Skip to content

Add OpenID4VP server configuration, API resources, access control, and Digital Credentials connection extension#8192

Open
Zeta201 wants to merge 5 commits into
wso2:masterfrom
Zeta201:openid4vp-config
Open

Add OpenID4VP server configuration, API resources, access control, and Digital Credentials connection extension#8192
Zeta201 wants to merge 5 commits into
wso2:masterfrom
Zeta201:openid4vp-config

Conversation

@Zeta201

@Zeta201 Zeta201 commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Purpose

Wires up the server-side configuration and security layer required to expose the OpenID for Verifiable Presentations (OpenID4VP) feature, and introduces the Digital Credentials connection extension that surfaces it in the Console UI.

Changes

identity.xml / identity.xml.j2

Adds the <OpenID4VP> configuration block with:

  • Enabled flag to toggle the feature.
  • RequestAudience — the aud claim for VP Request JWTs, defaulting to https://self-issued.me/v2 as defined by the OpenID4VP specification.

org.wso2.carbon.identity.core.server.feature.default.json

  • Adds default configuration values:
    • openid4vp.enabled
    • openid4vp.client_id_scheme
    • openid4vp.request_audience
  • Adds OpenID4VPAuthenticator to the session nonce cookie whitelist.

system-api-resource.xml / system-api-resource.xml.j2

Registers two new system API resources for both TENANT and ORGANIZATION resource types:

  • VP Template Management API (/api/server/v1/vp/template)
    • Scopes: view, create, update, delete
  • VP Verification API (/api/server/v1/vp/verification)
    • Scopes:
      • create — initiate a verification session
      • view — poll verification status

resource-access-control-v2.xml / resource-access-control-v2.xml.j2

  • Marks OpenID4VP protocol endpoints as unsecured, as they are public-facing endpoints required by the specification:
    • /oid4vp/v1/vp-request
    • /oid4vp/v1/response
    • /oid4vp/v1/verifications
  • Exposes /.well-known/did.json as an unsecured endpoint.
  • Secures VP Template Management and VP Verification REST API endpoints using the corresponding internal scopes for both tenant and organization paths.

extensions/connections/digital-credentials/ (new)

Adds the Digital Credentials connection template for the extension management UI:

  • info.json
    • Registers the connection with its category, display order, and Wallet / Digital Credentials tags.
  • metadata.json
    • Defines Console create and edit form fields:
      • Connection name
      • Description
      • presentationDefinitionId
      • timeout
  • template.json
    • Defines the IdP template wiring for OpenID4VPAuthenticator (T3BlbklENFZQQXV0aGVudGljYXRvcg) and its required properties.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Zeta201, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 47 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: bf393835-15a3-473d-94ca-b2c92c3539fe

📥 Commits

Reviewing files that changed from the base of the PR and between 84c6141 and 99c7a25.

📒 Files selected for processing (4)
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2
📝 Walkthrough

Walkthrough

This PR adds OpenID4VP server configuration, VP endpoint access-control rules, VP API resource and scope definitions, and digital-credentials connection extension resources.

Changes

OpenID4VP and VP Management Support

Layer / File(s) Summary
OpenID4VP server configuration
features/identity-core/.../identity.xml, features/identity-core/.../identity.xml.j2, features/identity-core/.../org.wso2.carbon.identity.core.server.feature.default.json
Adds OpenID4VP settings, nonce-cookie authenticator support, and VP session cache configuration.
VP API resource and scope definitions
features/api-resource-mgt/.../system-api-resource.xml, features/api-resource-mgt/.../system-api-resource.xml.j2
Registers tenant and organization VP template management and verification APIs with authorization scopes.
VP endpoint access control
features/identity-core/.../resource-access-control-v2.xml, features/identity-core/.../resource-access-control-v2.xml.j2
Adds unsecured OID4VP routes and secured VP template and verification routes with method-specific scope checks.
Digital Credentials connection definition
features/extension-mgt/.../connections/digital-credentials/*
Adds connection metadata, create/edit UI schemas, and a standard identity-provider template with VP authenticator properties.

Suggested reviewers: shashimalcse, thamindur, piraveena

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers Purpose and Changes, but most required template sections like Goals, Approach, tests, and security checks are missing. Add the missing template sections with concise details for goals, approach, user stories, release note, docs, tests, security, related PRs, and environment.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change set around OpenID4VP configuration, API resources, access control, and the Digital Credentials extension.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@Zeta201 Zeta201 force-pushed the openid4vp-config branch from e1f724f to 2a2acc1 Compare July 5, 2026 07:16

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/info.json`:
- Line 5: The image path in the digital-credentials info.json should not point
to an asset in this repository. Update the image field to reference the
corresponding logo path from the identity-apps frontend assets, and verify the
target exists there; keep the change localized to the info.json entry for the
wallet/logo asset.

In
`@features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/metadata.json`:
- Around line 37-46: The metadata JSON has a trailing comma after the last entry
in the properties array, which makes it invalid and prevents the extension
metadata from loading. Remove the extra comma in the digital-credentials
metadata so the properties list in metadata.json is valid JSON and can be parsed
by ExtensionManagerComponent’s metadata loader.

In
`@features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/template.json`:
- Line 6: The image paths in the digital-credentials template should not point
to assets in the carbon-identity-framework repo; update the referenced `image`
fields in `template.json` to use the corresponding asset location from the
`identity-apps` repository. Use the existing `image` entries in this template as
the places to change, and make them consistent with the same cross-repo asset
guidance already noted for `info.json`.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4ae499af-4fd6-4c6a-99a6-6c2d64c1fac5

📥 Commits

Reviewing files that changed from the base of the PR and between 7fad7eb and e1f724f.

📒 Files selected for processing (10)
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2
  • features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/info.json
  • features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/metadata.json
  • features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/template.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2

"name": "Digital Credentials",
"description": "Login users with their Digital Credentials.",
"docLink": "https://github.com/wso2-extensions/identity-inbound-auth-openid4vp",
"image": "assets/images/logos/wallet.svg",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Same cross-repo image path concern as info.json.

assets/images/logos/wallet.svg (Lines 6 and 14) should reference an asset in identity-apps, per the same guidance flagged for info.json.

Based on learnings, "image paths ... must reference assets from the identity-apps repository where frontend code resides, not assets stored in the carbon-identity-framework repository."

Also applies to: 14-14

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/template.json`
at line 6, The image paths in the digital-credentials template should not point
to assets in the carbon-identity-framework repo; update the referenced `image`
fields in `template.json` to use the corresponding asset location from the
`identity-apps` repository. Use the existing `image` entries in this template as
the places to change, and make them consistent with the same cross-repo asset
guidance already noted for `info.json`.

Source: Learnings

@coderabbitai coderabbitai Bot requested a review from piraveena July 5, 2026 07:20

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2`:
- Around line 139-178: The secured VP Template and Verification management
resources are currently placed before the login_only_mode no_access_granted
catch-all, so they can still be matched in that mode. Move the secured POST and
PUT entries for the VP management APIs in resource-access-control-v2.xml.j2 into
the same section as the other /api/server/v1/... management APIs, below the
login_only_mode block, and keep the public oid4vp/v1 endpoints unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: dc276a0b-5f4c-4d84-a1dc-8ddd4244c2a8

📥 Commits

Reviewing files that changed from the base of the PR and between e1f724f and 2a2acc1.

📒 Files selected for processing (10)
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2
  • features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/info.json
  • features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/metadata.json
  • features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/template.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2
✅ Files skipped from review due to trivial changes (1)
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
🚧 Files skipped from review as they are similar to previous changes (5)
  • features/extension-mgt/org.wso2.carbon.identity.extension.mgt.feature/resources/extensions/connections/digital-credentials/info.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json

@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.35%. Comparing base (0ebc488) to head (99c7a25).
⚠️ Report is 163 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #8192      +/-   ##
============================================
- Coverage     52.95%   52.35%   -0.60%     
- Complexity    20988    21865     +877     
============================================
  Files          2186     2200      +14     
  Lines        129041   137659    +8618     
  Branches      19224    21644    +2420     
============================================
+ Hits          68328    72073    +3745     
- Misses        52394    56677    +4283     
- Partials       8319     8909     +590     
Flag Coverage Δ
unit 38.46% <ø> (+0.33%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Zeta201 Zeta201 force-pushed the openid4vp-config branch from 84c6141 to 99c7a25 Compare July 16, 2026 16:40
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant