OpenID4VCI: select credential by type in request-credential#4398
Open
reinkrul wants to merge 11 commits into
Open
OpenID4VCI: select credential by type in request-credential#4398reinkrul wants to merge 11 commits into
reinkrul wants to merge 11 commits into
Conversation
request-credential took a caller-built authorization_details array with raw OpenID4VCI/RFC 9396 internals. Replace it with a single credential_type field: the node resolves the issuer's credential_configuration_id by matching credential_type against the issuer's Credential Issuer Metadata, and picks the authorization-stage flow (Authorization Details vs. Credential Configuration ID) from the Authorization Server metadata. The issued credential's type is verified against the request before it's stored. Breaking change to this experimental API. Fixes #4372 Assisted by AI
Rewrite the OpenAPI description for request-credential's credential_type in plain language with numbered steps, instead of leading with OpenID4VCI/RFC 9396 jargon. Assisted by AI
…cription Reference credential_definition.type/vct, credential_configurations_supported, authorization_details_types_supported, and credential_configuration_id by name in each step, instead of paraphrasing them away. Assisted by AI
…tial Issuer Metadata
Use the existing core.InvalidInputError("%w", err) convention (already used
elsewhere in this package) instead of "%s", err.Error(). Also name the
Credential Issuer Metadata document explicitly as the source of
credential_configurations_supported in the credential_type description.
Assisted by AI
Replace the manual seen-map + append loop with a set collected via slices.Collect(maps.Keys(...)). Assisted by AI
…Compact Simpler than building a set map: extract formats into a slice, sort, then slices.Compact removes the now-adjacent duplicates in one call. Assisted by AI
…nfigurationsSupported Collect matched formats and supported IDs while iterating the map once, instead of a first pass to build a candidate list and a second pass to split it into supported/unsupported. Drops the now-unneeded candidate struct entirely. Assisted by AI
…, in the resolver Move the "VerifiableCredential" guard out of CredentialConfiguration.MatchesType (called once per candidate) into ResolveCredentialConfigurationID, checked once up front. MatchesType is now a plain membership check. Assisted by AI
…ename IssuerCredentialType - Drop AuthorizationServerMetadata.SupportsAuthorizationDetailsType: it had one call site, so inline it as slices.Contains at that call site instead. - Rename OAuthSession.IssuerCredentialType to RequestedCredentialType: it holds the credential_type the caller requested, not a property of the issuer, so the Issuer* prefix was misleading next to the other Issuer* session fields. Assisted by AI
Contributor
|
Coverage Impact ⬆️ Merging this pull request will increase total coverage on Modified Files with Diff Coverage (2)
🛟 Help
|
…uthorization_details Only error when the Token Response has an openid_credential authorization_details entry that doesn't match the requested credential_configuration_id — a genuine mismatch between what was requested and what the AS granted. When the Token Response carries authorization_details but none of type openid_credential (the Credential Configuration ID flow never asked for one), fall back to credential_configuration_id at the Credential Request instead of erroring. Assisted by AI
…ial_identifier/credential_configuration_id Per §8.2, credential_identifier and credential_configuration_id are mutually exclusive: one MUST be present and the other MUST NOT be. The call site previously always passed both to RequestCredentialOpts, relying on client.RequestCredential's precedence switch to silently drop the redundant one before serialization. Have the call site decide instead, based on whether extractCredentialIdentifier found a credential_identifier. Assisted by AI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Summary
POST /internal/auth/v2/{subjectID}/request-credentialnow takes acredential_typefield instead of a caller-builtauthorization_detailsarray.credential_typeto the issuer'scredential_configuration_idby matching it against the issuer's Credential Issuer Metadata (credential_configurations_supported, deterministic on ties, no format ranking).authorization_details_types_supported), no probing.Closes #4372
Test plan
go build ./...go test ./auth/... ./e2e-tests/...make gen-apiregeneratedgenerated.gocleanly (AuthorizationDetailschema/type removed,credential_typeadded)auth/openid4vciandauth/api/iamAssisted by AI