Skip to content

Add support for credential_response_encryption in credential request #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 39 commits into
base: main
Choose a base branch
from
Draft

Add support for credential_response_encryption in credential request #53

wants to merge 39 commits into from

Conversation

Ogenbertrand
Copy link
Collaborator

This PR aims at supporting credential_response_encryption during the issuing of credentials request. If the Client requested an encrypted response by including the credential_response_encryption object in the request, the Credential Issuer MUST encode the information in the Credential Response as a JWT using the parameters from the credential_response_encryption object. If the Credential Response is encrypted, the media type of the response MUST be set to application/jwt. If encryption was requested in the Credential Request and the Credential Response is not encrypted, the Client SHOULD reject the Credential Response.

See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-request

@Ogenbertrand Ogenbertrand marked this pull request as draft June 12, 2025 15:04
@Ogenbertrand Ogenbertrand marked this pull request as ready for review June 12, 2025 15:05
@Ogenbertrand Ogenbertrand linked an issue Jun 12, 2025 that may be closed by this pull request
Keycloak: Add support for credential_response_encryption at credential endpoint #51
Closed
@Ogenbertrand Ogenbertrand marked this pull request as draft June 12, 2025 15:31
@Ogenbertrand
Copy link
Collaborator Author

Ready to be reviewed.

IngridPuppet
IngridPuppet requested changes Jun 19, 2025
View reviewed changes
Copy link
Collaborator

@IngridPuppet IngridPuppet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a few comments. Please could you check?

forkimenjeckayang
forkimenjeckayang requested changes Jun 19, 2025
View reviewed changes
Copy link
Collaborator

@forkimenjeckayang forkimenjeckayang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few comments for you to check out

stephane-segning
stephane-segning requested changes Jun 19, 2025
View reviewed changes
Copy link
Collaborator

@stephane-segning stephane-segning left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing much relevant to add to what the other said. Keep these points in mind:

  • Strict input validation for all encryption parameters – no socks with sandals allowed.
  • Encryption must be clearly configurable and documented, simple enough for everyone to understand and use.
  • Log debugging info responsibly; sensitive data (keys, credentials) results in can be skipped or strip (like se***)

@Ogenbertrand Ogenbertrand mentioned this pull request Jun 24, 2025
Closed
2 tasks
forkimenjeckayang
forkimenjeckayang requested changes Jun 26, 2025
View reviewed changes
Copy link
Collaborator

@forkimenjeckayang forkimenjeckayang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few minor comments for you to revisit. Please check

stephane-segning
stephane-segning requested changes Jun 30, 2025
View reviewed changes
Copy link
Collaborator

@stephane-segning stephane-segning left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work. one last change please:

IngridPuppet
IngridPuppet reviewed Jul 7, 2025
View reviewed changes
Copy link
Collaborator

@IngridPuppet IngridPuppet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I acknowledge a great progress. Just a few more comments. Please, could you check?

@Ogenbertrand Ogenbertrand requested a review from IngridPuppet July 7, 2025 14:51
IngridPuppet
IngridPuppet approved these changes Jul 8, 2025
View reviewed changes
Copy link
Collaborator

@IngridPuppet IngridPuppet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Ogenbertrand Ogenbertrand removed a link to an issue Jul 9, 2025
Keycloak: Add support for credential_response_encryption at credential endpoint #51
Closed
@Ogenbertrand
rabase to latest
6f7ff74 
Signed-off-by: Ogenbertrand <[email protected]>
mabartos and others added 30 commits July 29, 2025 14:48
@mabartos @shawkins
Require setting DB kind for additional datasources (keycloak#41087)
75ade9a 
* Require setting DB kind for additional datasources

Closes keycloak#41161

Signed-off-by: Martin Bartoš <[email protected]>

* refining build time check for db kind to be tolerant of existing usage

Signed-off-by: Steve Hawkins <[email protected]>

---------

Signed-off-by: Martin Bartoš <[email protected]>
Signed-off-by: Steve Hawkins <[email protected]>
Co-authored-by: Steve Hawkins <[email protected]>
@mabartos @Pepo48
Synchronize Maven surefire plugin with Quarkus
3243e95 
Closes keycloak#41488

Co-authored-by: Peter Zaoral <[email protected]>
Signed-off-by: Martin Bartoš <[email protected]>
@mabartos
ExternalLinks are broken in documentation
57cb321 
Closes keycloak#41491

Signed-off-by: Martin Bartoš <[email protected]>
@fvales
Fix: prevent federated users from being listed on initial Users page …
bcc85c2 
…load

Ensure that the Users page waits for userProfileProvidersEnabled to be defined
before fetching users. This prevents federated users from being listed by
default on first load, providing a consistent experience and avoiding confusion
when user federation is enabled.

Fixes keycloak#41044

Signed-off-by: Freeda Vales <[email protected]>
@mabartos
Missing comment generated by Liquibase executor in the custom script (k…
7cdb994 
…eycloak#41490)

Closes keycloak#41299

Signed-off-by: Martin Bartoš <[email protected]>
@shawkins
fix: adjusting the startup of the local api server for ci (keycloak#4…
a770204 
…1364)

closes: keycloak#39766

Signed-off-by: Steve Hawkins <[email protected]>
@ahus1 @pruivo
Reduce likelihood of multiple coordinators on concurrent startup
c9943af 
Closes keycloak#41290

Signed-off-by: Alexander Schwartz <[email protected]>
Signed-off-by: Alexander Schwartz <[email protected]>
Co-authored-by: Pedro Ruivo <[email protected]>
@shawkins @mabartos
task: better document property mapping (keycloak#40873)
e4882f8 
* task: better document property mapping

closes: keycloak#40872

Signed-off-by: Steve Hawkins <[email protected]>

* Update quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/PropertyMapper.java

Co-authored-by: Martin Bartoš <[email protected]>
Signed-off-by: Steven Hawkins <[email protected]>

* further refinements to the property mapping docs

Signed-off-by: Steve Hawkins <[email protected]>

* Apply suggestions from code review

Co-authored-by: Martin Bartoš <[email protected]>
Signed-off-by: Steven Hawkins <[email protected]>

---------

Signed-off-by: Steve Hawkins <[email protected]>
Signed-off-by: Steven Hawkins <[email protected]>
Co-authored-by: Martin Bartoš <[email protected]>
@jonkoops
Use single worker to run tests on CI (keycloak#41541)
1ac1f37 
Signed-off-by: Jon Koops <[email protected]>
@ssilvert
Make fileChooser platform independent. (keycloak#41500)
e82f76a 
* Make fileChooser platform independent.

Fixes keycloak#41474

Signed-off-by: Stan Silvert <[email protected]>

* Added node: prefix to imports.

Signed-off-by: Stan Silvert <[email protected]>

---------

Signed-off-by: Stan Silvert <[email protected]>
@weblate @NorwayFun
@allen0099 @benwater12
Translations update from Hosted Weblate (keycloak#41506)
2b019d7 
* Updated translation for Georgian

Language: ka

Co-authored-by: Temuri Doghonadze <[email protected]>
Signed-off-by: Hosted Weblate <[email protected]>
Signed-off-by: Temuri Doghonadze <[email protected]>

* Updated translation for Chinese (Traditional Han script)

Language: zh_Hant

Updated translation for Chinese (Traditional Han script)

Language: zh_Hant

Updated translation for Chinese (Traditional Han script)

Language: zh_Hant

Translated using Weblate (Chinese (Traditional Han script))

Translation: Keycloak/Theme base/admin
Translate-URL: https://hosted.weblate.org/projects/keycloak/theme-baseadmin/zh_Hant/

Updated translation for Chinese (Traditional Han script)

Language: zh_Hant

Updated translation for Chinese (Traditional Han script)

Language: zh_Hant

Updated translation for Chinese (Traditional Han script)

Language: zh_Hant

Co-authored-by: Hosted Weblate <[email protected]>
Co-authored-by: 秉虎 <[email protected]>
Co-authored-by: 翁震軒 <[email protected]>
Signed-off-by: Hosted Weblate <[email protected]>
Signed-off-by: 秉虎 <[email protected]>
Signed-off-by: 翁震軒 <[email protected]>

