Skip to content

Feature: DPoP Customization#294

Merged
vkanellopoulos merged 4 commits intoeu-digital-identity-wallet:release/0.25.0from
niscy-eudiw:feature/dpop_customization
Feb 25, 2026
Merged

Feature: DPoP Customization#294
vkanellopoulos merged 4 commits intoeu-digital-identity-wallet:release/0.25.0from
niscy-eudiw:feature/dpop_customization

Conversation

@sraptis-scy
Copy link
Copy Markdown
Collaborator

@sraptis-scy sraptis-scy commented Feb 25, 2026

DPoP Customization Feature

The DPoP implementation has been redesigned to provide:

  • Flexible secure area support - Use any SecureArea implementation (AndroidKeystore, SoftwareSecureArea, etc.)
  • Automatic algorithm negotiation - The library automatically negotiates signing algorithms between the server and secure area
  • Enhanced customization - Full control over key creation settings and unlock mechanisms

Breaking Changes

1. Builder Method Renamed

Old API:

OpenId4VciManager.Config.Builder()
    .withDPoPUsage(DPoPUsage.IfSupported(Algorithm.ESP256))  // ❌ OLD
    .build()

New API:

OpenId4VciManager.Config.Builder()
    .withDPopConfig(DPopConfig.Default)  // ✅ NEW
    .build()

Change: Method withDPoPUsage() renamed to withDPopConfig()

2. DPoPUsage Sealed Interface Removed

The DPoPUsage sealed interface has been completely removed and replaced with DPopConfig.

Old API:

sealed interface DPoPUsage {
    data object Disabled : DPoPUsage
    data class IfSupported(val algorithm: Algorithm = Algorithm.ESP256) : DPoPUsage
}

New API:

sealed interface DPopConfig {
    data object Disabled : DPopConfig
    data object Default : DPopConfig
    data class Custom(
        val secureArea: SecureArea,
        val createKeySettingsBuilder: (List<Algorithm>) -> CreateKeySettings,
        val keyUnlockDataProvider: KeyUnlockDataProvider = KeyUnlockDataProvider.None
    ) : DPopConfig
}

Key Differences:

  • Removed: DPoPUsage.IfSupported(algorithm) - Manual algorithm specification
  • Added: DPopConfig.Default - Uses AndroidKeystore with automatic algorithm negotiation
  • Added: DPopConfig.Custom - Full customization with any secure area

3. Algorithm Specification Changed

Old Behavior:

  • You either used default Algorithm.ESP256 by calling DPoPUsage.IfSupported() with no parameter, or manually specified the algorithm: DPoPUsage.IfSupported(Algorithm.A256GCM)
  • If the server didn't support your chosen algorithm, issuance would fail

New Behavior:

  • The library automatically negotiates the algorithm between the server and secure area
  • You don't specify the algorithm directly anymore
  • The algorithm is selected from those supported by both the server and secure area
  • For DPopConfig.Default, this happens automatically
  • For DPopConfig.Custom, your createKeySettingsBuilder receives the list of compatible algorithms

Migration:
If you were explicitly setting an algorithm preference, use DPopConfig.Custom:

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Feb 25, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@vkanellopoulos vkanellopoulos merged commit c12b5da into eu-digital-identity-wallet:release/0.25.0 Feb 25, 2026
6 checks passed
@vkanellopoulos vkanellopoulos deleted the feature/dpop_customization branch February 25, 2026 15:18
This was referenced Mar 5, 2026
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vkanellopoulos vkanellopoulos vkanellopoulos approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sraptis-scy @vkanellopoulos