Release 0.26.0

[sraptis-scy]

New Feature: Credential Re-Issuance (reissueDocument)

Added support for re-issuing previously issued credentials without requiring the user to go through
the full OAuth authorization flow again. The library automatically captures and stores the
authorization context (tokens, endpoints, key aliases) after successful credential issuance,
enabling seamless credential refresh using the stored refresh token.

API

OpenId4VciManager.reissueDocument()

New method on OpenId4VciManager for re-issuing a credential:

fun reissueDocument(
    documentId: DocumentId,
    allowAuthorizationFallback: Boolean = true,
    executor: Executor? = null,
    onIssueEvent: OnIssueEvent,
)

• Interactive mode (default): If tokens are expired, falls back to full OAuth authorization
  (opens browser).
• Background mode (allowAuthorizationFallback = false): If tokens are expired, delivers a
  ReissuanceAuthorizationException via IssueEvent.Failure instead of opening a browser. Designed
  for WorkManager or other background execution contexts.

ReissuanceAuthorizationException

New public exception class (eu.europa.ec.eudi.wallet.issue.openid4vci.reissue.ReissuanceAuthorizationException)
thrown when background re-issuance fails due to expired tokens. Wallet applications can check for
this exception type to schedule interactive re-authorization later.

Configuration

OpenId4VciManager.Config.Builder.withIssuanceMetadataStorage()

Optional configuration for the storage backend used to persist re-issuance metadata. When not
configured, defaults to an AndroidStorage instance in the app's no-backup files directory.

Flow

1. Initial Issuance: After a credential is successfully issued, ProcessResponse stores
   IssuanceMetadata (endpoints, tokens, key aliases) in the configured storage.
2. Re-Issuance: reissueDocument(documentId) loads the stored metadata, reconstructs the
   authorized request, creates a fresh Issuer (reusing the original DPoP key), and submits a new
   credential request.
3. Token Expiry Handling: If the credential request fails with a 401/InvalidToken error:
   • Interactive mode: Falls back to full OAuth authorization and retries.
   • Background mode: Throws ReissuanceAuthorizationException.
4. Document Lifecycle: On successful immediate issuance, the old document is deleted
   automatically. For deferred outcomes, the old document is retained until the deferred credential
   is eventually issued.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud