From 4ed128bb59609449ed66fd00a06a85f43ef6e256 Mon Sep 17 00:00:00 2001
From: Rein Krul <info@reinkrul.nl>
Date: Mon, 4 May 2026 16:12:38 +0200
Subject: [PATCH 1/5] Add Authorization Details JSON input to Request
 Credential form

Assisted by AI
---
 .../admin/credentials/RequestCredential.vue   | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/web/src/admin/credentials/RequestCredential.vue b/web/src/admin/credentials/RequestCredential.vue
index 54e5a1f..0e2753a 100644
--- a/web/src/admin/credentials/RequestCredential.vue
+++ b/web/src/admin/credentials/RequestCredential.vue
@@ -28,6 +28,14 @@
         <label>Issuer</label>
         <p>{{ getIssuerForType(selectedCredentialType) }}</p>
       </div>
+      <details>
+        <summary>Authorization Details (JSON)</summary>
+        <textarea v-model="authorizationDetails"
+                  rows="8"
+                  :placeholder="authorizationDetailsPlaceholder"
+                  spellcheck="false"></textarea>
+        <p v-if="authorizationDetailsError" class="text-red-500 text-sm">{{ authorizationDetailsError }}</p>
+      </details>
     </div>
   </modal-window>
 </template>
@@ -43,6 +51,8 @@ export default {
     return {
       selectedCredentialType: '',
       selectedWalletDID: '',
+      authorizationDetails: '',
+      authorizationDetailsError: undefined,
       issueError: undefined,
       credentialProfiles: [],
       walletDIDs: [],
@@ -51,6 +61,9 @@ export default {
   computed: {
     subjectID() {
       return this.$route.params.subjectID
+    },
+    authorizationDetailsPlaceholder() {
+      return '[{"type": "openid_credential", ...}]'
     }
   },
   created() {
@@ -93,6 +106,7 @@ export default {
     },
     issueCredential() {
       this.issueError = undefined
+      this.authorizationDetailsError = undefined
       const issuerDID = this.getIssuerForType(this.selectedCredentialType)
       if (!issuerDID) {
         this.issueError = 'No issuer found for selected credential type'
@@ -104,6 +118,17 @@ export default {
         return
       }
 
+      let parsedAuthorizationDetails
+      const trimmedAuthorizationDetails = this.authorizationDetails.trim()
+      if (trimmedAuthorizationDetails) {
+        try {
+          parsedAuthorizationDetails = JSON.parse(trimmedAuthorizationDetails)
+        } catch (e) {
+          this.authorizationDetailsError = 'Invalid JSON: ' + e.message
+          return
+        }
+      }
+
       const redirectUri = `${window.location.origin}${window.location.pathname}${this.$router.resolve({name: 'admin.identityDetails', params: {subjectID: this.subjectID}}).href}`
 
       const requestBody = {
@@ -112,6 +137,9 @@ export default {
         wallet_did: this.selectedWalletDID,
         redirect_uri: redirectUri,
       }
+      if (parsedAuthorizationDetails !== undefined) {
+        requestBody.authorization_details = parsedAuthorizationDetails
+      }
 
       this.$api.post(`api/proxy/internal/auth/v2/${encodeURIPath(this.subjectID)}/request-credential`, requestBody)
           .then(data => {
@@ -147,5 +175,22 @@ export default {
 :deep(select) {
   width: 100%;
 }
+
+details {
+  margin-top: 0.5rem;
+}
+
+details > summary {
+  cursor: pointer;
+  user-select: none;
+  font-weight: 500;
+}
+
+details > textarea {
+  width: 100%;
+  margin-top: 0.5rem;
+  font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+  font-size: 0.875rem;
+}
 </style>
 

From d6ce401922e4cf7b76270b3524627ca667b02439 Mon Sep 17 00:00:00 2001
From: Rein Krul <info@reinkrul.nl>
Date: Tue, 5 May 2026 10:27:37 +0200
Subject: [PATCH 2/5] Validate Authorization Details shape and tidy form state

Reject non-array JSON or arrays containing non-object entries with
inline errors (matches the Nuts node API contract: array of objects).
Clear the parse/validation error reactively while the user edits, and
demote the placeholder from a computed property to a static data field.

