[OID4VCI-HAIP] Pass oid4vci-1_0-issuer-metadata_test #47190

Merged
mposolda merged 1 commit into keycloak:main from tdiesler:ghi47150
Apr 10, 2026
Contributor

@tdiesler tdiesler commented Mar 16, 2026

closes #47150

The Client Attester is supposed to be an external component that the AS can trust and that the Wallet accesses to get a "Client Attestation JWT". As such, it should really be provided by the OpenID Foundation Conformance Suite, so that their mock Wallet can connect to some mock Client Attester - this however is not the case.

Instead, this PR provides a basic Client Attester to unblock HAIP conformance testing.
The PR also adds an AttestationBasedClientAuthenticator which currently does nothing but inform the OpenID Metadata Provider that attest_jwt_client_auth is (going to be) supported.

This is enough to pass the oid4vci-1_0-issuer-metadata-test and is simply the first PR in a long series of HAIP conformance test related changes.

depends on

  1. [OID4VCI] Migrate OID4VCIssuerWellKnownProviderTest #47313

@tdiesler tdiesler requested a review from a team as a code owner March 16, 2026 13:53
@tdiesler tdiesler changed the title [OID4VCI-HAIP] Fix oid4vci-1_0-issuer-metadata-test [OID4VCI-HAIP] Pass conformance for oid4vci-1_0-issuer-metadata Mar 16, 2026
@tdiesler tdiesler changed the title [OID4VCI-HAIP] Pass conformance for oid4vci-1_0-issuer-metadata [OID4VCI-HAIP] Pass oid4vci-1_0-issuer-metadata_test Mar 16, 2026
@tdiesler tdiesler force-pushed the ghi47150 branch 2 times, most recently from d1266d0 to 5ceeaac Compare March 16, 2026 15:01
@tdiesler tdiesler marked this pull request as draft March 17, 2026 07:00
@tdiesler tdiesler marked this pull request as ready for review March 17, 2026 07:29
@tdiesler tdiesler requested review from a team as code owners March 17, 2026 07:29
@tdiesler tdiesler force-pushed the ghi47150 branch 2 times, most recently from 67da1db to d26a680 Compare March 17, 2026 09:35
@tdiesler tdiesler marked this pull request as draft March 18, 2026 06:58
@tdiesler tdiesler marked this pull request as ready for review March 19, 2026 12:27

@keycloak-github-bot keycloak-github-bot Bot left a comment

Unreported flaky test detected, please review

@keycloak-github-bot
Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#writableEditModeTest

Keycloak CI - Java Distribution IT (windows-latest - temurin - 21)

java.lang.AssertionError
	at org.junit.Assert.fail(Assert.java:87)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertTrue(Assert.java:53)
	at org.keycloak.testsuite.federation.kerberos.KerberosLdapTest.writableEditModeTest(KerberosLdapTest.java:227)
...

org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#usernamePasswordLoginTest

Keycloak CI - Java Distribution IT (windows-latest - temurin - 21)

java.lang.AssertionError
	at org.junit.Assert.fail(Assert.java:87)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertTrue(Assert.java:53)
	at org.keycloak.testsuite.federation.kerberos.AbstractKerberosSingleRealmTest.usernamePasswordLoginTest(AbstractKerberosSingleRealmTest.java:139)
...

@tdiesler tdiesler force-pushed the ghi47150 branch 2 times, most recently from 3c69f29 to 7337612 Compare March 19, 2026 14:24
@tdiesler tdiesler requested a review from a team as a code owner March 19, 2026 14:24
@tdiesler tdiesler force-pushed the ghi47150 branch 2 times, most recently from e123647 to d250a29 Compare March 20, 2026 10:35
@tdiesler tdiesler force-pushed the ghi47150 branch 5 times, most recently from 1dea909 to e7cf351 Compare March 25, 2026 11:57
@tdiesler tdiesler force-pushed the ghi47150 branch 3 times, most recently from d976f86 to 521e517 Compare March 25, 2026 14:54
@tdiesler tdiesler force-pushed the ghi47150 branch 3 times, most recently from d963717 to 6dca051 Compare March 25, 2026 19:22
@keycloak-github-bot
Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.broker.KcOidcBrokerTest#loginWithExistingUserWithBruteForceEnabled

Keycloak CI - Java Distribution IT (windows-latest - temurin - 21)

org.openqa.selenium.TimeoutException: 
Expected condition failed: waiting for value to contain (ignoring case) "sign in to". Current value: "AUTH_RESPONSE" (tried for 5 second(s) with 500 milliseconds interval)
Build info: version: '4.28.1', revision: '73f5ad48a2'
System info: os.name: 'Windows Server 2025', os.arch: 'amd64', os.version: '10.0', java.version: '21.0.10'
Driver info: org.jboss.arquillian.drone.webdriver.htmlunit.DroneHtmlUnitDriver_ByGraphene
...

@keycloak-github-bot keycloak-github-bot Bot left a comment

Unreported flaky test detected, please review

@tdiesler tdiesler force-pushed the ghi47150 branch 9 times, most recently from ee71d52 to 9c9f8e6 Compare March 27, 2026 11:50
Contributor

@forkimenjeckayang forkimenjeckayang left a comment

Thank you for considering my comments. I have no further concerns

Contributor Author

tdiesler commented Apr 7, 2026

Is this waiting on anything?

Contributor

@mposolda mposolda left a comment

@tdiesler Thanks for the PR and sorry for the late review :-/

LGTM, just added one minor comment regarding the feature name. Is it ok with you to rename the feature?

It is not ideal to add the "non working" client authenticator just because of the metadata, but understand the reason to unblock the other tests etc... So should be OK considering that it is an experimental feature and the proper implementation would be added later.

PERSISTENT_USER_SESSIONS("Persistent online user sessions across restarts and upgrades", Type.DEFAULT, FeatureUpdatePolicy.SHUTDOWN),

OID4VC_VCI("Support for the OID4VCI protocol as part of OID4VC.", Type.EXPERIMENTAL),
OID4VC_VCI_ABCA("Support for Attestation-Based Client Authentication", Type.EXPERIMENTAL, OID4VC_VCI),
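
Review bot: The description string on the OID4VC_VCI_ABCA line, "Support for Attestation-Based Client Authentication", reads as working support, while the PR description says the authenticator currently does nothing but tell the metadata provider that attest_jwt_client_auth is going to be supported. Consider wording the description so it says that only the metadata advertisement is in place and the authentication itself is not implemented yet, so that someone enabling this experimental feature does not assume clients are actually being authenticated by attestation.
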
Contributor

Minor: This feature is not specific to OID4VCI, as attestation-based client authentication does not have a direct dependency on OID4VCI. Is it perhaps possible to rename it to something like CLIENT_AUTH_ABCA? (As we already have the feature CLIENT_AUTH_FEDERATED, which adds a client authenticator, and this feature is a bit similar to that.)

Contributor Author

sure - done

Contributor

mposolda commented Apr 9, 2026

@tdiesler @forkimenjeckayang FYI. commented on the discussion here regarding ABCA #40413 (comment) (This is not related to this PR, but not sure where is the best place to discuss this, so just commenting here for your info :-) ).

Contributor

@mposolda mposolda left a comment

@tdiesler Thanks!

Development

Successfully merging this pull request may close these issues.

[OID4VCI-HAIP] Pass oid4vci-1_0-issuer-metadata-test

3 participants