Keycloak as Wallet-Verifier (OpenID 4 Verifiable Presentations) #47346
Replies: 2 comments
Hey @dominikschlosser Thank you very much for sharing this, it's excellent work and greatly appreciated. Within the OAuth SIG, we have been focusing on OID4VCI over the past several years. While issuance has been our primary priority, a number of SIG members have also expressed strong interest in OID4VP. We’ve made significant progress in enhancing the security of OID4VCI, and we are aiming to bring this feature to a preview state by version 26.7. In addition, it may be worthwhile to revisit OID4VP alongside OID4VCI. From my perspective, considering both specifications together could help us develop a more comprehensive understanding. Would you be interested in joining one of our OAuth SIG weekly meetings? If that’s not convenient, I would be more than happy to arrange a separate meeting at a time that suits you. If possible, could you also share your presentation slides and/or any sequence diagrams you may have for your various use cases? That would be extremely helpful for our discussions. Thank you again, and I look forward to your thoughts. Cc: @francis-pouatcha @mposolda @IngridPuppet @tdiesler @thomasdarimont @Captain-P-Goldfish @wistefan @babisRoutis
Hey @VinodAnandan I can participate next week (8.4.) and will prepare a few diagrams.
Hello!
As some of you may already know, I helped my customer develop an OpenID4VP extension, which I presented at Keycloak DevDay. After talking to @stianst at this conference, I wanted to open this discussion to talk about if and how some or all of it might be added to Keycloak Core.
The extension can be found here: https://github.com/ba-itsys/keycloak-extension-oid4vp
It obviously is in an early state but is already used successfully in the so-called "sandbox" testing environment from the German SPRIND (which provides the German version of the EUDI wallet).
One use case for this, outside of wallet authentication in Keycloak itself, is to allow other IdP implementations and OIDC-aware service providers to use the wallet with minimal changes. This is why we also open-sourced a "wallet-connector", which is basically an example config using the OID4VP extension: https://github.com/ba-itsys/eudi-wallet-connector
(One thing to note here: it relies on the `transient-users` experimental feature to not have to deal with user creation, which is not desirable when just acting as a "connector".)

The extension uses the SD-JWT support that Keycloak already provides (introduced with the VCI stuff) and also adds mDoc support (which is the second credential format every EUDI wallet verifier must understand).

It provides an `identity_provider` SPI implementation and a pair of `identity-provider-mapper` implementations that map the verified credential claims into the user session or user attributes. The mapper configuration is also used to generate the `DCQL` query automatically, which otherwise would be quite cumbersome to keep in sync.

It also runs successfully against the current set of OIDF conformance tests (which are still very limited though).
What are your thoughts?
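The post above describes deriving the DCQL query from the same mapper configuration that later maps verified claims into session notes or user attributes, so the two cannot drift apart. The following is an added illustration of that idea in plain Python; it is not code from the `keycloak-extension-oid4vp` project, and the mapper configuration shape (`credential`, `format`, `type`, `claim_path`, `target`) is a constructed assumption for this example. The DCQL field names (`credentials`, `id`, `format`, `meta.vct_values`, `meta.doctype_value`, `claims[].path`) follow the OpenID4VP DCQL structure; the sample claims are constructed.

```python
import json

# Constructed, hypothetical mapper configuration. Each entry declares which
# claim of which credential should end up in which user attribute. This shape
# is an assumption for the example, not the extension's real config format.
MAPPER_CONFIG = [
    {"credential": "pid", "format": "dc+sd-jwt", "type": "urn:eudi:pid:1",
     "claim_path": ["given_name"], "target": "firstName"},
    {"credential": "pid", "format": "dc+sd-jwt", "type": "urn:eudi:pid:1",
     "claim_path": ["family_name"], "target": "lastName"},
    # mDoc claims are addressed by [namespace, element identifier].
    {"credential": "mdl", "format": "mso_mdoc", "type": "org.iso.18013.5.1.mDL",
     "claim_path": ["org.iso.18013.5.1", "birth_date"], "target": "birthDate"},
]


def build_dcql_query(mappers):
    """Derive a DCQL query from the mapper config.

    Only the claims some mapper actually consumes are requested, which keeps
    the verifier's request minimal (data minimisation) and always in sync
    with the mapping side.
    """
    credentials = {}
    for m in mappers:
        entry = credentials.setdefault(m["credential"], {
            "id": m["credential"],
            "format": m["format"],
            # SD-JWT VC credentials are selected by vct, mdocs by doctype.
            "meta": ({"vct_values": [m["type"]]} if m["format"] == "dc+sd-jwt"
                     else {"doctype_value": m["type"]}),
            "claims": [],
        })
        claim = {"path": list(m["claim_path"])}
        if claim not in entry["claims"]:   # two mappers may share a claim
            entry["claims"].append(claim)
    return {"credentials": list(credentials.values())}


def map_claims(mappers, presented):
    """Apply the same config to the verified, disclosed claims.

    `presented` maps a DCQL credential id to the claims of the credential
    that was presented for it, already cryptographically verified upstream.
    Missing credentials or claims are simply skipped, never guessed.
    """
    attributes = {}
    for m in mappers:
        value = presented.get(m["credential"])
        for key in m["claim_path"]:
            if not isinstance(value, dict) or key not in value:
                value = None
                break
            value = value[key]
        if value is not None:
            attributes[m["target"]] = value
    return attributes


if __name__ == "__main__":
    print(json.dumps(build_dcql_query(MAPPER_CONFIG), indent=2))
    # Constructed sample of verified claims, keyed by DCQL credential id.
    sample = {
        "pid": {"given_name": "Erika", "family_name": "Mustermann"},
        "mdl": {"org.iso.18013.5.1": {"birth_date": "1990-01-01"}},
    }
    print(map_claims(MAPPER_CONFIG, sample))
```

Because both the request and the mapping are computed from one table, adding a mapper automatically extends the DCQL query, and removing one stops the verifier from asking the wallet for data it would no longer use.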