Assisted by AI
---
 .../admin/credentials/RequestCredential.vue   | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/web/src/admin/credentials/RequestCredential.vue b/web/src/admin/credentials/RequestCredential.vue
index 0e2753a..5d0fde9 100644
--- a/web/src/admin/credentials/RequestCredential.vue
+++ b/web/src/admin/credentials/RequestCredential.vue
@@ -53,6 +53,7 @@ export default {
       selectedWalletDID: '',
       authorizationDetails: '',
       authorizationDetailsError: undefined,
+      authorizationDetailsPlaceholder: '[{"type": "openid_credential", ...}]',
       issueError: undefined,
       credentialProfiles: [],
       walletDIDs: [],
@@ -61,9 +62,11 @@ export default {
   computed: {
     subjectID() {
       return this.$route.params.subjectID
-    },
-    authorizationDetailsPlaceholder() {
-      return '[{"type": "openid_credential", ...}]'
+    }
+  },
+  watch: {
+    authorizationDetails() {
+      this.authorizationDetailsError = undefined
     }
   },
   created() {
@@ -127,6 +130,17 @@ export default {
           this.authorizationDetailsError = 'Invalid JSON: ' + e.message
           return
         }
+        if (!Array.isArray(parsedAuthorizationDetails)) {
+          this.authorizationDetailsError = 'Authorization Details must be a JSON array'
+          return
+        }
+        const nonObject = parsedAuthorizationDetails.find(
+            entry => entry === null || typeof entry !== 'object' || Array.isArray(entry)
+        )
+        if (nonObject !== undefined) {
+          this.authorizationDetailsError = 'Each Authorization Details entry must be a JSON object'
+          return
+        }
       }
 
       const redirectUri = `${window.location.origin}${window.location.pathname}${this.$router.resolve({name: 'admin.identityDetails', params: {subjectID: this.subjectID}}).href}`

From 85ec36b8527d0d45d42da2500c0cc912f272c7b9 Mon Sep 17 00:00:00 2001
From: Rein Krul <info@reinkrul.nl>
Date: Tue, 5 May 2026 11:44:23 +0200
Subject: [PATCH 3/5] Show error banner when credential request flow fails

The OpenID4VCI flow redirects back to the identity details page with
"error" (and optional "error_description") query parameters when the
issuer or Nuts node rejects the request. Surface them in a dedicated
banner and strip them from the URL so a refresh doesn't re-show.

Assisted by AI
---
 web/src/admin/IdentityDetails.vue | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/web/src/admin/IdentityDetails.vue b/web/src/admin/IdentityDetails.vue
index 4e5e87d..33585b8 100644
--- a/web/src/admin/IdentityDetails.vue
+++ b/web/src/admin/IdentityDetails.vue
@@ -1,6 +1,7 @@
 <template>
   <div>
     <h1>Identity: {{ $route.params.subjectID }}</h1>
+    <ErrorMessage v-if="requestCredentialError" :title="'Credential request failed'" :message="requestCredentialError"/>
     <ErrorMessage v-if="fetchError" :message="fetchError"/>
     <div v-if="details">
       <section>
@@ -136,6 +137,7 @@ export default {
   data() {
     return {
       fetchError: undefined,
+      requestCredentialError: undefined,
       details: undefined,
       shownDIDDocument: undefined,
       discoveryServices: {},
@@ -143,12 +145,21 @@ export default {
     }
   },
   created() {
+    this.captureRedirectError()
     this.fetchData()
   },
   methods: {
     updateStatus(event) {
       this.$emit('statusUpdate', event)
     },
+    captureRedirectError() {
+      const {error, error_description, ...rest} = this.$route.query
+      if (!error) {
+        return
+      }
+      this.requestCredentialError = error_description ? `${error}: ${error_description}` : error
+      this.$router.replace({name: this.$route.name, params: this.$route.params, query: rest})
+    },
     fetchData() {
       this.$api.get('api/config')
           .then(data => {

From 1b49f511a4e40efc1a8d15d48a586d3eeee67511 Mon Sep 17 00:00:00 2001
From: Rein Krul <info@reinkrul.nl>
Date: Tue, 5 May 2026 11:51:28 +0200
Subject: [PATCH 4/5] Read credential request error params from
 window.location.search

The router uses hash mode, so the redirect_uri ends in
#/admin/identity/<id>. OAuth-compliant issuers append error and
error_description to the URL's query component (before the fragment),
so they land in window.location.search and are invisible to the
hash-based vue-router. Read from both locations and clean up both.

