Class OID4VCIssuerWellKnownProvider

java.lang.Object
org.keycloak.protocol.oid4vc.issuance.OID4VCIssuerWellKnownProvider
All Implemented Interfaces:
Provider, WellKnownProvider

public class OID4VCIssuerWellKnownProvider extends Object implements WellKnownProvider
WellKnownProvider implementation that serves the .well-known/openid-credential-issuer endpoint, offering the Credential Issuer Metadata as defined by the OID4VCI protocol.
Author:
Stefan Wiedemann
  • Field Details

  • Constructor Details

    • OID4VCIssuerWellKnownProvider

      public OID4VCIssuerWellKnownProvider(KeycloakSession keycloakSession)
  • Method Details

    • close

      public void close()
      Specified by:
      close in interface Provider
    • getConfig

      public Object getConfig()
      Specified by:
      getConfig in interface WellKnownProvider
    • getIssuerMetadata

      public CredentialIssuer getIssuerMetadata()
    • getMetadataResponse

      public Object getMetadataResponse(CredentialIssuer issuer, KeycloakSession session)
    • getBatchCredentialIssuance

      public static CredentialIssuer.BatchCredentialIssuance getBatchCredentialIssuance(RealmModel realm)
      Returns the batch credential issuance configuration for the given realm. This method is public and static to facilitate testing without requiring session state management.
      Parameters:
      realm - The realm model
      Returns:
      The batch credential issuance configuration or null if not configured or invalid
    • generateSignedMetadata

      public Optional<String> generateSignedMetadata(CredentialIssuer metadata, KeycloakSession session)
      Generates signed metadata as a JWS using JsonWebToken infrastructure.
      Parameters:
      metadata - The CredentialIssuer metadata object to sign.
      session - The Keycloak session.
      Returns:
      Optional containing the compact JWS string if successful, empty if fallback to unsigned JSON is needed.
    • getCredentialResponseEncryption

      public static CredentialResponseEncryptionMetadata getCredentialResponseEncryption(KeycloakSession session)
      Returns the credential response encryption metadata for the issuer. The supported algorithms are determined from the keys available in the realm.
      Parameters:
      session - The Keycloak session
      Returns:
      The credential response encryption metadata
    • getCredentialRequestEncryption

      public static CredentialRequestEncryptionMetadata getCredentialRequestEncryption(KeycloakSession session)
      Returns the credential request encryption metadata for the issuer. The supported algorithms and the JWK Set are determined from the keys available in the realm.
    • getSupportedEncryptionAlgorithms

      public static List<String> getSupportedEncryptionAlgorithms(KeycloakSession session)
      Returns the supported encryption algorithms from realm attributes.
    • getSupportedCredentials

      public static Map<String,SupportedCredentialConfiguration> getSupportedCredentials(KeycloakSession keycloakSession)
      Returns the supported credentials from the current session, taking into account the configured CredentialBuilders, the formats they support, and the credentials supported by the clients available in the session.
    • toSupportedCredentialConfiguration

      public static SupportedCredentialConfiguration toSupportedCredentialConfiguration(KeycloakSession keycloakSession, CredentialScopeModel credentialModel)
    • getIssuer

      public static String getIssuer(KeycloakContext context)
      Returns the URL of the issuer.
    • getNonceEndpoint

      public static String getNonceEndpoint(KeycloakContext context)
      Returns the nonce endpoint address.
    • getCredentialsEndpoint

      public static String getCredentialsEndpoint(KeycloakContext context)
      Returns the credentials endpoint address.
    • getSupportedSignatureAlgorithms

      public static List<String> getSupportedSignatureAlgorithms(KeycloakSession session)
    • getAuthorizationServers

      public static List<String> getAuthorizationServers(KeycloakSession session)
      Returns the authorization servers from the issuer configuration.
    • getSupportedAsymmetricSignatureAlgorithms

      public static List<String> getSupportedAsymmetricSignatureAlgorithms(KeycloakSession session)
      Returns the supported asymmetric signature algorithms. Delegates to CryptoUtils for shared implementation with OIDCWellKnownProvider. This includes all asymmetric algorithms supported by Keycloak (RSA, EC, EdDSA).
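The methods above describe what this provider publishes: endpoint URLs, authorization servers, encryption and signature algorithm lists, and a signed copy of the metadata that falls back to plain JSON when signing is not possible. The following wallet-side checker is an added example, not Keycloak's code and not part of this class: it takes a metadata document as a dict, enforces structural rules (https endpoints, non-empty encryption algorithm lists, a positive batch size), and when a `signed_metadata` JWS is present it refuses `none` and HMAC algorithms, binds the signed claims to the unsigned `credential_issuer`, and lets signed values override unsigned ones. Field names (`credential_issuer`, `credential_endpoint`, `nonce_endpoint`, `authorization_servers`, `batch_credential_issuance`, `credential_response_encryption`, `credential_configurations_supported`, `signed_metadata`) are assumed from the OID4VCI Credential Issuer Metadata specification rather than taken from this page; the sample document, its endpoint paths and the placeholder signature are constructed for the demo; and signature verification itself is delegated to a caller-supplied `verify_signature` hook, which in a real wallet would be a JOSE library bound to the issuer's published keys.

```python
import base64
import json

# Asymmetric JWS algorithms a wallet accepts for signed_metadata. HMAC ("HS*")
# and "none" are excluded: neither proves that the issuer produced the document.
ASYMMETRIC_ALGS = frozenset({"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                             "ES256", "ES384", "ES512", "EdDSA"})


class MetadataError(ValueError):
    """Raised when issuer metadata fails a structural or policy check."""


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_unsigned_metadata(md: dict) -> None:
    """Structural checks applied before any claim in the document is used."""
    for key in ("credential_issuer", "credential_endpoint", "credential_configurations_supported"):
        if key not in md:
            raise MetadataError(f"missing required field: {key}")
    urls = [md[k] for k in ("credential_issuer", "credential_endpoint", "nonce_endpoint")
            if k in md] + list(md.get("authorization_servers", []))
    for url in urls:
        if not isinstance(url, str) or not url.startswith("https://"):
            raise MetadataError(f"endpoint must be an https URL: {url!r}")
    enc = md.get("credential_response_encryption")
    if enc is not None and not (enc.get("alg_values_supported") and enc.get("enc_values_supported")):
        raise MetadataError("credential_response_encryption advertises no usable algorithms")
    batch = md.get("batch_credential_issuance")
    if batch is not None and not (isinstance(batch.get("batch_size"), int) and batch["batch_size"] > 0):
        raise MetadataError("batch_credential_issuance.batch_size must be a positive integer")


def process_issuer_metadata(md: dict, verify_signature) -> dict:
    """Return the claims a wallet may rely on and whether they were signed.

    verify_signature(header, signing_input, signature) -> bool is supplied by the
    wallet (assumed hook; normally a JOSE library bound to the issuer's keys).
    """
    check_unsigned_metadata(md)
    jws = md.get("signed_metadata")
    if jws is None:
        # Issuer fell back to plain JSON: usable, but it carries no origin proof.
        return {"signed": False, "claims": dict(md)}
    parts = jws.split(".")
    if len(parts) != 3:
        raise MetadataError("signed_metadata is not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in ASYMMETRIC_ALGS:
        raise MetadataError(f"unacceptable signed_metadata alg: {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not verify_signature(header, signing_input, b64url_decode(parts[2])):
        raise MetadataError("signed_metadata signature does not verify")
    claims = json.loads(b64url_decode(parts[1]))
    # The signed claims must name the same issuer as the plain document; otherwise
    # a valid JWS belonging to a different issuer would be accepted here.
    if claims.get("credential_issuer") != md["credential_issuer"]:
        raise MetadataError("signed_metadata credential_issuer does not match the document")
    if "iss" in claims and claims["iss"] != md["credential_issuer"]:
        raise MetadataError("signed_metadata iss does not match credential_issuer")
    # Signed values take precedence over anything present only in plain JSON.
    unsigned = {k: v for k, v in md.items() if k != "signed_metadata"}
    return {"signed": True, "claims": {**unsigned, **claims}}


def is_rejected(md: dict, verify_signature) -> bool:
    """True when process_issuer_metadata refuses the document."""
    try:
        process_issuer_metadata(md, verify_signature)
    except MetadataError:
        return True
    return False


# Constructed sample document (not captured from a server); the endpoint paths
# are placeholders, not Keycloak's real ones.
SAMPLE_ISSUER = "https://issuer.example/realms/demo"
SAMPLE_UNSIGNED = {
    "credential_issuer": SAMPLE_ISSUER,
    "authorization_servers": [SAMPLE_ISSUER],
    "credential_endpoint": SAMPLE_ISSUER + "/credential",
    "nonce_endpoint": SAMPLE_ISSUER + "/nonce",
    "batch_credential_issuance": {"batch_size": 10},
    "credential_response_encryption": {"alg_values_supported": ["RSA-OAEP-256"],
                                       "enc_values_supported": ["A256GCM"],
                                       "encryption_required": False},
    "credential_configurations_supported": {"demo_vc": {"format": "jwt_vc_json"}},
}
DEMO_SIGNATURE = b"demo-signature-placeholder"  # constructed, not a real signature


def make_demo_jws(alg: str, claims: dict, signature: bytes = DEMO_SIGNATURE) -> str:
    """Constructed compact JWS whose signature is a placeholder, not real crypto."""
    head = b64url_encode(json.dumps({"alg": alg}).encode())
    return f"{head}.{b64url_encode(json.dumps(claims).encode())}.{b64url_encode(signature)}"


def demo_verifier(header: dict, signing_input: bytes, signature: bytes) -> bool:
    """Stand-in for a JOSE library: accepts only the demo placeholder signature."""
    return signature == DEMO_SIGNATURE


def with_signed_metadata(alg: str, claims: dict, signature: bytes = DEMO_SIGNATURE) -> dict:
    md = dict(SAMPLE_UNSIGNED)
    md["signed_metadata"] = make_demo_jws(alg, claims, signature)
    return md


if __name__ == "__main__":
    doc = with_signed_metadata("ES256", {"credential_issuer": SAMPLE_ISSUER,
                                         "nonce_endpoint": SAMPLE_ISSUER + "/nonce2"})
    print(process_issuer_metadata(doc, demo_verifier))
```

The design point is the order of checks: algorithm policy is enforced from the JWS header before the signature hook is consulted, so an `alg: none` or HMAC token never reaches the verifier, and issuer binding is checked after the signature so that a well-formed JWS from some other issuer cannot supply claims for this one. When the issuer has fallen back to unsigned JSON (the empty `Optional` case of `generateSignedMetadata`), the result is marked `signed: False` so the wallet can decide whether plain-JSON metadata is acceptable for its trust model.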