Package org.keycloak.models.oid4vci
Class CredentialScopeModel
java.lang.Object
org.keycloak.models.oid4vci.CredentialScopeModel
- All Implemented Interfaces:
ClientScopeModel,OrderedModel,ProtocolMapperContainerModel,ScopeContainerModel
This class acts as delegate for a
ClientScopeModel implementation and adds additional functionality for
OpenId4VC credentials- Author:
- Pascal Knüppel
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.keycloak.models.ClientScopeModel
ClientScopeModel.ClientScopeCreatedEvent, ClientScopeModel.ClientScopeRemovedEventNested classes/interfaces inherited from interface org.keycloak.models.OrderedModel
OrderedModel.OrderedModelComparator<OM extends OrderedModel> -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final Stringstatic final StringOPTIONAL.static final StringOPTIONAL.static final Stringan optional configuration that can be used to select a specific hash algorithmstatic final Stringstatic final Stringan optional attribute that tells us which attributes should be added into the SD-JWT body.static final Stringstatic final Stringthis attribute holds the 'typ' value that will be added into the JWS header of the credential.static final Stringstatic final Stringthe credential configuration id as provided in the metadata endpointstatic final Stringthe value that is entered into the "@contexts"-attribute of a verifiable credentialstatic final Stringif the credential is only meant for specific cryptographic binding algorithms the global default list can be overridden here.static final Stringan optional attribute for the metadata endpointstatic final Stringstatic final Integerstatic final Stringstatic final Stringstatic final Stringstatic final Stringthis configuration property can be used to enforce specific claims to be included in the metadata, if they would normally not and vice versastatic final Stringstatic final StringOPTIONAL.static final StringOPTIONAL.static final StringOPTIONAL.static final Stringthis attribute holds a customizable value for the number of decoys to use in a SD-JWT credentialstatic final Integerstatic final StringThe credential signature algorithm.static final Stringan optional configuration that can be used to select a specific key for signing the credentialstatic final Stringthe value that is added into the "types"-attribute of a verifiable credentialstatic final StringFields inherited from interface org.keycloak.models.ClientScopeModel
CONSENT_SCREEN_TEXT, DISPLAY_ON_CONSENT_SCREEN, DYNAMIC_SCOPE_REGEXP, GUI_ORDER, INCLUDE_IN_OPENID_PROVIDER_METADATA, INCLUDE_IN_TOKEN_SCOPE, IS_DYNAMIC_SCOPE, VALUE_SEPARATOR -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionvoidaddScopeMapping(RoleModel role) voiddeleteScopeMapping(RoleModel role) getAttribute(String name) getId()getName()getProtocolMapperByName(String protocol, String name) Returns protocol mappers as a stream.getRealm()From the scope mappings returned byScopeContainerModel.getScopeMappingsStream()returns only those that belong to the realm that owns this scope container.The list of proof types that are required for this credential configuration when binding is required.getScope()Returns scope mappings for this scope container as a stream.getVct()booleanhasDirectScope(RoleModel role) Returnstrue, if this object has the given role directly in its scope.booleanReturnstrue, if this object has the given role directly or indirectly in its scope,falseotherwise.booleanWhether cryptographic holder binding is required for this credential configuration.booleanbooleanbooleanbooleanvoidremoveAttribute(String name) voidremoveProtocolMapper(ProtocolMapperModel mapping) voidsetAttribute(String name, String value) voidsetBindingRequired(boolean required) voidsetBuildConfigHashAlgorithm(String hashAlgorithm) voidsetBuildConfigSdJwtVisibleClaims(String sdJwtVisibleClaims) voidsetBuildConfigSdJwtVisibleClaims(List<String> sdJwtVisibleClaims) voidsetBuildConfigTokenJwsType(String tokenJwsType) voidsetConsentScreenText(String consentScreenText) voidsetCredentialConfigurationId(String credentialConfigurationId) voidsetCredentialIdentifier(String credentialIdentifier) voidsetCryptographicBindingMethods(String cryptographicBindingMethods) voidsetCryptographicBindingMethods(List<String> cryptographicBindingMethods) voidsetDescription(String description) voidsetDisplayOnConsentScreen(boolean displayOnConsentScreen) voidsetExpiryInSeconds(Integer expiryInSeconds) voidvoidsetGuiOrder(String guiOrder) voidsetIncludeInTokenScope(boolean