keycloak · Ogenbertrand · May 27, 2025 · Jun 2, 2025 · Jun 4, 2025 · Jun 4, 2025
@@ -203,6 +203,15 @@ private Map<String, CredentialBuilder> loadCredentialBuilders(KeycloakSession ke
                 .collect(Collectors.toMap(CredentialBuilder::getSupportedFormat, component -> component));
     }
 
+    /**
+     * Generates a unique notification ID for use in CredentialResponse.
+     *
+     * @return a unique string identifier
+     */
+    private String generateNotificationId() {
+        return SecretGenerator.getInstance().randomString();
+    }
+
     /**
      * the OpenId4VCI nonce-endpoint
      *
@@ -408,7 +417,9 @@ public Response requestCredential(
 
         Object theCredential = getCredential(authResult, supportedCredentialConfiguration, credentialRequestVO);
         if (SUPPORTED_FORMATS.contains(requestedFormat)) {
-            responseVO.addCredential(theCredential);
+            responseVO
+                    .addCredential(theCredential)
+                    .setNotificationId(generateNotificationId());
         } else {
             throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
         }

@@ -50,11 +50,12 @@ public CredentialResponse setCredentials(List<Credential> credentials) {
         return this;
     }
 
-    public void addCredential(Object credential) {
+    public CredentialResponse addCredential(Object credential) {
         if (this.credentials == null) {
             this.credentials = new ArrayList<>();
         }
         this.credentials.add(new Credential().setCredential(credential));
+        return this;
     }
 
     public String getTransactionId() {

@@ -64,6 +64,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -539,4 +540,33 @@ public void testCredentialIssuanceWithRealmScopeMissing() throws Exception {
                     }
                 });
     }
+
+    @Test
+    public void testRequestCredentialWithNotificationId() {
+        String token = getBearerToken(oauth);
+        testingClient.server(TEST_REALM_NAME).run((session) -> {
+            AppAuthManager.BearerTokenAuthenticator authenticator = new AppAuthManager.BearerTokenAuthenticator(session);
+            authenticator.setTokenString(token);
+            OID4VCIssuerEndpoint issuerEndpoint = prepareIssuerEndpoint(session, authenticator);
+
+            CredentialRequest credentialRequest = new CredentialRequest()
+                    .setFormat(Format.JWT_VC)
+                    .setCredentialIdentifier("test-credential");
+
+            // First credential request
+            Response response1 = issuerEndpoint.requestCredential(credentialRequest);
+            assertEquals("The credential request should be successful.", 200, response1.getStatus());
+            CredentialResponse credentialResponse1 = JsonSerialization.mapper.convertValue(response1.getEntity(), CredentialResponse.class);
+            assertNotNull("Credential response should not be null", credentialResponse1);
+            assertNotNull("Credential should be present", credentialResponse1.getCredentials());
+            assertNotNull("Notification ID should be present", credentialResponse1.getNotificationId());
+            assertFalse("Notification ID should not be empty", credentialResponse1.getNotificationId().isEmpty());
+
+            // Second credential request
+            Response response2 = issuerEndpoint.requestCredential(credentialRequest);
+            assertEquals("The second credential request should be successful.", 200, response2.getStatus());
+            CredentialResponse credentialResponse2 = JsonSerialization.mapper.convertValue(response2.getEntity(), CredentialResponse.class);
+            assertNotEquals("Notification IDs should be unique", credentialResponse1.getNotificationId(), credentialResponse2.getNotificationId());
+        });
+    }
 }