Assisted by AI
---
 web/src/admin/IdentityDetails.vue | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/web/src/admin/IdentityDetails.vue b/web/src/admin/IdentityDetails.vue
index 33585b8..e1d0183 100644
--- a/web/src/admin/IdentityDetails.vue
+++ b/web/src/admin/IdentityDetails.vue
@@ -153,12 +153,29 @@ export default {
       this.$emit('statusUpdate', event)
     },
     captureRedirectError() {
-      const {error, error_description, ...rest} = this.$route.query
+      // OAuth-compliant issuers put error params in the URL's query component (window.location.search),
+      // which is outside the hash-router's view. Check both locations.
+      const searchParams = new URLSearchParams(window.location.search)
+      const error = searchParams.get('error') || this.$route.query.error
+      const errorDescription = searchParams.get('error_description') || this.$route.query.error_description
       if (!error) {
         return
       }
-      this.requestCredentialError = error_description ? `${error}: ${error_description}` : error
-      this.$router.replace({name: this.$route.name, params: this.$route.params, query: rest})
+      this.requestCredentialError = errorDescription ? `${error}: ${errorDescription}` : error
+
+      if (searchParams.has('error') || searchParams.has('error_description')) {
+        searchParams.delete('error')
+        searchParams.delete('error_description')
+        const newSearch = searchParams.toString()
+        const newUrl = window.location.pathname + (newSearch ? '?' + newSearch : '') + window.location.hash
+        window.history.replaceState(window.history.state, '', newUrl)
+      }
+      if (this.$route.query.error || this.$route.query.error_description) {
+        const rest = Object.fromEntries(
+            Object.entries(this.$route.query).filter(([k]) => k !== 'error' && k !== 'error_description')
+        )
+        this.$router.replace({name: this.$route.name, params: this.$route.params, query: rest})
+      }
     },
     fetchData() {
       this.$api.get('api/config')

From eb61032acb18c0a59efb28c254d94728d22adcd4 Mon Sep 17 00:00:00 2001
From: Rein Krul <info@reinkrul.nl>
Date: Tue, 5 May 2026 15:25:41 +0200
Subject: [PATCH 5/5] Format credential request error for readability

Render the OAuth error code as a small uppercase mono badge and the
description on its own line. Insert a newline before each ", word:"
fragment in the description so wrapped Go-style errors break onto
their own line.

Adds a default slot to ErrorMessage so callers can supply structured
body content; the existing message prop keeps working as the fallback.

Assisted by AI
---
 web/src/admin/IdentityDetails.vue   | 17 +++++++++++++++--
 web/src/components/ErrorMessage.vue |  2 +-
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/web/src/admin/IdentityDetails.vue b/web/src/admin/IdentityDetails.vue
index e1d0183..315ad96 100644
--- a/web/src/admin/IdentityDetails.vue
+++ b/web/src/admin/IdentityDetails.vue
@@ -1,7 +1,10 @@
 <template>
   <div>
     <h1>Identity: {{ $route.params.subjectID }}</h1>
-    <ErrorMessage v-if="requestCredentialError" :title="'Credential request failed'" :message="requestCredentialError"/>
+    <ErrorMessage v-if="requestCredentialError" title="Credential request failed">
+      <div class="font-mono text-xs uppercase tracking-wide">{{ requestCredentialError }}</div>
+      <div v-if="formattedRequestCredentialErrorDescription" class="whitespace-pre-line mt-2">{{ formattedRequestCredentialErrorDescription }}</div>
+    </ErrorMessage>
     <ErrorMessage v-if="fetchError" :message="fetchError"/>
     <div v-if="details">
       <section>
@@ -138,12 +141,21 @@ export default {
     return {
       fetchError: undefined,
       requestCredentialError: undefined,
+      requestCredentialErrorDescription: undefined,
       details: undefined,
       shownDIDDocument: undefined,
       discoveryServices: {},
       credentialProfiles: [],
     }
   },
+  computed: {
+    formattedRequestCredentialErrorDescription() {
+      if (!this.requestCredentialErrorDescription) {
+        return ''
+      }
+      return this.requestCredentialErrorDescription.replace(/, ([a-zA-Z]+):/g, '\n$1:')
+    }
+  },
   created() {
     this.captureRedirectError()
     this.fetchData()
@@ -161,7 +173,8 @@ export default {
       if (!error) {
         return
       }
-      this.requestCredentialError = errorDescription ? `${error}: ${errorDescription}` : error
+      this.requestCredentialError = error
+      this.requestCredentialErrorDescription = errorDescription
 
       if (searchParams.has('error') || searchParams.has('error_description')) {
         searchParams.delete('error')
diff --git a/web/src/components/ErrorMessage.vue b/web/src/components/ErrorMessage.vue
index 8c1bee9..efb4ee0 100644
--- a/web/src/components/ErrorMessage.vue
+++ b/web/src/components/ErrorMessage.vue
@@ -3,7 +3,7 @@
       class="appearance-none mb-2 mt-2 px-6 py-3.5 w-full text-sm text-red-500 bg-red-100 placeholder-red-500 outline-hidden border border-red-500 focus:ring-4 focus:ring-blue-200 rounded-md"
       role="alert">
     <div class="font-semibold mb-2">{{ title }}</div>
-    <div>{{ message }}</div>
+    <div><slot>{{ message }}</slot></div>
     <div v-if="showReauthenticateButton" class="mt-3">
       <button type="button"
               class="btn btn-danger"