Merged
Expand Up @@ -550,12 +550,30 @@ public AuthorizationEndpointRequest scope(String... scopes) {
return this;
}

public void openLoginForm() {
public boolean openLoginForm() {
loginForm.open();
String currUrl = oauth.getDriver().getCurrentUrl();
return currUrl != null && !currUrl.contains("error=") && !currUrl.contains("error_description=");
}

public AuthorizationEndpointRequest fillLoginForm(String username, String password) {
oauth.fillLoginForm(username, password);
return this;
}

public AuthorizationEndpointResponse parseLoginResponse() {
return oauth.parseLoginResponse();
}

public AuthorizationEndpointResponse send(String username, String password) {
return loginForm.doLogin(username, password);
openLoginForm();
fillLoginForm(username, password);
return parseLoginResponse();
}

public AuthorizationEndpointResponse send() {
openLoginForm();
return parseLoginResponse();
}
}
}
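Review bot: `send(String username, String password)` discards the boolean that `openLoginForm()` now returns, so when the server answers the authorization request with an error redirect the method still calls `fillLoginForm` on a page that presumably has no login form. A negative test would then fail on form filling rather than on the OAuth error; consider `if (!openLoginForm()) { return parseLoginResponse(); }`, or throw an `IllegalStateException` if the composite call is meant only for the case where a form is shown. The check itself is a substring match on the whole URL, so an `error=` inside another parameter's value (a `state` or `redirect_uri`, for instance) would also be reported as a failure; comparing parsed query parameter names would be stricter. A one-line Javadoc on `openLoginForm()` saying what `true` and `false` mean would help, since the method name does not suggest a result.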
Expand Up @@ -27,6 +27,7 @@
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
import org.keycloak.tests.oid4vc.OID4VCBasicWallet.AuthorizationEndpointRequest;
import org.keycloak.tests.oid4vc.OID4VCIssuerTestBase.VCTestServerConfig;
import org.keycloak.testsuite.util.oauth.AccessTokenResponse;
import org.keycloak.testsuite.util.oauth.AuthorizationEndpointResponse;
Expand All @@ -39,6 +40,7 @@
import static org.keycloak.OID4VCConstants.OPENID_CREDENTIAL;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;

Expand Down Expand Up @@ -124,8 +126,12 @@ public void testAuthorizationRequestNoPkce() {

// Send AuthorizationRequest without required PKCE
//
oauth.loginForm().scope(ctx.getScope()).open();
AuthorizationEndpointResponse authResponse = oauth.parseLoginResponse();
AuthorizationEndpointRequest authRequest = wallet
.authorizationRequest()
.scope(ctx.getScope());

assertFalse(authRequest.openLoginForm(), "Error expected");
AuthorizationEndpointResponse authResponse = authRequest.parseLoginResponse();

assertNull(authResponse.getCode(), "Expected no auth code");
assertEquals("invalid_request", authResponse.getError());
Expand Up @@ -192,12 +192,10 @@ private void runAuthorizationDetailsTest(

try {
AuthorizationEndpointRequest authRequest = authRequestSupplier.get();
authRequest.openLoginForm();
String currUrl = oauth.getDriver().getCurrentUrl();
if (currUrl != null && !currUrl.contains("error=") && !currUrl.contains("error_description=")) {
oauth.fillLoginForm(ctx.getHolder(), TEST_PASSWORD);
if (authRequest.openLoginForm()) {
authRequest.fillLoginForm(ctx.getHolder(), TEST_PASSWORD);
}
AuthorizationEndpointResponse authResponse = oauth.parseLoginResponse();
AuthorizationEndpointResponse authResponse = authRequest.parseLoginResponse();
if (authResponse.getError() != null)
throw new IllegalStateException(authResponse.getErrorDescription());

Expand Up @@ -130,6 +130,29 @@ protected void initRequest() {
}
}

/**
* Composite login method for the Authorization Code Flow
*
* <ol>
* <li>It builds and opens the authorization request url</li>
* <li>Fills the login form with user credentials (i.e. username, password)</li>
* <li>Parses the authorization response</li>
* </ol>
*
* This method is intended to be used only for the purpose of the basic login flow when the server is expected to open a login form.
*
* For more complex scenarios like:
* <ul>
* <li>SSO login (user being automatically authenticated without the need to provide a username/password</li>
* <li>Automatic redirect to the client with the error as result of an invalid authorization request</li>
* <li>The call not being redirected back to the client either due to an incorrect username/password or some other screen being displayed</li>
* </ul>
*
* calls to level API will be needed.
*
* In short, the caller should always know whether they expect a login-form to be shown or not.
* For details, there is <a href="https://github.com/keycloak/keycloak/discussions/48308">this discussion</a>.
*/
public AuthorizationEndpointResponse doLogin(String username, String password) {
open();
client.fillLoginForm(username, password);
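Review bot: The Javadoc added above `doLogin` has a sentence that reads as if a word was dropped, `calls to level API will be needed`; presumably it means the lower-level calls (open the form, fill it, parse the response), and naming those methods with `{@link}` would tell the reader where to go. The first `<li>` of the second list opens a parenthesis that is never closed. The paragraphs are separated only by blank ` *` lines, which the Javadoc tool joins into one run of text unless each starts with `<p>`. The body of `doLogin` continues outside the hunk.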