resolve + apply the profile (multi-value query) inRequestOpenid4VCICredentialIssuance; drops theauthorization_request_paramshandling.auth), handler (auth/api/iam: profile applied, unknown profile rejected; authorization_request_params tests removed).Notes
project-gf-pilot(where it sits on top of the client-auth work).Assisted by AI