Open
22 commits
6f527f7
feat(cli): Add IAM Bridge flow for VC-based OIDC login
philpotisk May 18, 2026
4f07201
Merge branch 'main' into feature/iam-bridge-flow
philpotisk May 18, 2026
8739bc0
fix(cli): Use base URL for superadmin endpoint, not org URL
philpotisk May 18, 2026
47ff73b
fix(cli): Handle 'already used' token message for superadmin creation
philpotisk May 18, 2026
90e1f61
fix(cli): Update to new clientAuthenticationConfig API structure
philpotisk May 18, 2026
d351fbc
fix(cli): Remove 'required' field from ClientAttestationConfig
philpotisk May 18, 2026
4941f10
fix(cli): Fix IAM Bridge request structure
philpotisk May 18, 2026
41b8ab9
fix(cli): Add defaultVerificationSetup to IAM Bridge config
philpotisk May 18, 2026
338a5a2
fix(cli): Use proper VerificationSessionSetup structure with flow_typ…
philpotisk May 18, 2026
c77d526
fix(cli): Improve IAM Bridge HTML parsing to extract session ID from …
philpotisk May 18, 2026
c7ade86
fix(iam-bridge): Use localhost URLs for Docker to reach Enterprise API
philpotisk May 19, 2026
bd8cac3
feat(iam-bridge): Use DC API verification setup with proper signing
philpotisk May 19, 2026
6b25767
fix(iam-bridge): Skip device-auth policy for DC API testing
philpotisk May 19, 2026
7232761
fix(iam-bridge): Use cross_device flow for CLI testing
philpotisk May 19, 2026
79999e0
fix(iam-bridge): Use core_flow instead of core for CrossDeviceFlowSetup
philpotisk May 19, 2026
0ade6af
fix(iam-bridge): Use mso_mdoc PID format matching dcapi-config.json
philpotisk May 19, 2026
abbbe0e
fix(iam-bridge): Use ISO mDL format matching main verification flow
philpotisk May 20, 2026
51850fc
fix(iam-bridge): Handle subdomain URLs without port for Caddy setups
philpotisk May 20, 2026
b14d36a
fix(iam-bridge): Update claim mappings for mDL credentials
philpotisk May 20, 2026
8bf8e60
feat(iam-bridge): Request all mDL fields and map to OIDC claims
philpotisk May 20, 2026
6a8f6f3
feat(iam-bridge): Add all mDL field mappers to Keycloak realm
philpotisk May 20, 2026
565de47
fix(iam-bridge): Remove hardcoded-role-idp-mapper from Keycloak realm
philpotisk May 20, 2026
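--- a/cli/src/commands/setup/issuer.ts
+++ b/cli/src/commands/setup/issuer.ts
@@ -146,14 +146,20 @@ export async function setupCreateIssuer2(ctx: CommandContext): Promise<void> {
 },
 },
 },
-clientAttestationConfig: {
-required: true,
-verificationMethod: {
-type: 'static-jwk',
-jwk: attesterPublicJwk,
-},
-clockSkewSeconds: 300,
-replayWindowSeconds: 300,
+clientAuthenticationConfig: {
+supportedMethods: [
+{
+type: 'client-attestation',
+config: {
+verificationMethod: {
+type: 'static-jwk',
+jwk: attesterPublicJwk,
+},
+clockSkewSeconds: 300,
+replayWindowSeconds: 300,
+},
+},
+],
 },
 };
 ctx.saveJson('create-issuer2-request.json', request, step);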
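Review bot: The rewritten `clientAuthenticationConfig` block drops `required: true`, so nothing in this hunk states any longer that client attestation is mandatory; enforcement presumably now follows from `client-attestation` being the only entry in `supportedMethods`, which should be confirmed against the server API rather than assumed. I would add a comment above `supportedMethods`, e.g. `// client-attestation is the only accepted method; requests without a valid attestation must be rejected`, and have the setup flow include a negative check that a request without attestation is refused. The 300-second `clockSkewSeconds` and `replayWindowSeconds` are carried over unchanged; a short comment on why a five-minute window was chosen would help whoever tunes them later. `setupCreateIssuer2` starts and ends outside this hunk.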
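--- a/cli/src/commands/system.ts
+++ b/cli/src/commands/system.ts
@@ -10,7 +10,7 @@
 */
 
 import { CommandContext } from '../context.js';
-import { buildBaseUrl, buildOrgUrl } from '../config.js';
+import { buildBaseUrl } from '../config.js';
 
 // ============================================================================
 // System Commands
@@ -56,8 +56,8 @@ export async function createSuperadminAccount(ctx: CommandContext): Promise<bool
 console.log(' [INFO] Using credentials from: config/superadmin-registration.conf');
 
 try {
-const orgUrl = buildOrgUrl(ctx.config.baseUrl, ctx.config.organization, ctx.config.port);
-const response = await fetch(`${orgUrl}/v1/superadmin/create-by-token`, {
+const adminUrl = buildBaseUrl(ctx.config.baseUrl, ctx.config.port);
+const response = await fetch(`${adminUrl}/v1/superadmin/create-by-token`, {
 method: 'POST',
 headers: {
 'accept': '*/*',
@@ -69,7 +69,7 @@ export async function createSuperadminAccount(ctx: CommandContext): Promise<bool
 const text = await response.text();
 
 if (text.includes('exception') || !response.ok) {
-if (text.includes('already') || text.includes('exists')) {
+if (text.includes('already') || text.includes('exists') || text.includes('already used')) {
 console.log(` [SKIP] Superadmin account already exists`);
 return true;
 }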
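Review bot: In the last hunk the added `text.includes('already used')` clause can never change the outcome, because `text.includes('already')` already matches any body containing that phrase; the effect is that a consumed registration token is logged as `[SKIP] Superadmin account already exists` and returned as success. An "already used" token does not show that the expected superadmin account exists (the token may have been redeemed by someone else), so I would branch on it separately and say so: `if (text.includes('already used')) { console.log(' [WARN] Registration token already used; verify the superadmin account'); return true; }`. Matching on `response.status` or a structured error code, if the API provides one, would be sturdier than substring checks on the response body. `createSuperadminAccount` continues outside the hunk.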
122 changes: 122 additions & 0 deletions cli/src/flows/dcapi-config.json
@@ -0,0 +1,122 @@
{
"flow_type": "dc_api",
"core": {
"dcql_query": {
"credentials": [
{
"id": "my_pid",
"format": "mso_mdoc",
"meta": {
"doctype_value": "eu.europa.ec.eudi.pid.1"
},
"claims": [
{
"path": [
"eu.europa.ec.eudi.pid.1",
"family_name"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"given_name"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"birth_date"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"age_birth_year"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"age_over_18"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"age_over_21"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"family_name_birth"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"given_name_birth"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"birth_place"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"birth_country"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"issuance_date"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"expiry_date"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"issuing_authority"
]
},
{
"path": [
"eu.europa.ec.eudi.pid.1",
"issuing_country"
]
}
]
}
]
},
"signed_request": true,
"encrypted_response": true,
"clientId": "x509_hash:kZ5SI3MAFaLDPRxza8xguw-o6b8LYfmP2ZvrqVSRWng",
"key": {
"type": "jwk",
"jwk": {
"kty": "EC",
"crv": "P-521",
"x": "APWg4T3FQIeJD_xQN0kap5Mzp7lJ17Ctg_T8Gy24lwOp_EIhDzBK9MoCufSIITRolWlcjFTj3Ty91C9rctTuSf0F",
"y": "AEnFDKiecuqnZ8XMKgt7dFZWRfmzPFrgQmauwlbXDC0kHCZhV76VOgCoWdzfSLegLKGn-nINAIRqPR9n2KPpQwKn",
"d": "AZT9f0qOOSMQl25qXwvFs23rq0PIUOV1R8YcG1iqRNKEYYs5k8gXNNuud4W6amuItCGWCrKSXRoHmgj6C5NUDzhA"
}
},
"x5c": [
"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",
"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"
]
},
"expectedOrigins": [
"http://waltid.enterprise.localhost"
]
}
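Review bot: The `key.jwk` object includes the private scalar `d` of a P-521 key, committed alongside the matching `clientId` (`x509_hash:…`) and `x5c` chain, so anyone with read access to the repository can sign verification requests as this client. If this is a throwaway test identity, say so in the file name or an adjacent README and make sure no non-local verifier or wallet trusts the certificate; otherwise load the key from an environment variable or secret store, and treat this one as compromised since it remains in git history. JSON has no comment syntax, so the marker has to live outside the file, for example a `dcapi-config.example.json` carrying `"d": "<PLACEHOLDER_PRIVATE_KEY>"`. `expectedOrigins` is plain `http://` on a localhost name, which fits a local-only fixture but should not be copied into a deployed configuration.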