Hello,
We are attempting to generate credentials and store them in the wallet. Our goal is to use openid4vc to exchange verifiable credentials (VC). We are leveraging an extension of Keycloak developed by FIWARE to use SSIKIT (https://github.com/FIWARE/keycloak-vc-issuer). While we understand that SSIKIT will be migrated to a new issuer implementation, we currently need it to generate JSON-LD credentials.
System Setup
Domain: https://dataspace4health.local
Keycloak deployed under: /IAM
Wallet API deployed under: /wallet/api
Wallet UI deployed under: /wallet/ui
Issue Description
Credential Offer Generation
We successfully generated the credential offer using Keycloak. The generated credential offer URL is:
openid-credential-offer://dataspace4health.local/iam/realms/ds4h/verifiable-credential/did:web:dataspace4health.local:wallet:api:wallet-api:registry:0/credential-offer?credential_offer_uri=https%3A%2F%2Fdataspace4health.local%2Fiam%2Frealms%2Fds4h%2Fverifiable-credential%2Fdid%3Aweb%3Adataspace4health.local%3Awallet%3Aapi%3Awallet-api:registry:0%2Fcredential-offer%2F63ef403e-f0b3-4573-af4f-67c4f1b2c809.0b2e0fc0-749d-4509-8589-c26d9c58b399.cd89e91f-7620-4ce2-b4dd-a002f13601ed
Generated QR Code:
Wallet Interaction
Using the "Scan to receive or present credentials" functionality in the wallet, we pasted the credential offer. The wallet presented a page to accept the credential.
On accepting, the wallet made the following requests:
Request 1: Receive Credential Offer
Request URL (POST):
https://dataspace4health.local/wallet/api/wallet-api/wallet/{walletId}/exchange/resolveCredentialOffer
Payload:
Request 2: Retrieve OpenID Credential Issuer Metadata
Request URL:
https://dataspace4health.local/iam/realms/ds4h/verifiable-credential/...
Response:
Request 3: Retrieve Wallet DIDs
Request URL:
https://dataspace4health.local/wallet/api/wallet-api/wallet/{walletId}/dids
On clicking "Accept", we encountered an error.
Error Details
Wallet Request (POST):
https://dataspace4health.local/wallet/api/wallet-api/wallet/{walletId}/exchange/useOfferRequest?did=did:web:dataspace4health.local:wallet:api:wallet-api:registry:0
Payload:
openid-credential-offer://dataspace4health.local/iam/realms/ds4h/verifiable-credential/...
Response (400 Bad Request):
Wallet API Logs:
The wallet API attempts to call the Keycloak issuer but receives an invalid token response:
FROM: https://dataspace4health.local/iam/realms/ds4h/verifiable-credential/did:web:dataspace4health.local:wallet:api:wallet-api:registry:0/credential-offer/c54e8b2c-4e40-45c0-9884-351895e4bb84.216b3363-b532-495f-92ae-142077de2ffc.cd89e91f-7620-4ce2-b4dd-a002f13601ed
COMMON HEADERS
-> content-length: 25
-> content-type: application/json
-> date: Thu, 16 Jan 2025 16:58:02 GMT
-> referrer-policy: no-referrer
-> strict-transport-security: max-age=31536000; includeSubDomains
-> x-content-type-options: nosniff
-> x-frame-options: SAMEORIGIN
-> x-xss-protection: 1; mode=block
{
"error": "invalid_token"
}
Keycloak Logs:
Keycloak logs indicate that the nonce is already used for the user session:
Code '...' already used for userSession '...' and client '...'.
Observations
The wallet seems to use the nonce as a code to request the credentials, which is not compliant with OpenID for Verifiable Credentials Draft 13.
Per the draft, the wallet should utilize the credential offer directly to retrieve the credentials.
Request
Could you confirm the correct steps or point out any misconfiguration on our side? Is there an update required in the wallet or Keycloak configuration to align with the OpenID for Verifiable Credentials specification?
I had a look at it and it seems that the Wallet UI calls two different endpoints of the Wallet API.
First it calls "/wallet-api/wallet/<wallet id>/exchange/resolveCredentialOffer", which in the background calls the credential offer endpoint with the nonce provided in the offer link.
Once the credential offer metadata are received, the Wallet UI displays the credential with the Reject and Accept buttons. When the user accepts the credential, the Wallet UI calls the endpoint "/wallet-api/wallet/<wallet id>/exchange/useOfferRequest", which in the background calls the credential offer endpoint again, as in the previous step, but with the same nonce, which AFAIK is supposed to be used only once.
Is this a bug of the Wallet or an issue in the protocol?
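To make the two-call sequence from the issue report and the comment above concrete, here is an added example in Python. It is not code from the wallet, from Keycloak, from the FIWARE issuer, or from either poster. It parses the openid-credential-offer link quoted in the issue, then models the issuer as a toy endpoint that lets each offer id behind credential_offer_uri be dereferenced exactly once (the page only shows that the second call got a 400 invalid_token and that Keycloak logged the code as already used; the single-use rule, the offer document contents, the pre-authorized code value and the class and function names are assumptions made for this example). The refetching wallet reproduces the reported failure; the caching wallet resolves the offer once and reuses the stored document when the user accepts.

```python
"""Added example: toy model of OpenID4VCI credential-offer resolution with a
single-use offer id. Not code from walt.id, Keycloak, FIWARE or the posters."""
import json
from urllib.parse import urlparse, parse_qs

# The offer link exactly as quoted in the issue above.
OFFER_LINK = (
    "openid-credential-offer://dataspace4health.local/iam/realms/ds4h/verifiable-credential/"
    "did:web:dataspace4health.local:wallet:api:wallet-api:registry:0/credential-offer"
    "?credential_offer_uri=https%3A%2F%2Fdataspace4health.local%2Fiam%2Frealms%2Fds4h"
    "%2Fverifiable-credential%2Fdid%3Aweb%3Adataspace4health.local%3Awallet%3Aapi%3Awallet-api"
    ":registry:0%2Fcredential-offer%2F63ef403e-f0b3-4573-af4f-67c4f1b2c809"
    ".0b2e0fc0-749d-4509-8589-c26d9c58b399.cd89e91f-7620-4ce2-b4dd-a002f13601ed"
)
PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"


def parse_offer_link(link: str) -> dict:
    """Split an openid-credential-offer:// link into its by-reference URI or by-value offer.
    OpenID4VCI allows exactly one of credential_offer_uri / credential_offer in the query."""
    u = urlparse(link)
    if u.scheme != "openid-credential-offer":
        raise ValueError(f"unexpected scheme {u.scheme!r}")
    qs = parse_qs(u.query)
    if ("credential_offer_uri" in qs) == ("credential_offer" in qs):
        raise ValueError("offer must carry exactly one of credential_offer_uri / credential_offer")
    if "credential_offer_uri" in qs:
        return {"credential_offer_uri": qs["credential_offer_uri"][0]}
    return {"credential_offer": json.loads(qs["credential_offer"][0])}


class SingleUseOfferIssuer:
    """Stand-in for the issuer's credential-offer endpoint (assumption for this example):
    the offer id at the end of credential_offer_uri can be dereferenced once; a second
    dereference answers the way the Wallet API log above shows (400, invalid_token)."""

    def __init__(self, offers: dict):
        self._offers = dict(offers)   # offer id -> credential offer document
        self._used: set = set()
        self.calls = 0                # how often the wallet hit the endpoint

    def get(self, credential_offer_uri: str):
        self.calls += 1
        offer_id = credential_offer_uri.rsplit("/", 1)[-1]
        if offer_id not in self._offers or offer_id in self._used:
            return 400, {"error": "invalid_token"}
        self._used.add(offer_id)
        return 200, self._offers[offer_id]


def make_issuer() -> SingleUseOfferIssuer:
    """Constructed offer document keyed by the id carried in OFFER_LINK (Draft 13 field names)."""
    offer_id = parse_offer_link(OFFER_LINK)["credential_offer_uri"].rsplit("/", 1)[-1]
    document = {
        "credential_issuer": "https://dataspace4health.local/iam/realms/ds4h",
        "credential_configuration_ids": ["VerifiableCredential"],
        "grants": {PRE_AUTH_GRANT: {"pre-authorized_code": "example-pre-auth-code"}},
    }
    return SingleUseOfferIssuer({offer_id: document})


def refetching_wallet(issuer: SingleUseOfferIssuer, link: str):
    """The sequence reported above: dereference the offer to preview it (resolveCredentialOffer),
    then dereference the same URI again when the user accepts (useOfferRequest)."""
    uri = parse_offer_link(link)["credential_offer_uri"]
    status, preview = issuer.get(uri)
    if status != 200:
        return status, preview
    return issuer.get(uri)   # second dereference of a single-use id: rejected


def caching_wallet(issuer: SingleUseOfferIssuer, link: str):
    """Dereference once, keep the offer document, and on accept continue from the grant it
    carries (token request with the pre-authorized code) without re-reading the offer URI."""
    uri = parse_offer_link(link)["credential_offer_uri"]
    status, offer = issuer.get(uri)
    if status != 200:
        return status, offer
    code = offer["grants"][PRE_AUTH_GRANT]["pre-authorized_code"]
    metadata_url = offer["credential_issuer"] + "/.well-known/openid-credential-issuer"
    return 200, {"pre_authorized_code": code, "issuer_metadata_url": metadata_url}


if __name__ == "__main__":
    print(refetching_wallet(make_issuer(), OFFER_LINK))   # (400, {'error': 'invalid_token'})
    print(caching_wallet(make_issuer(), OFFER_LINK))
```

Run it as a script: the first line printed is the failure from the report, the second is the result of accepting from the cached offer document. The design point is that after resolveCredentialOffer the wallet already holds everything the accept step needs (issuer URL for the metadata lookup and the grant), so useOfferRequest should not need to touch credential_offer_uri again.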