Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oid4vc
Describe the bug
When using the Authorization Code Flow to request a credential, scope validation fails due to a mismatch in where the required scope is retrieved from. The implementation currently expects the scope to be a client attribute, but credential definitions have been migrated to the realm level. As a result, the scope is no longer available on the client, leading to an unsupported credential error.
Version
26.2.0
Regression
- The issue is a regression
Expected behavior
The server should resolve the required scope from realm-level and validate that the scope is present in the access token. Credential issuance should succeed if the scope is correctly set in the token.
Actual behavior
The current implementation tries to resolve the scope using:
client.getAttributes().get("vc." + credentialIdentifier + ".scope")This fails because the credential is no longer defined at the client level. As a result, even when the access token contains the expected scopes, issuance fails.
An error like this is logged:
[2025-04-22 17:11:33] Credential successfully issued: {
"error": "UNSUPPORTED_CREDENTIAL_TYPE",
"error_description": "Scope check failure"
}How to Reproduce?
- Define a credential at the realm level, not on a client.
- Issue a credential using the Authorization Code Grant Flow with a token that includes the expected scope.
- Observe failure during scope check.
Example request:
curl --location 'https://localhost:8443/realms/master/protocol/oid4vc/credential' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <valid-token-with-correct-scope>' \
--data '{
"format": "jwt_vc_json",
"credentialIdentifier": "UniversityDegree"
}'Anything else?
I’ll send a short PR to address this.