Skip to content

Add OpenID4VP REST API modules for Presentation Definition management and VP verification#1140

Open
Zeta201 wants to merge 21 commits into
wso2:masterfrom
Zeta201:openid4vp
Open

Add OpenID4VP REST API modules for Presentation Definition management and VP verification#1140
Zeta201 wants to merge 21 commits into
wso2:masterfrom
Zeta201:openid4vp

Conversation

@Zeta201

@Zeta201 Zeta201 commented Jun 18, 2026

Copy link
Copy Markdown

Overview

This PR introduces two new REST API modules to the Identity API Server for the OpenID4VP (Verifiable Presentations) feature:

  1. VP Presentation Definition Management API

    • CRUD operations for managing Presentation Definitions (VP templates that define what credentials a verifier requires from a wallet).
  2. VP Verification API

    • Standalone VP verification flow for verifier portals to initiate a verification session, display a wallet QR code, and poll for the verification result.

Module 1: org.wso2.carbon.identity.api.server.vp.template.management

Exposes endpoints under:

/api/server/v1/vp/template

for managing tenant-scoped Presentation Definitions.

Endpoints

Method Path Description
GET /vp/template List all presentation definitions for the tenant
POST /vp/template Create a new presentation definition
GET /vp/template/{definition-id} Get a specific presentation definition
PUT /vp/template/{definition-id} Update a presentation definition
DELETE /vp/template/{definition-id} Delete a presentation definition

Purpose

A Presentation Definition describes the credential requirements for a VP request, including:

  • Trusted issuer information
  • List of claims requested from the wallet

These definitions are referenced by:

  • OpenID4VP Authenticator login flows
  • Standalone verifier portal verification flows

when generating VP requests.


Module 2: org.wso2.carbon.identity.api.server.vp.verification

Exposes endpoints under:

/api/server/v1/vp/verification

for the standalone verifier portal pattern, where a third-party application (e.g., a verifier web portal) needs to verify a user's credentials independently of the Identity Server login flow.

Endpoints

Method Path Description
POST /vp/verification/initiate Start a new verification session
GET /vp/verification/status/{txn_id} Poll for session status

Verification Flow

  1. The verifier portal calls:

    POST /vp/verification/initiate

    with a presentationDefinitionId.

  2. Identity Server creates a verification session and returns:

    • walletUrl (deep link used to generate a QR code)
    • txnId
  3. The verifier portal displays the QR code.

  4. The wallet scans the QR code and submits the VP to the Identity Server response endpoint.

  5. The verifier portal polls:

    GET /vp/verification/status/{txnId}

    until the status transitions from:

    ACTIVE → VERIFIED
    

    or

    ACTIVE → FAILED
    

Verification Response

When the verification status is VERIFIED, the API returns a structured presentation object instead of a raw JWT claims dump.

Example response:

{
  "txnId": "abc-123",
  "status": "VERIFIED",
  "presentation": {
    "format": "vc+sd-jwt",
    "submittedAt": "2026-06-18T10:30:00Z",
    "credential": {
      "type": "IdentityCredential",
      "issuer": "did:web:issuer.example.com",
      "issuedAt": "2026-06-01T00:00:00Z",
      "expiresAt": "2027-06-01T00:00:00Z",
      "signingAlgorithm": "ES256",
      "holderBinding": {
        "method": "cnf.jwk",
        "keyType": "EC",
        "curve": "P-256"
      }
    },
    "holder": {
      "id": "did:web:holder.example.com",
      "claims": {
        "email": "user@example.com",
        "given_name": "John"
      }
    },
    "keyBinding": {
      "verified": true,
      "presentedAt": "2026-06-18T10:30:00Z",
      "audience": "https://verifier.example.com",
      "nonce": "abc123"
    }
  },
  "errors": []
}

Presentation Object

The presentation object surfaces:

credential

Information extracted from the credential itself:

  • Issuer identity
  • Credential validity period
  • Signing algorithm
  • Holder binding key information (cnf.jwk)

holder

Information about the credential subject:

  • Subject identifier (sub)
  • All disclosed SD-JWT claims

JWT/SD-JWT internal technical fields are excluded.

keyBinding

Information extracted from the Key Binding JWT (KB-JWT):

  • Whether key binding verification succeeded
  • Presentation timestamp (iat)
  • Intended verifier (aud)
  • Nonce associated with the VP request

This proves that the wallet possessed the private key corresponding to the credential at presentation time.

Null Suppression

Optional sections are omitted when unavailable:

  • holderBinding
  • keyBinding

Related Modules

These REST API modules delegate to services provided by identity-openid4vc:

Module Responsibility
org.wso2.carbon.identity.openid4vc.presentation.management Presentation Definition persistence
org.wso2.carbon.identity.openid4vc.presentation.authenticator Standalone verification session lifecycle
org.wso2.carbon.identity.openid4vc.presentation.verification VP token verification (SD-JWT + KB-JWT)

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@Zeta201, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 4 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7e899c3e-349d-4840-a7fd-20c402372ebd

📥 Commits

Reviewing files that changed from the base of the PR and between bb56735 and c449eb7.

⛔ Files ignored due to path filters (21)
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.v1/src/gen/java/org/wso2/carbon/identity/api/server/configs/v1/ConfigsApi.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.v1/src/gen/java/org/wso2/carbon/identity/api/server/configs/v1/ConfigsApiService.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.v1/src/gen/java/org/wso2/carbon/identity/api/server/configs/v1/model/OpenID4VPConfiguration.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/ClaimConstraintModel.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/Error.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/PresentationDefinitionCreationModel.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/PresentationDefinitionList.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/PresentationDefinitionListItem.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/PresentationDefinitionResponse.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/PresentationDefinitionUpdateModel.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/PresentationDefinitionsApi.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/PresentationDefinitionsApiService.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/RequestedCredentialModel.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/factories/PresentationDefinitionsApiServiceFactory.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/verification/v1/Error.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/verification/v1/VerificationInitiateRequest.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/verification/v1/VerificationInitiateResponse.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/verification/v1/VerificationStatusResponse.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/verification/v1/VpVerificationApi.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/verification/v1/VpVerificationApiService.java is excluded by !**/gen/**
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/gen/java/org/wso2/carbon/identity/api/server/vp/verification/v1/factories/VpVerificationApiServiceFactory.java is excluded by !**/gen/**
📒 Files selected for processing (26)
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.common/pom.xml
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.common/src/main/java/org/wso2/carbon/identity/api/server/configs/common/ConfigsServiceHolder.java
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.common/src/main/java/org/wso2/carbon/identity/api/server/configs/common/Constants.java
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.v1/pom.xml
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.v1/src/main/java/org/wso2/carbon/identity/api/server/configs/v1/core/ServerConfigManagementService.java
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.v1/src/main/java/org/wso2/carbon/identity/api/server/configs/v1/impl/ConfigsApiServiceImpl.java
  • components/org.wso2.carbon.identity.api.server.configs/org.wso2.carbon.identity.api.server.configs.v1/src/main/resources/configs.yaml
  • components/org.wso2.carbon.identity.api.server.flow.management/org.wso2.carbon.identity.api.server.flow.management.v1/src/main/java/org/wso2/carbon/identity/api/server/flow/management/v1/constants/FlowEndpointConstants.java
  • components/org.wso2.carbon.identity.api.server.flow.management/org.wso2.carbon.identity.api.server.flow.management.v1/src/main/java/org/wso2/carbon/identity/api/server/flow/management/v1/response/handlers/AbstractMetaResponseHandler.java
  • components/org.wso2.carbon.identity.api.server.flow.management/org.wso2.carbon.identity.api.server.flow.management.v1/src/main/java/org/wso2/carbon/identity/api/server/flow/management/v1/response/handlers/RegistrationFlowMetaHandler.java
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.common/pom.xml
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.common/src/main/java/org/wso2/carbon/identity/api/server/vp/template/management/common/VPDefinitionManagementConstants.java
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.common/src/main/java/org/wso2/carbon/identity/api/server/vp/template/management/common/VPDefinitionManagementServiceHolder.java
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/pom.xml
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/main/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/core/ServerVPDefinitionManagementService.java
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/main/java/org/wso2/carbon/identity/api/server/vp/template/management/v1/impl/PresentationDefinitionsApiServiceImpl.java
  • components/org.wso2.carbon.identity.api.server.vp.template.management/org.wso2.carbon.identity.api.server.vp.template.management.v1/src/main/resources/PresentationDefinitions.yaml
  • components/org.wso2.carbon.identity.api.server.vp.template.management/pom.xml
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.common/pom.xml
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.common/src/main/java/org/wso2/carbon/identity/api/server/vp/verification/common/VPVerificationConstants.java
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.common/src/main/java/org/wso2/carbon/identity/api/server/vp/verification/common/VPVerificationServiceHolder.java
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/pom.xml
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/main/java/org/wso2/carbon/identity/api/server/vp/verification/v1/core/ServerVPVerificationService.java
  • components/org.wso2.carbon.identity.api.server.vp.verification/org.wso2.carbon.identity.api.server.vp.verification.v1/src/main/java/org/wso2/carbon/identity/api/server/vp/verification/v1/impl/VpVerificationApiServiceImpl.java
  • components/org.wso2.carbon.identity.api.server.vp.verification/pom.xml
  • pom.xml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@Zeta201
Zeta201 marked this pull request as draft June 18, 2026 06:47
Zeta201 and others added 20 commits July 16, 2026 12:54
VPVerificationService and VPRegistrationService were merged into a single
VPFlowService interface in the authenticator bundle. Update the service
holder and core service to look up and use VPFlowService via OSGi.
Replace the txnId field and all associated getter/setter/annotation
references with requestId in VerificationInitiateResponse,
VerificationStatusResponse, VpVerificationApi, VpVerificationApiService,
VpVerificationApiServiceImpl, and ServerVPVerificationService.

Updates the status endpoint path parameter from {txn_id} to {request_id}
and aligns JSON property names in the response models accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Zeta201
Zeta201 marked this pull request as ready for review July 16, 2026 07:31
After rebasing onto upstream/master, the root POM advanced through
several release cycles (1.6.30 → 1.6.36-SNAPSHOT). The two new VP
modules still referenced the old parent version, causing a
non-resolvable parent POM error in CI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant