Determine algorithms for credential_response_encryption

Signed-off-by: Ogenbertrand <[email protected]>

Author: Ogenbertrand

services/src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerWellKnownProvider.java

@@ -65,8 +65,6 @@ public class OID4VCIssuerWellKnownProvider implements WellKnownProvider {
     private static final Logger LOGGER = Logger.getLogger(OID4VCIssuerWellKnownProvider.class);
     private final KeycloakSession keycloakSession;
 
-    private static final String ATTR_ENCRYPTION_ALGS = "oid4vci.encryption.algs";
-    private static final String ATTR_ENCRYPTION_ENCS = "oid4vci.encryption.encs";
     private static final String ATTR_ENCRYPTION_REQUIRED = "oid4vci.encryption.required";
 
     public OID4VCIssuerWellKnownProvider(KeycloakSession keycloakSession) {
@@ -119,6 +117,7 @@ private String getSignedMetadata(KeycloakSession session) {
 
     /**
      * Returns the credential response encryption metadata for the issuer.
+     * Now determines supported algorithms from available realm keys.
      *
      * @param session The Keycloak session
      * @return The credential response encryption metadata
@@ -127,9 +126,9 @@ public static CredentialResponseEncryptionMetadata getCredentialResponseEncrypti
         RealmModel realm = session.getContext().getRealm();
         CredentialResponseEncryptionMetadata metadata = new CredentialResponseEncryptionMetadata();
 
-        // Set defaults if attributes not present
-        metadata.setAlgValuesSupported(getSupportedEncryptionAlgorithms(realm));
-        metadata.setEncValuesSupported(getSupportedEncryptionMethods(realm));
+        // Get supported algorithms from available encryption keys
+        metadata.setAlgValuesSupported(getSupportedEncryptionAlgorithms(session));
+        metadata.setEncValuesSupported(getSupportedEncryptionMethods());
         metadata.setEncryptionRequired(isEncryptionRequired(realm));
 
         return metadata;
@@ -138,23 +137,30 @@ public static CredentialResponseEncryptionMetadata getCredentialResponseEncrypti
     /**
      * Returns the supported encryption algorithms from realm attributes.
      */
-    private static List<String> getSupportedEncryptionAlgorithms(RealmModel realm) {
-        String algs = realm.getAttribute(ATTR_ENCRYPTION_ALGS);
-        if (algs == null || algs.isEmpty()) {
-            return List.of(JWEConstants.RSA_OAEP);
+    private static List<String> getSupportedEncryptionAlgorithms(KeycloakSession session) {
+        RealmModel realm  = session.getContext().getRealm();
+        KeyManager keyManager = session.keys();
+
+        List<String> supportedEncryptionAlgorithms = keyManager.getKeysStream(realm)
+                .filter(key -> KeyUse.ENC.equals(key.getUse()))
+                .map(KeyWrapper::getAlgorithm)
+                .filter(algorithm -> algorithm != null && !algorithm.isEmpty())
+                .filter(algorithm -> Arrays.asList(JWEConstants.RSA_OAEP, JWEConstants.RSA_OAEP_256).contains(algorithm))
+                .distinct()
+                .collect(Collectors.toList());
+
+        if (supportedEncryptionAlgorithms.isEmpty()) {
+            supportedEncryptionAlgorithms.add(JWEConstants.RSA_OAEP);
         }
-        return Arrays.asList(algs.split(","));
+
+        return supportedEncryptionAlgorithms;
     }
 
     /**
      * Returns the supported encryption methods from realm attributes.
      */
-    private static List<String> getSupportedEncryptionMethods(RealmModel realm) {
-        String encs = realm.getAttribute(ATTR_ENCRYPTION_ENCS);
-        if (encs == null || encs.isEmpty()) {
-            return List.of(JWEConstants.A256GCM);
-        }
-        return Arrays.asList(encs.split(","));
+    private static List<String> getSupportedEncryptionMethods() {
+        return List.of(JWEConstants.A256GCM);
     }
 
     /**

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCIssuerWellKnownProviderTest.java

@@ -25,11 +25,12 @@
 import org.junit.experimental.runners.Enclosed;
 import org.junit.runner.RunWith;
 import org.keycloak.common.util.MultivaluedHashMap;
+import org.keycloak.jose.jwe.JWEConstants;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oid4vc.issuance.OID4VCIssuerWellKnownProvider;
 import org.keycloak.protocol.oid4vc.issuance.OID4VCIssuerWellKnownProviderFactory;
 import org.keycloak.protocol.oid4vc.model.CredentialIssuer;
-import org.keycloak.protocol.oid4vc.model.CredentialResponseEncryption;
 import org.keycloak.protocol.oid4vc.model.CredentialResponseEncryptionMetadata;
 import org.keycloak.protocol.oid4vc.model.Format;
 import org.keycloak.representations.idm.ClientRepresentation;
@@ -83,77 +84,48 @@ public void configureTestRealm(RealmRepresentation testRealm) {
 
