Skip to content

OpenID4VCI: select credential by type in request-credential#4398

Open
reinkrul wants to merge 11 commits into
masterfrom
feat/4372-oid4vci-credential-type
Open

OpenID4VCI: select credential by type in request-credential#4398
reinkrul wants to merge 11 commits into
masterfrom
feat/4372-oid4vci-credential-type

Conversation

@reinkrul

@reinkrul reinkrul commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

  • POST /internal/auth/v2/{subjectID}/request-credential now takes a credential_type field instead of a caller-built authorization_details array.
  • The node resolves credential_type to the issuer's credential_configuration_id by matching it against the issuer's Credential Issuer Metadata (credential_configurations_supported, deterministic on ties, no format ranking).
  • The authorization-stage flow (Authorization Details vs. Credential Configuration ID at the Credential Request) is picked from Authorization Server metadata (authorization_details_types_supported), no probing.
  • The issued credential's type is verified against the request before it's stored in the wallet.
  • Breaking change to this experimental API (acceptable per the issue).

Closes #4372

Test plan

  • go build ./...
  • go test ./auth/... ./e2e-tests/...
  • make gen-api regenerated generated.go cleanly (AuthorizationDetail schema/type removed, credential_type added)
  • Unit tests for type resolution (single/multiple/zero matches, unsupported-format-only) and flow selection in auth/openid4vci and auth/api/iam

Assisted by AI

reinkrul added 9 commits July 9, 2026 08:48
request-credential took a caller-built authorization_details array with
raw OpenID4VCI/RFC 9396 internals. Replace it with a single credential_type
field: the node resolves the issuer's credential_configuration_id by
matching credential_type against the issuer's Credential Issuer Metadata,
and picks the authorization-stage flow (Authorization Details vs.
Credential Configuration ID) from the Authorization Server metadata. The
issued credential's type is verified against the request before it's
stored. Breaking change to this experimental API.

Fixes #4372

Assisted by AI
Rewrite the OpenAPI description for request-credential's credential_type
in plain language with numbered steps, instead of leading with
OpenID4VCI/RFC 9396 jargon.

Assisted by AI
…cription

Reference credential_definition.type/vct, credential_configurations_supported,
authorization_details_types_supported, and credential_configuration_id by name
in each step, instead of paraphrasing them away.

Assisted by AI
…tial Issuer Metadata

Use the existing core.InvalidInputError("%w", err) convention (already used
elsewhere in this package) instead of "%s", err.Error(). Also name the
Credential Issuer Metadata document explicitly as the source of
credential_configurations_supported in the credential_type description.

Assisted by AI
Replace the manual seen-map + append loop with a set collected via
slices.Collect(maps.Keys(...)).

Assisted by AI
…Compact

Simpler than building a set map: extract formats into a slice, sort, then
slices.Compact removes the now-adjacent duplicates in one call.

Assisted by AI
…nfigurationsSupported

Collect matched formats and supported IDs while iterating the map once,
instead of a first pass to build a candidate list and a second pass to
split it into supported/unsupported. Drops the now-unneeded candidate
struct entirely.

Assisted by AI
…, in the resolver

Move the "VerifiableCredential" guard out of CredentialConfiguration.MatchesType
(called once per candidate) into ResolveCredentialConfigurationID, checked once
up front. MatchesType is now a plain membership check.

Assisted by AI
…ename IssuerCredentialType

- Drop AuthorizationServerMetadata.SupportsAuthorizationDetailsType: it had one
  call site, so inline it as slices.Contains at that call site instead.
- Rename OAuthSession.IssuerCredentialType to RequestedCredentialType: it holds
  the credential_type the caller requested, not a property of the issuer, so
  the Issuer* prefix was misleading next to the other Issuer* session fields.

Assisted by AI
@qltysh

qltysh Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Qlty


Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.03%.

Modified Files with Diff Coverage (2)

RatingFile% DiffUncovered Line #s
Coverage rating: A Coverage rating: A
auth/openid4vci/types.go100.0%
Coverage rating: A Coverage rating: A
auth/api/iam/openid4vci.go100.0%
Total100.0%
🚦 See full report on Qlty Cloud »

🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

reinkrul added 2 commits July 9, 2026 15:14
…uthorization_details

Only error when the Token Response has an openid_credential authorization_details
entry that doesn't match the requested credential_configuration_id — a genuine
mismatch between what was requested and what the AS granted. When the Token
Response carries authorization_details but none of type openid_credential (the
Credential Configuration ID flow never asked for one), fall back to
credential_configuration_id at the Credential Request instead of erroring.

Assisted by AI
…ial_identifier/credential_configuration_id

Per §8.2, credential_identifier and credential_configuration_id are mutually
exclusive: one MUST be present and the other MUST NOT be. The call site
previously always passed both to RequestCredentialOpts, relying on
client.RequestCredential's precedence switch to silently drop the redundant
one before serialization. Have the call site decide instead, based on
whether extractCredentialIdentifier found a credential_identifier.

Assisted by AI
@reinkrul reinkrul marked this pull request as ready for review July 9, 2026 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

OpenID4VCI: select credential by type in request-credential; node resolves config + authorization flow from metadata

1 participant