Is it possible to request that a transaction code is returned with the OIDVC credential offer response when pre-authorized grant is used ? #44567
Replies: 1 comment 3 replies
-
|
Hi @sberyozkin - As you have probably noticed already, there is currently no support altogether for transaction codes in Keycloak's OpenID4VCI implementation. So your contribution in this regard, whatsoever, would be greatly appreciated. Though a bit anti-pattern to send the pre-authorized code "alongside" the transaction code, it makes sense to me to delegate the out-of-band forwarding to the issuer app as you are suggesting. I'm commenting so the discussion gets more traction. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @IngridPuppet, thanks for the feedback.
I may be able to do some contributions going forward, currently I'm trying to work out a demo structure, with https://github.com/adorsys/keycloak-ssi-deployment that is linked to from the Keycloak docs being of great help to see what currently works and what does not.
What I'm thinking is that Keycloak itself will return both in the grant response. But the custom issuer application that interposes over Keycloak such as a University and that interacts with a a wallet, would for example, email the transaction code to the logged in user, and the wallet, at the credential offer UI page will request the user to add that transaction code... I'm not sure Keycloak itself will deal with providing the transaction code out of band, the user's email or phone number is not available at the pre-authorized code grant request, perhaps only indirectly. Is it what you are thinking about too ? Thanks |
Beta Was this translation helpful? Give feedback.
-
|
Hi @sberyozkin.
Great! Then, you would want to know that the project now lives in the
Exactly what I understood from your point. The highlight that details such as the user's phone number may not be known to Keycloak constitutes a reasonable motivation for the projected implementation, in my opinion. |
Beta Was this translation helpful? Give feedback.
-
Thanks, neatly restructured indeed. FYI, I'm using OK, so I'm going to experiment with my demo issuer which is a confidential client where it would get the preauthorized code from Keycloak, such that the wallet does not interact with the Keycloak issuer endpoint itself but via this demo issuer only, to see how associating a transaction code can work... Will take a little while, I'll get back at some point to this discussion Thanks |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi All, is it possible right now to request that a transaction code is returned with a VC credential offer, alongside a pre-authorized code ?
It is more or less an essential requirement for the issuer app which offers VC to the wallet, otherwise it is hard to guarantee a pre-authorized code has not been leaked, but with the wallet user receiving it out of band and entering into the wallet makes it more realistic.
Perhaps I can open an enhancement request ?
Thanks
Beta Was this translation helpful? Give feedback.
All reactions