includeInTokenScope) voidsetIsDynamicScope(boolean isDynamicScope) voidsetIssuerDid(String issuerDid) voidsetKeyAttestationRequired(boolean keyAttestationRequired) voidvoidsetProtocol(String protocol) voidsetRequiredKeyAttestationKeyStorage(List<String> keyStorage) voidsetRequiredKeyAttestationUserAuthentication(List<String> userAuthentication) voidsetRequiredProofTypes(List<String> proofTypes) voidsetSdJwtNumberOfDecoys(Integer sdJwtNumberOfDecoys) voidsetSigningAlg(String signingAlg) voidsetSigningKeyId(String signingKeyId) voidsetSupportedCredentialTypes(String supportedCredentialTypes) voidsetSupportedCredentialTypes(List<String> supportedCredentialTypes) voidsetVcContexts(String vcContexts) voidsetVcContexts(List<String> vcContexts) voidsetVcDisplay(String vcDisplay) voidvoidupdateProtocolMapper(ProtocolMapperModel mapping) Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.keycloak.models.ClientScopeModel
isIncludeInOpenIDProviderMetadata, setIncludeInOpenIDProviderMetadata
-
Field Details
-
CRYPTOGRAPHIC_BINDING_METHODS_DEFAULT
- See Also:
-
VC_BUILD_CONFIG_HASH_ALGORITHM_DEFAULT
- See Also:
-
VC_BUILD_CONFIG_SD_JWT_VISIBLE_CLAIMS_DEFAULT
- See Also:
-
VC_BUILD_CONFIG_TOKEN_JWS_TYPE_DEFAULT
- See Also:
-
VC_EXPIRY_IN_SECONDS_DEFAULT
-
VC_FORMAT_DEFAULT
- See Also:
-
VC_SD_JWT_NUMBER_OF_DECOYS_DEFAULT
-
VC_CONFIGURATION_ID
the credential configuration id as provided in the metadata endpoint- See Also:
-
VC_IDENTIFIER
- See Also:
-
VC_FORMAT
- See Also:
-
VC_EXPIRY_IN_SECONDS
- See Also:
-
VC_ISSUER_DID
- See Also:
-
VCT
- See Also:
-
VC_SUPPORTED_TYPES
the value that is added into the "types"-attribute of a verifiable credential- See Also:
-
VC_CONTEXTS
the value that is entered into the "@contexts"-attribute of a verifiable credential- See Also:
-
VC_SIGNING_ALG
The credential signature algorithm. If it is not configured, then the realm active key is used to sign the verifiable credential- See Also:
-
VC_CRYPTOGRAPHIC_BINDING_METHODS
if the credential is only meant for specific cryptographic binding algorithms the global default list can be overridden here. The global default list is retrieved from the available keys in the realm.- See Also:
-
VC_SIGNING_KEY_ID
an optional configuration that can be used to select a specific key for signing the credential- See Also:
-
VC_DISPLAY
an optional attribute for the metadata endpoint- See Also:
-
VC_SD_JWT_NUMBER_OF_DECOYS
this attribute holds a customizable value for the number of decoys to use in a SD-JWT credential- See Also:
-
VC_BUILD_CONFIG_SD_JWT_VISIBLE_CLAIMS
an optional attribute that tells us which attributes should be added into the SD-JWT body.- See Also:
-
VC_BUILD_CONFIG_HASH_ALGORITHM
an optional configuration that can be used to select a specific hash algorithm- See Also:
-
VC_BUILD_CONFIG_TOKEN_JWS_TYPE
this attribute holds the 'typ' value that will be added into the JWS header of the credential.- See Also:
-
VC_INCLUDE_IN_METADATA
this configuration property can be used to enforce specific claims to be included in the metadata, if they would normally not and vice versa- See Also:
-
VC_KEY_ATTESTATION_REQUIRED
OPTIONAL. Object that describes the requirement for key attestations as described in Appendix D, which the Credential Issuer expects the Wallet to send within the proof(s) of the Credential Request. If the Credential Issuer does not require a key attestation, this parameter MUST NOT be present in the metadata. If both key_storage and user_authentication parameters are absent, the key_attestations_required parameter may be empty, indicating a key attestation is needed without additional constraints.- See Also:
-
VC_KEY_ATTESTATION_REQUIRED_KEY_STORAGE
OPTIONAL. A non-empty array defining values specified in Appendix D.2 accepted by the Credential Issuer.- See Also:
-
VC_KEY_ATTESTATION_REQUIRED_USER_AUTH
OPTIONAL. A non-empty array defining values specified in Appendix D.2 accepted by the Credential Issuer.- See Also:
-
VC_BINDING_REQUIRED
OPTIONAL. Flag that indicates whether cryptographic holder binding is REQUIRED for this credential configuration. If this flag is not set or set to false, the issuer metadata MUST omit thecryptographic_binding_methods_supportedandproof_types_supportedparameters for this configuration, meaning the wallet is not required to provide cryptographic key material or proofs.If true, the issuer metadata MUST include those parameters and the issuer MUST enforce the corresponding proof types during credential issuance, as per OID4VCI Section 12.2.4.
