[OID4VCI] Realm based scope credential approach #39265

Captain-P-Goldfish · 2025-04-28T11:41:32Z

Captain-P-Goldfish
Apr 28, 2025

I would like to discuss the current approach of the OpenID4VCI scope based approach with the realm configuration.

The as is state:

We need to update the realms configuration by adding additional attributes that define a specific credential:

PUT {{url}}/admin/realms/{{realm}}
Authorization: Bearer {{access_token_admin}}
Content-Type: application/json

{
  "realm": "oid4vci",
  "enabled": true,
  "attributes": {
    "vc.pid.expiry_in_s": "31536000",
    "vc.pid.format": "vc+sd-jwt",
    "vc.pid.scope": "{{vct}}",
    "vc.pid.vct": "{{vct}}"
  }
}

next: we need to define the scope that represents the credential:

POST {{url}}/admin/realms/{{realm}}/client-scopes
Authorization: Bearer {{access_token_admin}}
Content-Type: application/json

{
  "name": "{{vct}}",
  "protocol": "openid-connect",
  "attributes": {
    "include.in.token.scope": "false",
    "display.on.consent.screen": "false"
  },
  "protocolMappers": [
    {
      "name": "givenName-mapper",
      "protocol": "openid-connect",
      "protocolMapper": "oid4vc-static-claim-mapper",
      "config": {
        "subjectProperty": "first_name",
        "staticValue": "N/A",
        "supportedCredentialTypes": "{{vct}}"
      }
    },
    ...
  ]
}

only this combination together exposes the credential with its credential_configuration_id at the credential-issuer-endpoint.

I would like to share a few thoughts on this approach, which I will outline below:

Why don't we allow the protocol 'oid4vc' for scopes? Like this we can distinguishe between openid-scopes and openid4vci-credentials. This would also be very obviously displayed within the UI:

Currently, the attempt to define a scope with protocol oid4vc results in a BadRequest.
lf we follow step 1 we should be able to shift the configuration that is currently added to the realm-attributes directly to the scope itself. We can add attributes there like vct, credential-identifier, etc.
How this will eventually look in the UI still needs to be discussed.
Doing this will solve another problem with the Authorization Code Flow-support. When addressing the AuthorizationEndpoint for credential issuance it is necessary to identify the request by either a scope-value or the authorization_details-parameter from Rich Authorization Requests. If we determine specific scopes to be of protocol oid4vc we can easily determine if the request is done to issue a cr 10000 edential even with a Rich Authorization Request because we can more easily determine which sopes we are allowed to use to satisfy the request.
We need a concept for credential_identifiers. I wouldn't like the idea putting this into the realms configuration, instead I would like to allow parent-child relationships between oid4vc-scopes. If we use the example UniversityDegreeCredential we could have PhysicsMasterDegreeCredential or a InformaticsDiplomDegreeCredential for example. Both would probably share some common attributes inherited by the parent-credential UniversityDegreeCredential as well as some extra attributes only defined for the specific credential. Outsourcing this concept in bidirectional logic between realm-configuration and scope-configuration would greatly intensify the complexity and usability of this feature.

IngridPuppet · 2025-04-30T08:41:29Z

IngridPuppet
Apr 30, 2025

My understanding about the discussion is that it pushes for having a client scope as the single source of truth for defining and configuring issuable credentials, which totally makes sense in my opinion as well. I would just want to recall some issues were once raised about enforcing a specific oid4vc protocol. They maybe outweigh the benefits of the constraint.

0 replies

Captain-P-Goldfish · 2025-04-30T10:40:44Z

Captain-P-Goldfish
Apr 30, 2025
Author

My understanding about the discussion is that it pushes for having a client scope as the single source of truth for defining and configuring issuable credentials, which totally makes sense in my opinion as well

Yes, that is exactly what I meant. Would have been a good idea to state this out more clearly :-) So thanks for doing it :-)

I would just want to recall some issues were once raised about enforcing a specific oid4vc protocol. They maybe outweigh the benefits of the constraint.

I actually do not want to enforce a protocol but basically allow a pseudo-protocol. A new protocol must be attached to the client implementation which was the reason for the original design.
What I want is simply that we can distinguishe between openid-connect scopes and credential-scopes. When we look at the screenshot above, Keycloak already creates such a credential automatically with the name oid4vc_natural_person. If you do a GET-request on this scope over the REST-Admin API you will see that its protocol is set to oid4vc. This also makes sure that the UI displays this scope with OpenID for Verifiable Credentials.
So if we would allow this protocol-type for scopes only as simple string-value we could easily distinguishe between the types. Alternatively we could add an integer type to scopes for example similar as it was done on the GroupMemberships for the organization feature.

0 replies

thomasdarimont · 2025-05-07T11:32:47Z

thomasdarimont
May 7, 2025
Collaborator

If you move the realm attributes to the client scope configuration, does that mean that the VCI metadata needs to be fetched from the client scope configuration then? Will all client scope definitions for OpenID4VC then be used as the source for the VCI metadata (credential_configurations_supported)?

See:
https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-11.2.3

1 reply

Captain-P-Goldfish May 7, 2025
Author

Yes, that is the intention.

mposolda · 2025-05-07T11:51:47Z

mposolda
May 7, 2025
Maintainer

Indeed, just verified that when you are creating client scope and you select OpenID for Verifiable Credentials protocol and you press Save, Keycloak will refuse to save this client scope. It looks that this is a bug, which should be fixed. We should allow any available protocol to be used for client scopes.

Also regarding UI, it may be needed to have some "dynamicity" in the rendering of client scopes similarly like we have for some other things (EG. clients, identity providers etc), so that some client scope attributes are hidden for certain protocols. For example the existing attribute Include in token scope does not makes sense for SAML and should be shown only for OIDC (and maybe OID4VCI, but not sure). This dynamic rendering will also allow to have some additional attributes on the "OID4VCI client scopes", which will be shown in the UI just if chosen client scope protocol is "OID4VCI"

1 reply

Captain-P-Goldfish May 7, 2025
Author

I will create some tickets now ans ask Ingrid to add them to the draft-15 epic.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[OID4VCI] Realm based scope credential approach #39265

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 4 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

[OID4VCI] Realm based scope credential approach #39265

Uh oh!

Uh oh!

Captain-P-Goldfish Apr 28, 2025

Replies: 4 comments · 2 replies

Uh oh!

IngridPuppet Apr 30, 2025

Uh oh!

Uh oh!

Captain-P-Goldfish Apr 30, 2025 Author

Uh oh!

thomasdarimont May 7, 2025 Collaborator

Uh oh!

Captain-P-Goldfish May 7, 2025 Author

Uh oh!

mposolda May 7, 2025 Maintainer

Uh oh!

Captain-P-Goldfish May 7, 2025 Author

Captain-P-Goldfish
Apr 28, 2025

Replies: 4 comments 2 replies

IngridPuppet
Apr 30, 2025

Captain-P-Goldfish
Apr 30, 2025
Author

thomasdarimont
May 7, 2025
Collaborator

Captain-P-Goldfish May 7, 2025
Author

mposolda
May 7, 2025
Maintainer

Captain-P-Goldfish May 7, 2025
Author