Skip to content

feat(auth): configurable OpenID4VCI request profiles with built-in AET profile#4340

Draft
reinkrul wants to merge 3 commits into
masterfrom
feature/openid4vci-request-profiles
Draft

feat(auth): configurable OpenID4VCI request profiles with built-in AET profile#4340
reinkrul wants to merge 3 commits into
masterfrom
feature/openid4vci-request-profiles

Conversation

@reinkrul

@reinkrul reinkrul commented Jun 9, 2026

Copy link
Copy Markdown
Member

Implements #4338.

What

Adds named request profiles. A profile is a curated bundle of request parameters selected by name, so callers (EHRs) don't have to spell out issuer-specific parameters themselves.

auth:
  experimental:
    profile:
      aet:
        authrequest:
          auth_method: [SmartCard]
          scope: ["openid profile api"]
{
  "issuer": "https://issuer.example.com/oauth",
  "wallet_did": "did:web:example.com",
  "authorization_details": [ { "type": "openid_credential", "credential_configuration_id": "..." } ],
  "redirect_uri": "https://example.com/oauth2/org1/callback",
  "profile": "aet"
}

-> redirect: .../authorize?...&auth_method=SmartCard&scope=openid+profile+api.

Behavior

  • Apply order on the authorization request: parameters the node always sets (state, client_id, etc.) first, then the profile's authrequest (trusted config, may override them, multi-valued).
  • Unknown profile name -> 400.
  • authrequest is map[string][]string -> a single value renders as one query parameter; multiple values render as repeated parameters.
  • Omitted profile -> unchanged behavior. Fully additive.

Changes

  • auth/config.go: ExperimentalConfig.Profiles + ProfileConfig; built-in aet in DefaultConfig.
  • auth/auth.go + auth/interface.go (+ regenerated mocks): AuthorizationRequestProfile lookup.
  • docs/_static/auth/v2.yaml + make gen-api: profile request field; removes authorization_request_params.
  • auth/api/iam/openid4vci.go: resolve + apply the profile (multi-value query) in RequestOpenid4VCICredentialIssuance; drops the authorization_request_params handling.
  • Tests: accessor (auth), handler (auth/api/iam: profile applied, unknown profile rejected; authorization_request_params tests removed).

Notes

  • Also running on project-gf-pilot (where it sits on top of the client-auth work).
  • Commit history on the branch is messy ("wip"); will be squashed at merge.

Assisted by AI

@reinkrul reinkrul marked this pull request as draft June 9, 2026 12:31
@reinkrul

reinkrul commented Jun 9, 2026

Copy link
Copy Markdown
Member Author

We should consider moving the authorization request initiator code to the OAuth2 client, because there's too much coupling between API and module now.

@qltysh

qltysh Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Qlty


Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.04%.

Modified Files with Diff Coverage (3)

RatingFile% DiffUncovered Line #s
Coverage rating: C Coverage rating: C
auth/auth.go100.0%
Coverage rating: A Coverage rating: A
auth/config.go100.0%
Coverage rating: A Coverage rating: A
auth/api/iam/openid4vci.go100.0%
Total100.0%
🚦 See full report on Qlty Cloud »

🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@reinkrul reinkrul force-pushed the feature/openid4vci-request-profiles branch from 55cac88 to 078e890 Compare June 10, 2026 05:20
…T profile

Add named request profiles selected via a new 'profile' field on the requestCredential API.
A profile (auth.experimental.profile.<name>.authrequest, map[string][]string) sets
authorization request parameters. The built-in 'aet' profile (AET UZI smartcard issuer)
ships via DefaultConfig with auth_method=SmartCard and scope='openid profile api'; operator
config of the same name is layered over it.

Apply order on the authorization request: node parameters -> profile authrequest (trusted
config, may override node parameters, multi-valued) -> authorization_request_params (may
only add; still cannot override node parameters). Unknown profile is rejected with 400.

Also adds .claude/worktrees/ to .gitignore.

Implements #4338.

Assisted by AI
@reinkrul reinkrul force-pushed the feature/openid4vci-request-profiles branch from 078e890 to 533c6b1 Compare June 10, 2026 05:49
reinkrul added a commit that referenced this pull request Jun 10, 2026
…faultConfig

Revert the temporary hardcoded AET scope on the OpenID4VCI authorization request (issuance now
relies on the request profile). Move the built-in 'aet' profile from a separate builtinProfiles
var into DefaultConfig and simplify AuthorizationRequestProfile to a plain lookup, matching the
master-targeting implementation (#4338 / #4340).

Assisted by AI
reinkrul added 2 commits July 6, 2026 09:29
Profiles (see previous commit) replace the raw authorization_request_params
escape hatch: issuers that need extra authorization parameters get a
named, curated profile instead of callers spelling out parameters
themselves. Removes the field, its handling, and its tests, folding in
the change from #4349.
The OpenID4VCI request flow is already marked EXPERIMENTAL at the API
and config level, so repeating it on individual fields/comments/doc
strings added noise. Also drops the now-stale "node parameters" framing
from the authorization-request comment, which only made sense as a
contrast with the removed authorization_request_params field.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant