Feature/iam bridge flow#24
Open
philpotisk wants to merge 22 commits into
Adds --flow-iam-bridge command that demonstrates how the IAM Bridge service enables Verifiable Credential-based authentication through standard OIDC. The flow:
1. Creates IAM Bridge service with Keycloak client configuration
2. Starts Keycloak container with custom realm
3. Issues a credential to the test wallet
4. Simulates OIDC authorization flow
5. Wallet presents credential
6. Polls for session completion
7. Exchanges auth code for tokens
8. Verifies user info endpoint
Also adds --stop-keycloak command for cleanup.
The /v1/superadmin/create-by-token endpoint doesn't require organization subdomain. Changed from buildOrgUrl to buildBaseUrl.
The issuer2 API changed from clientAttestationConfig to clientAuthenticationConfig with a supportedMethods array containing typed method configurations.
The 'required' field was removed from the API. The new structure only has:
- verificationMethod
- clockSkewSeconds
- replayWindowSeconds
- Change URL from resource-api/create to resource-api/services/create
- Remove 'name' and 'config' wrapper, flatten fields directly into request
- Use _id field instead of name for resource identification
Also:
- Fix resource API URL path
- Fix Keycloak health check endpoint
- Fix pkceMethod for Keycloak realm
Keycloak runs in Docker with --network host, but cannot resolve subdomain-based URLs like waltid.enterprise.localhost:3000. Changes:
- IAM Bridge issuerUrl now uses localhost:PORT
- Keycloak realm config replaces subdomain URLs with localhost:PORT for tokenUrl, jwksUrl, and issuer (backend calls)
- authorizationUrl kept as subdomain (browser redirect works fine)
This ensures Keycloak can make HTTP calls to the token and JWKS endpoints while browsers still use the proper subdomain URLs.
- Changed from cross_device to dc_api flow type
- Added proper x509 certificate chain and signing key
- Added EUDI PID credential format (eu.europa.ec.eudi.pid.1)
- Added expected origins for browser verification
This enables Chrome's Digital Credentials API to work correctly.
The device authentication verification fails because the session transcript computation may differ between implementations (our verifier vs Google's wallet). For testing purposes, we skip the mso_mdoc/device-auth policy while keeping the other important mDOC verification policies:
- mso_mdoc/issuer_auth (verify issuer signature)
- mso_mdoc/issuer_signed_integrity (verify digest matching)
- mso_mdoc/mso (verify MSO validity)
- mso_mdoc/device_key_auth (verify device key exists)
This allows testing the DC API flow while the session transcript issue is investigated separately.
The DC API flow type with x509_hash clientId causes JSON parsing errors in the internal wallet. Changed to standard cross_device flow with SD-JWT VerifiableId format for CLI testing. DC API flow is handled separately in the browser when dc_api=true query parameter is set.
Changed from invalid 'vc+sd-jwt' format to 'mso_mdoc' with eu.europa.ec.eudi.pid.1 doctype, matching the DC API config.
Changed from eu.europa.ec.eudi.pid.1 to org.iso.18013.5.1.mDL to match the working Enterprise Wallet and Verifier flow configuration.
Updated the subdomain URL regex pattern to match both:
- waltid.enterprise.localhost:3000 (with port)
- waltid.enterprise.localhost (without port, for Caddy on port 80)
This fixes Keycloak's 'Connection refused' error when using Caddy as reverse proxy without an explicit port in the URL.
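The URL rewrite described in the two commits above (subdomain host, with or without an explicit port, replaced by localhost:PORT for the backend fields tokenUrl, jwksUrl and issuer, while authorizationUrl is left for the browser), as an added Python example that is not code from this PR or the walt.id project. The field names come from the commit messages; the endpoint paths, the sample config and the fallback-port argument are assumptions.

```python
import re

# Backend fields Keycloak itself calls; these must resolve from inside the
# container. authorizationUrl is deliberately not listed: the browser follows it.
BACKEND_FIELDS = ("tokenUrl", "jwksUrl", "issuer")

# Matches a *.localhost subdomain host with an optional ":port" and keeps the
# scheme. Bare "localhost:3000" has no dot before "localhost", so an already
# rewritten URL is left untouched (the rewrite is idempotent).
SUBDOMAIN_URL = re.compile(
    r"(?P<scheme>https?://)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.localhost"
    r"(?::(?P<port>\d+))?(?=[/?#]|$)"
)

def rewrite_for_keycloak(idp_config: dict, fallback_port: int) -> dict:
    """Return a copy of the identity-provider config with backend URLs
    pointing at localhost:PORT. When the subdomain URL carries no port
    (reverse proxy on port 80), fallback_port is used (assumption)."""
    out = dict(idp_config)
    for field in BACKEND_FIELDS:
        url = out.get(field)
        if not url:
            continue
        def repl(m: re.Match) -> str:
            port = m.group("port") or str(fallback_port)
            return f"{m.group('scheme')}localhost:{port}"
        out[field] = SUBDOMAIN_URL.sub(repl, url, count=1)
    return out

def unresolvable_backend_fields(idp_config: dict) -> list:
    """Names of backend fields that still point at a subdomain host."""
    return [f for f in BACKEND_FIELDS
            if idp_config.get(f) and SUBDOMAIN_URL.search(idp_config[f])]

# Constructed sample config (paths are made up for the example).
SAMPLE_IDP = {
    "authorizationUrl": "http://waltid.enterprise.localhost:3000/v1/iam-bridge/authorize",
    "tokenUrl": "http://waltid.enterprise.localhost:3000/v1/iam-bridge/token",
    "jwksUrl": "http://waltid.enterprise.localhost/v1/iam-bridge/jwks",
    "issuer": "http://waltid.enterprise.localhost:3000",
}

if __name__ == "__main__":
    fixed = rewrite_for_keycloak(SAMPLE_IDP, fallback_port=3000)
    for k, v in fixed.items():
        print(f"{k}: {v}")
```

Running the script prints the rewritten config; the `issuer` value is the one Keycloak compares against the `iss` claim of tokens it receives, so it must match what the IAM Bridge puts in its tokens after the same rewrite.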
Changed from W3C VC credentialSubject paths to mDL namespace paths:
- sub: document_number from org.iso.18013.5.1
- given_name: given_name from org.iso.18013.5.1
- family_name: family_name from org.iso.18013.5.1
- birthdate: birth_date from org.iso.18013.5.1
Extended DCQL query to request:
- document_number, issue_date, expiry_date
- issuing_country, issuing_authority, un_distinguishing_sign
Added claim mappings for all fields to OIDC claims.
Added identity provider mappers for:
- birthdate
- document_number
- issue_date
- expiry_date
- issuing_country
- issuing_authority
- un_distinguishing_sign
The mapper causes NPE during oauth callback in Keycloak.
No description provided.