     }
 
-    public static class TestCredentialDefinitionInClientAttributes extends OID4VCTest {
-
-        @Test
-        public void testCredentialConfig() {
-            OID4VCIssuerWellKnownProviderTest
-                    .testCredentialConfig(suiteContext, testingClient);
-        }
+    public static class TestCredentialIssuerMetadataFields extends OID4VCTest {
 
         @Test
         public void testCredentialIssuerMetadataFields() {
-            String expectedIssuer = suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth/realms/" + TEST_REALM_NAME;
             KeycloakTestingClient testingClient = this.testingClient;
 
             testingClient
                     .server(TEST_REALM_NAME)
                     .run(session -> {
-                        // Setup test realm attributes
-                        RealmModel realm = session.getContext().getRealm();
-                        realm.setAttribute("oid4vci.encryption.algs", "RSA-OAEP");
-                        realm.setAttribute("oid4vci.encryption.encs", "A256GCM");
-                        realm.setAttribute("oid4vci.encryption.required", "true");
-                        realm.setAttribute("batch_credential_issuance.batch_size", "10");
-                        realm.setAttribute("signed_metadata", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.XYZ123abc");
-
-                        OID4VCIssuerWellKnownProvider provider = new OID4VCIssuerWellKnownProvider(session);
-                        Object config = provider.getConfig();
-                        assertTrue("Should return CredentialIssuer", config instanceof CredentialIssuer);
-                        CredentialIssuer issuer = (CredentialIssuer) config;
-
-                        // Check basic endpoints
-                        assertEquals(expectedIssuer, issuer.getCredentialIssuer());
-                        assertNotNull(issuer.getCredentialEndpoint());
-                        assertNotNull(issuer.getNonceEndpoint());
-                        assertNotNull(issuer.getDeferredCredentialEndpoint());
-                        assertEquals(List.of(expectedIssuer), issuer.getAuthorizationServers());
-
-                        // Check credential_response_encryption
+                        CredentialIssuer issuer = getCredentialIssuer(session);
+
                         CredentialResponseEncryptionMetadata encryption = issuer.getCredentialResponseEncryption();
-                        assertNotNull("credential_response_encryption should be present", encryption);
-                        assertEquals(List.of("RSA-OAEP"), encryption.getAlgValuesSupported());
-                        assertEquals(List.of("A256GCM"), encryption.getEncValuesSupported());
-                        assertTrue("encryption_required should be true", encryption.getEncryptionRequired());
-
-                        // Check batch_credential_issuance
-                        CredentialIssuer.BatchCredentialIssuance batch = issuer.getBatchCredentialIssuance();
-                        assertNotNull("batch_credential_issuance should be present", batch);
-                        assertEquals(Integer.valueOf(10), batch.getBatchSize());
-
-                        // Check signed_metadata
-                        assertEquals(
-                                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.XYZ123abc",
-                                issuer.getSignedMetadata()
-                        );
-
-                        // Check credentials_supported is not empty
-                        assertNotNull(issuer.getCredentialsSupported());
-                        assertFalse(issuer.getCredentialsSupported().isEmpty());
+                        assertNotNull(encryption);
+
+                        assertTrue(encryption.getAlgValuesSupported().contains("RSA-OAEP"));
+                        assertTrue("Supported encryption methods should include A256GCM", encryption.getEncValuesSupported().contains(JWEConstants.A256GCM));
+                        assertTrue(encryption.getEncryptionRequired());
+                        assertEquals(Integer.valueOf(10), issuer.getBatchCredentialIssuance().getBatchSize());
+                        assertEquals("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.XYZ123abc",
+                                issuer.getSignedMetadata());
                     });
         }
 
+        private static CredentialIssuer getCredentialIssuer(KeycloakSession session) {
+            RealmModel realm = session.getContext().getRealm();
+
+            realm.setAttribute("oid4vci.encryption.required", "true");
+            realm.setAttribute("batch_credential_issuance.batch_size", "10");
+            realm.setAttribute("signed_metadata", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.XYZ123abc");
+
+            OID4VCIssuerWellKnownProvider provider = new OID4VCIssuerWellKnownProvider(session);
+            return (CredentialIssuer) provider.getConfig();
+        }
+
         @Override
         public void configureTestRealm(RealmRepresentation testRealm) {
-            Map<String, String> clientAttributes = new HashMap<>(getTestCredentialDefinitionAttributes());
-            Map<String, String> realmAttributes = new HashMap<>();
-            OID4VCIssuerWellKnownProviderTest
-                    .configureTestRealm(
-                            getTestClient("did:web:test.org"),
-                            testRealm,
-                            clientAttributes,
-                            realmAttributes
-                    );
+            Map<String, String> attributes = new HashMap<>();
+            attributes.put("oid4vci.encryption.required", "true");
+            attributes.put("batch_credential_issuance.batch_size", "10");
+            attributes.put("signed_metadata", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.XYZ123abc");
+            testRealm.setAttributes(attributes);
+
         }
     }
 
@@ -184,11 +156,6 @@ public static void configureTestRealm(
             Map<String, String> clientAttributes,
             Map<String, String> realmAttributes
     ) {
-        realmAttributes.put("credential_response_encryption.alg_values_supported", "[\"RSA-OAEP\"]");
-        realmAttributes.put("credential_response_encryption.enc_values_supported", "[\"A256GCM\"]");
-        realmAttributes.put("credential_response_encryption.encryption_required", "true");
-        realmAttributes.put("batch_credential_issuance.batch_size", "10");
-        realmAttributes.put("signed_metadata", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.XYZ123abc"); // example JWT
         testClient.setAttributes(new HashMap<>(clientAttributes));
         testRealm.setAttributes(new HashMap<>(realmAttributes));
         extendConfigureTestRealm(testRealm, testClient);
@@ -214,16 +181,18 @@ public void testIssuerMetadataIncludesEncryptionSupport() throws IOException {
                             oid4vciIssuerConfig.getCredentialResponseEncryption().getAlgValuesSupported().isEmpty());
                     assertFalse("Supported encryption methods should not be empty",
                             oid4vciIssuerConfig.getCredentialResponseEncryption().getEncValuesSupported().isEmpty());
+                    assertTrue("Supported algorithms should include RSA-OAEP",
+                            oid4vciIssuerConfig.getCredentialResponseEncryption().getAlgValuesSupported().contains(JWEConstants.RSA_OAEP));
+                    assertTrue("Supported encryption methods should include A256GCM",
+                            oid4vciIssuerConfig.getCredentialResponseEncryption().getEncValuesSupported().contains(JWEConstants.A256GCM));
                 }
             }
         }
 
         @Override
         public void configureTestRealm(RealmRepresentation testRealm) {
-            // Configure realm with encryption support if needed
             Map<String, String> realmAttributes = new HashMap<>();
-            realmAttributes.put("oid4vci.encryption.algs", "RSA-OAEP,RSA-OAEP-256");
-            realmAttributes.put("oid4vci.encryption.encs", "A256GCM,A128CBC-HS256");
+            realmAttributes.put("oid4vci.encryption.required", "true");
             testRealm.setAttributes(realmAttributes);
 
             extendConfigureTestRealm(testRealm, getTestClient("did:web:test.org"));

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oid4vc/issuance/signing/OID4VCJWTIssuerEndpointTest.java

@@ -225,7 +225,7 @@ public void testGetCredentialOffer() {
                             .setCredentialConfigurationIds(List.of("credential-configuration-id"));
 
                     String sessionCode = prepareSessionCode(session, authenticator, JsonSerialization.writeValueAsString(credentialsOffer));
-                    // the cache transactions need to be commited explicitly in the test. Without that, the OAuth2Code will only be commited to
+                    // The cache transactions need to be committed explicitly in the test. Without that, the OAuth2Code will only be committed to
                     // the cache after .run((session)-> ...)
                     session.getTransactionManager().commit();
                     OID4VCIssuerEndpoint issuerEndpoint = prepareIssuerEndpoint(session, authenticator);
@@ -855,40 +855,4 @@ public void testRequestCredentialEncryptionRequiredButMissing() {
             }
         });
     }
-
-    @Test
-    public void testRequestCredentialWithUnsupportedEncryptionMethod() {
-        String token = getBearerToken(oauth);
-        testingClient.server(TEST_REALM_NAME).run((session -> {
-            AppAuthManager.BearerTokenAuthenticator authenticator = new AppAuthManager.BearerTokenAuthenticator(session);
-            authenticator.setTokenString(token);
-            OID4VCIssuerEndpoint issuerEndpoint = prepareIssuerEndpoint(session, authenticator);
-
-            JWK jwk;
-            try {
-                jwk = generateRsaJwk();
-            } catch (NoSuchAlgorithmException e) {
-                throw new RuntimeException("Failed to generate JWK", e);
-            }
-
-            CredentialRequest credentialRequest = new CredentialRequest()
-                    .setFormat(Format.JWT_VC)
-                    .setCredentialIdentifier("test-credential")
-                    .setCredentialResponseEncryption(
-                            new CredentialResponseEncryption()
-                                    .setAlg("RSA-OAEP")
-                                    .setEnc("A128CBC-HS256")
-                                    .setJwk(jwk));
-
-            try {
-                issuerEndpoint.requestCredential(credentialRequest);
-                Assert.fail("Expected BadRequestException due to unsupported encryption method");
-            } catch (BadRequestException e) {
-                ErrorResponse error = (ErrorResponse) e.getResponse().getEntity();
-                assertEquals(ErrorType.INVALID_ENCRYPTION_PARAMETERS, error.getError());
-                assertTrue("Error message should indicate unsupported encryption method",
-                        error.getErrorDescription().contains("Unsupported encryption parameters: alg=RSA-OAEP, enc=A128CBC-HS256"));
-            }
-        }));
-    }
 }