---------

Signed-off-by: Hosted Weblate <[email protected]>
Signed-off-by: Temuri Doghonadze <[email protected]>
Signed-off-by: 秉虎 <[email protected]>
Signed-off-by: 翁震軒 <[email protected]>
Co-authored-by: Temuri Doghonadze <[email protected]>
Co-authored-by: 秉虎 <[email protected]>
Co-authored-by: 翁震軒 <[email protected]>
@thomasdarimont
Add details about client assertion to event
97dfbd2 
Fixes keycloak#41405

Signed-off-by: Thomas Darimont <[email protected]>
@antikalk @ahus1
add index for user_id and type on event_entity
27cd19e 
Closes keycloak#26995

Signed-off-by: Oliver Cremerius <[email protected]>
Signed-off-by: Alexander Schwartz <[email protected]>
Co-authored-by: Alexander Schwartz <[email protected]>
@rmartinc @mposolda
Create a new condition for credential type and add it to default flows
1f608fa 
Closes keycloak#41354

Signed-off-by: rmartinc <[email protected]>
@keshavprashantdeshpande
Change error to 400 for unknown user (keycloak#40939)
bee7e4b 
Closes keycloak#39079

Signed-off-by: Keshav Deshpande <[email protected]>
@ahus1
Refresh token for an OAuth2 based IDP when retrieving the IDP token
e1b3afb 
Closes keycloak#14644

Signed-off-by: Alexander Schwartz <[email protected]>
@eicki
Support for RSA Key Size of 3072
c7cc162 
Closes keycloak#41551

Signed-off-by: Bjoern Eickvonder <[email protected]>
@mposolda
Getting error 405 'Method Not Allowed' when calling the 'certs' endpo…
2dab730 
…int with HEAD method

closes keycloak#41537

Signed-off-by: mposolda <[email protected]>
@mabartos
Upgrade to Quarkus 3.25.0
37f799e 
Closes keycloak#41186

Signed-off-by: Martin Bartoš <[email protected]>
@martin-kanis
LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal change…
235691b 
…s and KERBEROS_PRINCIPAL was null on creation

Closes keycloak#41520

Signed-off-by: Martin Kanis <[email protected]>
@ssilvert
Log retry count for all Playwright runs. (keycloak#41472)
72bc02c 
Closes keycloak#41471

Signed-off-by: Stan Silvert <[email protected]>
@forkimenjeckayang
[OID4VCI] Update SD-JWT VCs Format Identifier to dc+sd-jwt (keycloak#…
43610cf 
…41233)

Closes keycloak#39293

Signed-off-by: forkimenjeckayang <[email protected]>
@tnorimat @mposolda
FAPI 2.0 Security Profile Final - Documentation
cb4e06b 
closes keycloak#41121

Signed-off-by: Takashi Norimatsu <[email protected]>
@ssilvert
Move flaky test to top so it will run first. (keycloak#41599)
eb814bb 
Fixes keycloak#41598

Signed-off-by: Stan Silvert <[email protected]>
@rmartinc @ahus1
Add a securing-apps guide with the specifications implemented by keyc…
f45280a 
…loak

Closes keycloak#41176

Signed-off-by: rmartinc <[email protected]>
Signed-off-by: Alexander Schwartz <[email protected]>
Co-authored-by: Alexander Schwartz <[email protected]>
@Ogenbertrand
Relax JWK 'use' validation for credential response encryption
9b9dd1c 
Signed-off-by: Ogenbertrand <[email protected]>
@ahus1
Adjust the test to dynamically remove all sessions
31495ec 
This will handle even those sessions created by other tests.

Closes keycloak#41545

Signed-off-by: Alexander Schwartz <[email protected]>
@Ogenbertrand
return false when both alg and enc are null or empty
2bcefca 
Signed-off-by: Ogenbertrand <[email protected]>
@mposolda
Wrap deprecated passkeys authenticator behind the feature
3cc8808 
closes keycloak#40696

Signed-off-by: mposolda <[email protected]>
@Ogenbertrand
Merge branch 'main' into issue-keycloak#39310
6561a7d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@IngridPuppet IngridPuppet IngridPuppet approved these changes

@forkimenjeckayang forkimenjeckayang forkimenjeckayang approved these changes

@francis-pouatcha francis-pouatcha Awaiting requested review from francis-pouatcha

@stephane-segning stephane-segning Awaiting requested review from stephane-segning

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.