- See Also:
-
VC_BINDING_REQUIRED_PROOF_TYPES
OPTIONAL. Comma-separated list of proof types that are REQUIRED for this credential configuration whenVC_BINDING_REQUIREDis set to true. Example:"jwt,attestation".If
VC_BINDING_REQUIREDis false or this attribute is empty/absent, no proof types are required and metadata MUST omitcryptographic_binding_methods_supportedandproof_types_supported.- See Also:
-
-
Constructor Details
-
CredentialScopeModel
-
-
Method Details
-
getIssuerDid
-
setIssuerDid
-
getScope
-
getCredentialConfigurationId
-
setCredentialConfigurationId
-
getCredentialIdentifier
-
setCredentialIdentifier
-
getFormat
-
setFormat
-
getExpiryInSeconds
-
setExpiryInSeconds
-
getSdJwtNumberOfDecoys
-
setSdJwtNumberOfDecoys
-
getVct
-
setVct
-
getBuildConfigTokenJwsType
-
setBuildConfigTokenJwsType
-
getSigningKeyId
-
setSigningKeyId
-
getBuildConfigHashAlgorithm
-
setBuildConfigHashAlgorithm
-
getSupportedCredentialTypes
-
setSupportedCredentialTypes
-
setSupportedCredentialTypes
-
getVcContexts
-
setVcContexts
-
setVcContexts
-
getSigningAlg
-
setSigningAlg
-
getCryptographicBindingMethods
-
setCryptographicBindingMethods
-
setCryptographicBindingMethods
-
getBuildConfigSdJwtVisibleClaims
-
setBuildConfigSdJwtVisibleClaims
-
setBuildConfigSdJwtVisibleClaims
-
getVcDisplay
-
setVcDisplay
-
isBindingRequired
public boolean isBindingRequired()Whether cryptographic holder binding is required for this credential configuration. -
setBindingRequired
public void setBindingRequired(boolean required) -
getRequiredProofTypes
The list of proof types that are required for this credential configuration when binding is required. Returns an empty list if none are configured. -
setRequiredProofTypes
-
isKeyAttestationRequired
public boolean isKeyAttestationRequired() -
setKeyAttestationRequired
public void setKeyAttestationRequired(boolean keyAttestationRequired) -
getRequiredKeyAttestationKeyStorage
-
setRequiredKeyAttestationKeyStorage
-
getRequiredKeyAttestationUserAuthentication
-
setRequiredKeyAttestationUserAuthentication
-
getId
- Specified by:
getIdin interfaceClientScopeModel
-
getName
- Specified by:
getNamein interfaceClientScopeModel
-
setName
- Specified by:
setNamein interfaceClientScopeModel
-
getRealm
- Specified by:
getRealmin interfaceClientScopeModel
-
getDescription
- Specified by:
getDescriptionin interfaceClientScopeModel
-
setDescription
- Specified by:
setDescriptionin interfaceClientScopeModel
-
getProtocol
- Specified by:
getProtocolin interfaceClientScopeModel
-
setProtocol
- Specified by:
setProtocolin interfaceClientScopeModel
-
setAttribute
- Specified by:
setAttributein interfaceClientScopeModel
-
removeAttribute
- Specified by:
removeAttributein interfaceClientScopeModel
-
getAttribute
- Specified by:
getAttributein interfaceClientScopeModel
-
getAttributes
- Specified by:
getAttributesin interfaceClientScopeModel
-
isDisplayOnConsentScreen
public boolean isDisplayOnConsentScreen()- Specified by:
isDisplayOnConsentScreenin interfaceClientScopeModel
-
setDisplayOnConsentScreen
public void setDisplayOnConsentScreen(boolean displayOnConsentScreen) - Specified by:
setDisplayOnConsentScreenin interfaceClientScopeModel
-
getConsentScreenText
