reformated the multiple credential issuance flow using a credential endpoint

Author: Ogenbertrand

services/src/main/java/org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint.java

@@ -296,20 +296,30 @@ private void checkScope(CredentialRequest credentialRequestVO) {
         if (vcIssuanceFlow == null || !vcIssuanceFlow.equals(PreAuthorizedCodeGrantTypeFactory.GRANT_TYPE)) {
             // Authorization Code Flow
             RealmModel realm = session.getContext().getRealm();
-            String credentialIdentifier = credentialRequestVO.getCredentialIdentifier();
-
-            String scope = realm.getAttribute("vc." + credentialIdentifier + ".scope");
-
             AccessToken accessToken = bearerTokenAuthenticator.authenticate().getToken();
-            if (scope == null || Arrays.stream(accessToken.getScope().split(" "))
-                    .noneMatch(tokenScope -> tokenScope.equals(scope))) {
-                LOGGER.debugf("Scope check failure: credentialIdentifier = %s, required scope = %s, scope in access token = %s.",
-                        credentialIdentifier, scope, accessToken.getScope());
-                throw new CorsErrorResponseException(cors,
-                        ErrorType.UNSUPPORTED_CREDENTIAL_TYPE.toString(),
-                        "Scope check failure",
-                        Response.Status.BAD_REQUEST);
-            } else {
+
+            // Get all credential identifiers from the request
+            List<String> credentialIdentifiers = credentialRequestVO.getCredentialSpecs() != null
+                    ? credentialRequestVO.getCredentialSpecs().stream()
+                    .map(CredentialRequest.CredentialSpec::getCredentialIdentifier)
+                    .filter(Objects::nonNull)
+                    .collect(Collectors.toList())
+                    : List.of(credentialRequestVO.getCredentialIdentifier());
+
+            for (String credentialIdentifier : credentialIdentifiers) {
+                if (credentialIdentifier == null) {
+                    continue; // Skip if no identifier is provided (e.g., format-based request)
+                }
+                String scope = realm.getAttribute("vc." + credentialIdentifier + ".scope");
+                if (scope == null || Arrays.stream(accessToken.getScope().split(" "))
+                        .noneMatch(tokenScope -> tokenScope.equals(scope))) {
+                    LOGGER.debugf("Scope check failure: credentialIdentifier = %s, required scope = %s, scope in access token = %s.",
+                            credentialIdentifier, scope, accessToken.getScope());
+                    throw new CorsErrorResponseException(cors,
+                            ErrorType.UNSUPPORTED_CREDENTIAL_TYPE.toString(),
+                            "Scope check failure for credential: " + credentialIdentifier,
+                            Response.Status.BAD_REQUEST);
+                }
                 LOGGER.debugf("Scope check success: credentialIdentifier = %s, required scope = %s, scope in access token = %s.",
                         credentialIdentifier, scope, accessToken.getScope());
             }
@@ -337,84 +347,94 @@ public Response requestCredential(CredentialRequest credentialRequestVO) {
             checkScope(credentialRequestVO);
         }
 
-        // Both Format and identifier are optional.
-        // If the credential_identifier is present, Format can't be present. But this implementation will
-        // tolerate the presence of both, waiting for clarity in specifications.
-        // This implementation will privilege the presence of the credential config identifier.
-        String requestedCredentialId = credentialRequestVO.getCredentialIdentifier();
-        String requestedFormat = credentialRequestVO.getFormat();
+        Map<String, SupportedCredentialConfiguration> supportedCredentials = OID4VCIssuerWellKnownProvider.getSupportedCredentials(this.session);
+        CredentialResponse responseVO = new CredentialResponse();
+
+        // Handle single or multiple credential specs
+        List<CredentialRequest.CredentialSpec> specs = credentialRequestVO.getCredentialSpecs() != null
+                ? credentialRequestVO.getCredentialSpecs()
+                : List.of(new CredentialRequest.CredentialSpec()
+                .setFormat(credentialRequestVO.getFormat())
+                .setCredentialIdentifier(credentialRequestVO.getCredentialIdentifier())
+                .setVct(credentialRequestVO.getVct())
+                .setCredentialDefinition(credentialRequestVO.getCredentialDefinition())
+                .setProof(credentialRequestVO.getProof()));
+
+        // Process each credential specification
+        List<CredentialResponse.CredentialEntry> credentials = specs.stream()
+                .map(spec -> {
+                    // Resolve credential configuration
+                    SupportedCredentialConfiguration config = resolveCredentialConfiguration(spec, supportedCredentials);
+
+                    // Single credential request for compatibility with existing getCredential method
+                    CredentialRequest singleRequest = new CredentialRequest()
+                            .setFormat(spec.getFormat())
+                            .setCredentialIdentifier(spec.getCredentialIdentifier())
+                            .setVct(spec.getVct())
+                            .setCredentialDefinition(spec.getCredentialDefinition())
+                            .setProof(spec.getProof());
+
+                    // Generate credential
+                    Object credential = getCredential(authResult, config, singleRequest);
+
+                    // Ensure format is supported
+                    if (!SUPPORTED_FORMATS.contains(spec.getFormat())) {
+                        throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
+                    }
 
-        // Check if at least one of both is available.
+                    return new CredentialResponse.CredentialEntry()
+                            .setFormat(spec.getFormat())
+                            .setCredential(credential);
+                })
+                .collect(Collectors.toList());
+
+        responseVO.setCredentials(credentials);
+        return Response.ok().entity(responseVO).build();
+    }
+
+    private SupportedCredentialConfiguration resolveCredentialConfiguration(CredentialRequest.CredentialSpec spec, Map<String, SupportedCredentialConfiguration> supportedCredentials) {
+        String requestedCredentialId = spec.getCredentialIdentifier();
+        String requestedFormat = spec.getFormat();
+
+        // Check if at least one of credential_identifier or format is provided
         if (requestedCredentialId == null && requestedFormat == null) {
             LOGGER.debugf("Missing both configuration id and requested format. At least one shall be specified.");
             throw new BadRequestException(getErrorResponse(ErrorType.MISSING_CREDENTIAL_CONFIG_AND_FORMAT));
         }
 
-        Map<String, SupportedCredentialConfiguration> supportedCredentials = OID4VCIssuerWellKnownProvider.getSupportedCredentials(this.session);
-
-        // Resolve from identifier first
-        SupportedCredentialConfiguration supportedCredentialConfiguration = null;
+        SupportedCredentialConfiguration config = null;
         if (requestedCredentialId != null) {
-            supportedCredentialConfiguration = supportedCredentials.get(requestedCredentialId);
-            if (supportedCredentialConfiguration == null) {
+            config = supportedCredentials.get(requestedCredentialId);
+            if (config == null) {
                 LOGGER.debugf("Credential with configuration id %s not found.", requestedCredentialId);
                 throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
             }
-            // Then for format. We know spec does not allow both parameter. But we are tolerant if you send both
-            // Was found by id, check that the format matches.
-            if (requestedFormat != null && !requestedFormat.equals(supportedCredentialConfiguration.getFormat())) {
-                LOGGER.debugf("Credential with configuration id %s does not support requested format %s, but supports %s.", requestedCredentialId, requestedFormat, supportedCredentialConfiguration.getFormat());
+            // Check format compatibility if provided
+            if (requestedFormat != null && !requestedFormat.equals(config.getFormat())) {
+                LOGGER.debugf("Credential with configuration id %s does not support requested format %s, but supports %s.",
+                        requestedCredentialId, requestedFormat, config.getFormat());
                 throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_FORMAT));
             }
         }
 
-        if (supportedCredentialConfiguration == null && requestedFormat != null) {
+        if (config == null && requestedFormat != null) {
             // Search by format
-            supportedCredentialConfiguration = getSupportedCredentialConfiguration(credentialRequestVO, supportedCredentials, requestedFormat);
-            if (supportedCredentialConfiguration == null) {
-                LOGGER.debugf("Credential with requested format %s, not supported.", requestedFormat);
+            config = getSupportedCredentialConfiguration(spec, supportedCredentials, requestedFormat);
+            if (config == null) {
+                LOGGER.debugf("Credential with requested format %s not supported.", requestedFormat);
                 throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_FORMAT));
             }
         }
 
-        CredentialResponse responseVO = new CredentialResponse();
-
-        // Handle multiple credentials if proofs are provided
-        List<Proof> proofs = credentialRequestVO.getProofs() != null ? credentialRequestVO.getProofs() : List.of();
-        if (proofs.isEmpty()) {
-            // Single credential request without proof
-            Object theCredential = getCredential(authResult, supportedCredentialConfiguration, credentialRequestVO);
-            if (SUPPORTED_FORMATS.contains(requestedFormat)) {
-                responseVO.setCredential(List.of(theCredential));
-            } else {
-                throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
-            }
-        } else {
-            // Multiple credential request with proofs
-            SupportedCredentialConfiguration finalSupportedCredentialConfiguration = supportedCredentialConfiguration;
-            List<Object> credentials = proofs.stream()
-                    .map(proof -> {
-                        CredentialRequest singleProofRequest = new CredentialRequest()
-                                .setFormat(credentialRequestVO.getFormat())
-                                .setCredentialIdentifier(credentialRequestVO.getCredentialIdentifier())
-                                .setVct(credentialRequestVO.getVct())
-                                .setCredentialDefinition(credentialRequestVO.getCredentialDefinition())
-                                .setProof(proof);
-                        return getCredential(authResult, finalSupportedCredentialConfiguration, singleProofRequest);
-                    })
-                    .collect(Collectors.toList());
-            if (SUPPORTED_FORMATS.contains(requestedFormat)) {
-                responseVO.setCredential(credentials);
-            } else {
-                throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
-            }
+        if (config == null) {
+            throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
         }
 
-        return Response.ok().entity(responseVO).build();
+        return config;
     }
 
-    private SupportedCredentialConfiguration getSupportedCredentialConfiguration(CredentialRequest credentialRequestVO, Map<String, SupportedCredentialConfiguration> supportedCredentials, String requestedFormat) {
-        // 1. Format resolver
+    private SupportedCredentialConfiguration getSupportedCredentialConfiguration(CredentialRequest.CredentialSpec spec, Map<String, SupportedCredentialConfiguration> supportedCredentials, String requestedFormat) {
+        // Filter by format
         List<SupportedCredentialConfiguration> configs = supportedCredentials.values().stream()
                 .filter(supportedCredential -> Objects.equals(supportedCredential.getFormat(), requestedFormat))
                 .collect(Collectors.toList());
@@ -425,14 +445,14 @@ private SupportedCredentialConfiguration getSupportedCredentialConfiguration(Cre
             case SD_JWT_VC:
                 // Resolve from vct for sd-jwt
                 matchingConfigs = configs.stream()
-                        .filter(supportedCredential -> Objects.equals(supportedCredential.getVct(), credentialRequestVO.getVct()))
+                        .filter(supportedCredential -> Objects.equals(supportedCredential.getVct(), spec.getVct()))
                         .collect(Collectors.toList());
                 break;
             case JWT_VC:
             case LDP_VC:
-                // Will detach this when each format provides logic on how to resolve from definition.
+                // Resolve from credential_definition
                 matchingConfigs = configs.stream()
-                        .filter(supportedCredential -> Objects.equals(supportedCredential.getCredentialDefinition(), credentialRequestVO.getCredentialDefinition()))
+                        .filter(supportedCredential -> Objects.equals(supportedCredential.getCredentialDefinition(), spec.getCredentialDefinition()))
                         .collect(Collectors.toList());
                 break;
             default:
@@ -587,6 +607,17 @@ private Response getErrorResponse(ErrorType errorType) {
                 .build();
     }
 
+    private Response getErrorResponse(ErrorType errorType, String errorDescription) {
+        var errorResponse = new ErrorResponse();
+        errorResponse.setError(errorType);
+        errorResponse.setErrorDescription(errorDescription);
+        return Response
+                .status(Response.Status.BAD_REQUEST)
+                .entity(errorResponse)
+                .type(MediaType.APPLICATION_JSON)
+                .build();
+    }
+
     private ClientModel getClient(String clientId) {
         return session.clients().getClientByClientId(session.getContext().getRealm(), clientId);
     }

services/src/main/java/org/keycloak/protocol/oid4vc/model/CredentialRequest.java

@@ -33,6 +33,10 @@
 @JsonInclude(JsonInclude.Include.NON_NULL)
 public class CredentialRequest {
 
+    @JsonProperty("credential_specs")
+    private List<CredentialSpec> credentialSpecs;
+
+    // Backward compatibility fields for single credential requests
     private String format;
 
     @JsonProperty("credential_identifier")
@@ -54,6 +58,81 @@ public class CredentialRequest {
     @JsonProperty("credential_definition")
     private CredentialDefinition credentialDefinition;
 
+    // New class to represent a single credential specification
+    public static class CredentialSpec {
+        private String format;
+
+        @JsonProperty("credential_identifier")
+        private String credentialIdentifier;
+
+        private String vct;
+
+        @JsonProperty("credential_definition")
+        private CredentialDefinition credentialDefinition;
+
+        @JsonProperty("proof")
+        @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "proof_type")
+        @JsonSubTypes({
+                @JsonSubTypes.Type(value = JwtProof.class, name = ProofType.JWT),
+                @JsonSubTypes.Type(value = LdpVpProof.class, name = ProofType.LD_PROOF)
+        })
+        private Proof proof;
+
+        public String getFormat() {
+            return format;
+        }
+
+        public CredentialSpec setFormat(String format) {
+            this.format = format;
+            return this;
+        }
+
+        public String getCredentialIdentifier() {
+            return credentialIdentifier;
+        }
+
+        public CredentialSpec setCredentialIdentifier(String credentialIdentifier) {
+            this.credentialIdentifier = credentialIdentifier;
+            return this;
+        }
+
+        public String getVct() {
+            return vct;
+        }
+
+        public CredentialSpec setVct(String vct) {
+            this.vct = vct;
+            return this;
+        }
+
+        public CredentialDefinition getCredentialDefinition() {
+            return credentialDefinition;
+        }
+
+        public CredentialSpec setCredentialDefinition(CredentialDefinition credentialDefinition) {
+            this.credentialDefinition = credentialDefinition;
+            return this;
+        }
+
+        public Proof getProof() {
+            return proof;
+        }
+
+        public CredentialSpec setProof(Proof proof) {
+            this.proof = proof;
+            return this;
+        }
+    }
+
+    public List<CredentialSpec> getCredentialSpecs() {
+        return credentialSpecs;
+    }
+
+    public CredentialRequest setCredentialSpecs(List<CredentialSpec> credentialSpecs) {
+        this.credentialSpecs = credentialSpecs;
+        return this;
+    }
+
     public String getFormat() {
         return format;
     }
@@ -72,21 +151,18 @@ public CredentialRequest setCredentialIdentifier(String credentialIdentifier) {
         return this;
     }
 
-    public List<Proof> getProofs() {
-        return proofs;
-    }
-
-    public CredentialRequest setProofs(List<Proof> proofs) {
-        this.proofs = proofs;
-        return this;
-    }
-
-    // Backward compatibility for single proof
+    // Backward compatibility for single proof, ensuring only one proof is used for single credential requests
     public Proof getProof() {
+        if (proofs != null && proofs.size() > 1) {
+            throw new IllegalStateException("Multiple proofs are not supported for single credential requests in backward compatibility mode");
+        }
         return proofs != null && !proofs.isEmpty() ? proofs.get(0) : null;
     }
 
     public CredentialRequest setProof(Proof proof) {
+        if (proof != null && this.proofs != null && !this.proofs.isEmpty()) {
+            throw new IllegalStateException("Cannot set single proof when proofs list is already set");
+        }
         this.proofs = proof != null ? List.of(proof) : null;
         return this;
     }