fix client_id for iso_18013_7_mdoc profile.#1510

Open
jann0k wants to merge 1 commit into walt-id:main from jann0k:fix_client_id_for_iso_18013_7_mdoc
Conversation


@jann0k jann0k commented Feb 16, 2026

Description

When "client_id_scheme":"x509_san_dns", then client_id MUST be a DNS name and match a dNSName Subject Alternative Name in x5c

https://openid.net/specs/openid-4-verifiable-presentations-1_0-20.html#name-verifier-metadata-managemen

x509_san_dns: When the Client Identifier Scheme is x509_san_dns, the Client Identifier MUST be a DNS name and match a dNSName Subject Alternative Name (SAN) [RFC5280] entry in the leaf certificate passed with the request.

If x509SanDnsClientId is configured with requestSigningKeyFile and requestSigningCertFile in verifier-service.conf

and the Authorization Request is done with the ISO_18013_7_MDOC profile as in https://docs.walt.id/community-stack/verifier/credential-verification/mdl-oid4vc, then the payload of the Request Object (JWT) from request_uri will contain client_id with the value of x509SanDnsClientId from verifier-service.conf.

Docker image

To build docker image (from waltid-identity root):

DOCKER_REGISTRY="my-repo" \
DOCKER_REPOSITORY="waltid-verifier" \
IMAGE_NAME="verifier-api" \
GIT_SHA="$(git rev-parse --short HEAD)" \
GITHUB_USER="jann0k" \
TAG="${GITHUB_USER}-sha-${GIT_SHA}" \
IMAGE="${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}/${IMAGE_NAME}:${TAG}" \
./gradlew :waltid-services:waltid-verifier-api:jibDockerBuild \
  -Djib.to.image="${IMAGE}"

Test

verifier-service.conf:

baseUrl = "http://localhost:7003"
x509SanDnsClientId = "verifier.potential.walt-test.cloud"

curl -X 'POST' \
>   'http://localhost:7003/openid4vc/verify' \
>   -H 'accept: */*' \
>   -H 'authorizeBaseUrl: mdoc-openid4vp://' \
>   -H 'responseMode: direct_post.jwt' \
>   -H 'Content-Type: application/json' \
>   -H "openId4VPProfile: ISO_18013_7_MDOC" \
>   -d '{
>   "request_credentials": [
>     {
>       "id": "mDL-request",
>       "input_descriptor": {
>         "id": "org.iso.18013.5.1.mDL",
>         "format": {
>           "mso_mdoc": {
>             "alg": [
>               "ES256"
>             ]
>           }
>         },
>         "constraints": {
>           "fields": [
>             {
>               "path": [
>                 "$['org.iso.18013.5.1']['birth_date']"
>               ],
>               "intent_to_retain": false
>             },
>             {
>               "path": [
>                 "$['org.iso.18013.5.1']['issue_date']"
>               ],
>               "intent_to_retain": false
>             },
>             {
>               "path": [
>                 "$['org.iso.18013.5.1']['expiry_date']"
>               ],
>               "intent_to_retain": false
>             }
>           ],
>           "limit_disclosure": "required"
>         }
>       }
>     }
>   ],
>   "trusted_root_cas": [
>     "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----\n"
>   ]
> }'
mdoc-openid4vp://?client_id=verifier.potential.walt-test.cloud&request_uri=http%3A%2F%2Flocalhost%3A7003%2Fopenid4vc%2Frequest%2F9QNPaYAVBQJj
curl -X GET http://localhost:7003/openid4vc/request/9QNPaYAVBQJj

Request Object (jwt):

eyJraWQiOiI2NjA1ZWRmMS1hNWU3LTRmNzctOTBkZC02OTljYThhMjE1NWEiLCJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.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.OSoYbt1rs0GWj1YDpGBJhtMGk6-RzcCzJWULc1rAx9p1rj2gjTvyWR9EUodarYWfYo2ATdExNC4tl8PvZeXoGw

jwt decoded with https://jwt.io:

{
  "response_uri": "http://localhost:7003/openid4vc/verify/9QNPaYAVBQJj",
  "aud": "",
  "client_id_scheme": "x509_san_dns",
  "iss": "verifier.potential.walt-test.cloud",
  "response_type": "vp_token",
  "presentation_definition": {
    "id": "LKMQbX2cngfS",
    "input_descriptors": [
      {
        "id": "org.iso.18013.5.1.mDL",
        "format": {
          "mso_mdoc": {
            "alg": [
              "ES256"
            ]
          }
        },
        "constraints": {
          "fields": [
            {
              "path": [
                "$[org.iso.18013.5.1][birth_date]"
              ],
              "intent_to_retain": false
            },
            {
              "path": [
                "$[org.iso.18013.5.1][issue_date]"
              ],
              "intent_to_retain": false
            },
            {
              "path": [
                "$[org.iso.18013.5.1][expiry_date]"
              ],
              "intent_to_retain": false
            }
          ],
          "limit_disclosure": "required"
        }
      }
    ]
  },
  "state": "9QNPaYAVBQJj",
  "exp": 1770995692,
  "nonce": "1c6aa8df-3923-4e05-a22d-e3592fb6639f",
  "client_id": "verifier.potential.walt-test.cloud",
  "client_metadata": {
    "jwks": {
      "keys": [
        {
          "kty": "EC",
          "crv": "P-256",
          "kid": "uUsEI8KxedEubahM-SKHFNiHnHA7E_InwazGaBClpg4",
          "x": "XopZYqK5PmyNV1XydM7q5cwmFh2TOdgC8Tqww_cR02Y",
          "y": "w6VEzT2UOvN4iUFtogVbtwqjy3Xi0z6oA06hWdZFqus",
          "use": "enc",
          "alg": "ECDH-ES"
        }
      ]
    },
    "authorization_encrypted_response_alg": "ECDH-ES",
    "authorization_encrypted_response_enc": "A256GCM"
  },
  "response_mode": "direct_post.jwt"
}

Type of Change

  • [ X ] bug fix - change which fixes an issue
  • new feature - change which adds functionality

Checklist

  • code cleanup and self-review
  • unit + e2e test coverage
  • documentation updated accordingly

Breaking

  • -

Summary by CodeRabbit

  • Bug Fixes
    • Improved client identification handling in OpenID4VCP credential verification for MDOC profile verification to correctly resolve client IDs using the configured client ID mapping with appropriate fallback logic.
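As an added example (not part of this PR or of walt.id's code), here is the wallet-side acceptance check that the spec text quoted above implies: the client_id in the Authorization Request URI and in the signed Request Object must agree, must be a bare DNS name, and must match a dNSName SAN of the leaf x5c certificate. The SAN list is a constructed input; extracting it from the certificate is assumed to be done by a certificate library and is not shown. The "broken" request shape with a URL in client_id is constructed to show what fails the check.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values copied from the PR's test run above; LEAF_SAN_DNS is a constructed stand-in for the
# dNSName SAN entries a wallet would extract from the leaf certificate in the x5c header.
AUTH_REQUEST_URI = ("mdoc-openid4vp://?client_id=verifier.potential.walt-test.cloud"
                    "&request_uri=http%3A%2F%2Flocalhost%3A7003%2Fopenid4vc%2Frequest%2F9QNPaYAVBQJj")
LEAF_SAN_DNS = ["verifier.potential.walt-test.cloud"]
FIXED_REQUEST = {"client_id_scheme": "x509_san_dns", "client_id": "verifier.potential.walt-test.cloud",
                 "iss": "verifier.potential.walt-test.cloud", "response_mode": "direct_post.jwt"}
# Constructed "URL in client_id" shape: such a value can never match a dNSName SAN.
BROKEN_REQUEST = dict(FIXED_REQUEST, client_id="http://localhost:7003/openid4vc/verify/9QNPaYAVBQJj",
                      iss="http://localhost:7003/openid4vc/verify/9QNPaYAVBQJj")

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # RFC 1123 hostname label

def is_dns_name(value: str) -> bool:
    """Bare hostname only: rejects anything carrying a scheme, port, path or userinfo."""
    if not value or len(value) > 253 or any(c in value for c in ":/?#@"):
        return False
    return all(_LABEL.match(label) for label in value.split("."))

def check_x509_san_dns(auth_request_uri: str, request_object: dict, leaf_san_dns: list) -> list:
    """Return the reasons to reject the request (an empty list means accept)."""
    problems = []
    if request_object.get("client_id_scheme") != "x509_san_dns":
        return ["client_id_scheme is not x509_san_dns; this check does not apply"]
    client_id = request_object.get("client_id")
    if not client_id:
        return ["request object carries no client_id"]
    # RFC 9101: client_id in the outer request must equal the one inside the signed object.
    outer = parse_qs(urlsplit(auth_request_uri).query).get("client_id", [None])[0]
    if outer != client_id:
        problems.append(f"client_id mismatch: request URI {outer!r} vs request object {client_id!r}")
    if not is_dns_name(client_id):
        problems.append(f"client_id {client_id!r} is not a DNS name")
    elif client_id.lower() not in {san.lower() for san in leaf_san_dns}:
        problems.append(f"client_id {client_id!r} matches no dNSName SAN in the leaf certificate")
    # RFC 9101: iss, when present in a signed request object, carries the client_id.
    if request_object.get("iss") not in (None, client_id):
        problems.append("iss does not equal client_id")
    return problems

if __name__ == "__main__":
    print("fixed  :", check_x509_san_dns(AUTH_REQUEST_URI, FIXED_REQUEST, LEAF_SAN_DNS) or "accepted")
    print("broken :", check_x509_san_dns(AUTH_REQUEST_URI, BROKEN_REQUEST, LEAF_SAN_DNS))
```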


coderabbitai bot commented Feb 16, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough

Walkthrough

Modified clientId selection logic in OpenIDCredentialVerifier for the ISO_18013_7_MDOC profile, switching from using redirectUri to clientIdMap lookup with defaultClientId fallback.

Changes

Cohort / File(s) | Summary
ClientId Selection Logic
waltid-libraries/protocols/waltid-openid4vc/src/commonMain/kotlin/id/walt/oid4vc/providers/OpenIDCredentialVerifier.kt | Updated clientId resolution for ISO_18013_7_MDOC profile to prioritize config.clientIdMap[clientIdScheme] over config.redirectUri, with fallback to config.defaultClientId.
🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (2 warnings)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection | ⚠️ Warning | ❌ Merge conflicts detected (35 files):

⚔️ .gitignore (content)
⚔️ gradle/libs.versions.toml (content)
⚔️ settings.gradle.kts (content)
⚔️ waltid-libraries/credentials/waltid-digital-credentials-examples/build.gradle.kts (content)
⚔️ waltid-libraries/credentials/waltid-digital-credentials/build.gradle.kts (content)
⚔️ waltid-libraries/credentials/waltid-mdoc-credentials2/build.gradle.kts (content)
⚔️ waltid-libraries/credentials/waltid-mdoc-credentials2/src/commonMain/kotlin/id/walt/mdoc/crypto/MdocCryptoHelper.kt (content)
⚔️ waltid-libraries/credentials/waltid-mdoc-credentials2/src/commonMain/kotlin/id/walt/mdoc/objects/SessionTranscript.kt (content)
⚔️ waltid-libraries/credentials/waltid-mdoc-credentials2/src/commonMain/kotlin/id/walt/mdoc/objects/dcapi/DCAPIEncryptionInfo.kt (content)
⚔️ waltid-libraries/credentials/waltid-mdoc-credentials2/src/commonMain/kotlin/id/walt/mdoc/objects/deviceretrieval/DeviceRequest.kt (content)
⚔️ waltid-libraries/credentials/waltid-mdoc-credentials2/src/commonMain/kotlin/id/walt/mdoc/verification/MdocVerificationContext.kt (content)
⚔️ waltid-libraries/credentials/waltid-mdoc-credentials2/src/commonMain/kotlin/id/walt/mdoc/verification/MdocVerifier.kt (content)
⚔️ waltid-libraries/credentials/waltid-verification-policies2-vp/README.md (content)
⚔️ waltid-libraries/credentials/waltid-verification-policies2-vp/build.gradle.kts (content)
⚔️ waltid-libraries/credentials/waltid-verification-policies2-vp/src/commonMain/kotlin/id/walt/policies2/vp/policies/VPVerificationContext.kt (content)
⚔️ waltid-libraries/credentials/waltid-verification-policies2-vp/src/commonMain/kotlin/id/walt/policies2/vp/policies/mso_mdoc/DeviceAuthMdocVpPolicy.kt (content)
⚔️ waltid-libraries/credentials/waltid-verification-policies2-vp/src/jvmTest/kotlin/id/walt/policies2/vp/policies/mso_mdoc/IssuerSignedDataMdocVpPolicyTest.kt (content)
⚔️ waltid-libraries/credentials/waltid-vical/build.gradle.kts (content)
⚔️ waltid-libraries/crypto/waltid-cose/build.gradle.kts (content)
⚔️ waltid-libraries/crypto/waltid-cose/src/commonMain/kotlin/id/walt/cose/Cose.kt (content)
⚔️ waltid-libraries/crypto/waltid-crypto/build.gradle.kts (content)
⚔️ waltid-libraries/crypto/waltid-crypto/src/jvmMain/kotlin/id/walt/crypto/keys/jwk/JWKKey.jvm.kt (content)
⚔️ waltid-libraries/protocols/waltid-openid4vc/src/commonMain/kotlin/id/walt/oid4vc/providers/OpenIDCredentialVerifier.kt (content)
⚔️ waltid-libraries/protocols/waltid-openid4vp-verifier-openapi/README.md (content)
⚔️ waltid-libraries/protocols/waltid-openid4vp-verifier/README.md (content)
⚔️ waltid-libraries/protocols/waltid-openid4vp-verifier/build.gradle.kts (content)
⚔️ waltid-libraries/protocols/waltid-openid4vp-wallet/build.gradle.kts (content)
⚔️ waltid-services/waltid-openid4vp-conformance-runners/src/main/kotlin/id/walt/openid4vp/conformance/testplans/ConformanceTestRunner.kt (content)
⚔️ waltid-services/waltid-openid4vp-conformance-runners/src/main/kotlin/id/walt/openid4vp/conformance/testplans/http/Verifier2Interface.kt (content)
⚔️ waltid-services/waltid-openid4vp-conformance-runners/src/main/kotlin/id/walt/openid4vp/conformance/testplans/plans/MdlX509SanDnsRequestUriSignedDirectPost.kt (content)
⚔️ waltid-services/waltid-openid4vp-conformance-runners/src/main/kotlin/id/walt/openid4vp/conformance/testplans/plans/SdJwtVcX509SanDnsRequestUriSignedDirectPost.kt (content)
⚔️ waltid-services/waltid-openid4vp-conformance-runners/src/main/kotlin/id/walt/openid4vp/conformance/testplans/plans/TestPlanResult.kt (content)
⚔️ waltid-services/waltid-openid4vp-conformance-runners/src/main/kotlin/id/walt/openid4vp/conformance/testplans/runner/TestPlanRunner.kt (content)
⚔️ waltid-services/waltid-openid4vp-conformance-runners/src/main/kotlin/id/walt/openid4vp/conformance/testplans/runner/req/TestPlanConfiguration.kt (content)
⚔️ waltid-services/waltid-verifier-api2/build.gradle.kts (content)

These conflicts must be resolved before merging into main.
Resolve conflicts locally and push changes to this branch.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the main change: fixing client_id for the ISO_18013_7_MDOC profile in OpenID credential verification.
Description check | ✅ Passed | The description provides comprehensive context with OpenID spec references, configuration details, Docker build instructions, and test reproduction steps with curl commands and JWT payloads.