- Specified by:
getConsentScreenTextin interfaceClientScopeModel
-
setConsentScreenText
- Specified by:
setConsentScreenTextin interfaceClientScopeModel
-
getGuiOrder
- Specified by:
getGuiOrderin interfaceClientScopeModel- Specified by:
getGuiOrderin interfaceOrderedModel
-
setGuiOrder
- Specified by:
setGuiOrderin interfaceClientScopeModel
-
isIncludeInTokenScope
public boolean isIncludeInTokenScope()- Specified by:
isIncludeInTokenScopein interfaceClientScopeModel
-
setIncludeInTokenScope
public void setIncludeInTokenScope(boolean includeInTokenScope) - Specified by:
setIncludeInTokenScopein interfaceClientScopeModel
-
isDynamicScope
public boolean isDynamicScope()- Specified by:
isDynamicScopein interfaceClientScopeModel
-
setIsDynamicScope
public void setIsDynamicScope(boolean isDynamicScope) - Specified by:
setIsDynamicScopein interfaceClientScopeModel
-
getDynamicScopeRegexp
- Specified by:
getDynamicScopeRegexpin interfaceClientScopeModel
-
getOid4vcProtocolMappersStream
-
getProtocolMappersStream
Description copied from interface:ProtocolMapperContainerModelReturns protocol mappers as a stream.- Specified by:
getProtocolMappersStreamin interfaceProtocolMapperContainerModel- Returns:
- Stream of protocol mapper. Never returns
null.
-
addProtocolMapper
- Specified by:
addProtocolMapperin interfaceProtocolMapperContainerModel
-
removeProtocolMapper
- Specified by:
removeProtocolMapperin interfaceProtocolMapperContainerModel
-
updateProtocolMapper
- Specified by:
updateProtocolMapperin interfaceProtocolMapperContainerModel
-
getProtocolMapperById
- Specified by:
getProtocolMapperByIdin interfaceProtocolMapperContainerModel
-
getProtocolMapperByType
- Specified by:
getProtocolMapperByTypein interfaceProtocolMapperContainerModel
-
getProtocolMapperByName
- Specified by:
getProtocolMapperByNamein interfaceProtocolMapperContainerModel
-
getScopeMappingsStream
Description copied from interface:ScopeContainerModelReturns scope mappings for this scope container as a stream.- Specified by:
getScopeMappingsStreamin interfaceScopeContainerModel- Returns:
- Stream of
RoleModel. Never returnsnull.
-
getRealmScopeMappingsStream
Description copied from interface:ScopeContainerModelFrom the scope mappings returned byScopeContainerModel.getScopeMappingsStream()returns only those that belong to the realm that owns this scope container.- Specified by:
getRealmScopeMappingsStreamin interfaceScopeContainerModel- Returns:
- stream of
RoleModel. Never returnsnull.
-
addScopeMapping
- Specified by:
addScopeMappingin interfaceScopeContainerModel
-
deleteScopeMapping
- Specified by:
deleteScopeMappingin interfaceScopeContainerModel
-
hasDirectScope
Description copied from interface:ScopeContainerModelReturnstrue, if this object has the given role directly in its scope.- Specified by:
hasDirectScopein interfaceScopeContainerModel- Parameters:
role- the role- Returns:
- see description
- See Also:
-
hasScope
Description copied from interface:ScopeContainerModelReturnstrue, if this object has the given role directly or indirectly in its scope,falseotherwise.- Specified by:
hasScopein interfaceScopeContainerModel- Parameters:
role- the role- Returns:
- see description
- See Also:
-