DO NOT MERGE: Project branch for Generic Functions (Pilot Phase)#4308
Draft
reinkrul wants to merge 107 commits into
Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Extract the Jaeger trace verification out of the rfc021 OAuth flow test into a dedicated, simpler test with a single node. Keeps the rfc021 test focused on OAuth and avoids coupling tracing verification to an unrelated multi-node flow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ly, use traced endpoint The node fails to start under strictmode without a SQL connection string, and its internal HTTP binds to 127.0.0.1 by default. Also /status/health/metrics are excluded from tracing middleware, so the test now hits an endpoint that produces spans. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- SC1091 in tracing run-test.sh: disable directive (qlty doesn't run with -x) - SC2086 on modified line in rfc021 do-test.sh: quote $REQUEST Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The node was stuck downloading IRMA schemes at startup on slower CI runners, causing the container healthcheck to time out before HTTP was ready. Switch to a nuts.yaml config that disables IRMA schema autoupdate and restricts contract validators to 'dummy' (IRMA isn't used by this test). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
handleAccessTokenRequest stopped filling InputDescriptorConstraintIdMap after createAccessToken was refactored to take an AccessToken template, causing the browser e2e Test_UserAccessToken_EmployeeCredential to fail with an empty AdditionalProperties map on introspection. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sets non-sensitive OAuth2 request params (grant_type, client_id, scope, response_type, error) as attributes on the current OTEL span so traces and logs can be filtered by them. Covers the token, authorize and authorize-response endpoints. Logs the verbose oauth.error_description separately to avoid high-cardinality trace attributes. Assisted by AI
Extracts the shared helper from auth/api/iam into auth/oauth so both the server-side token/authorize handlers and the outbound HTTPClient token request attach oauth.grant_type, oauth.client_id, oauth.scope and oauth.response_type to the current OTEL span. Assisted by AI
Assisted by AI
Without an explicit span, oauth.SetSpanAttributes ran before otelhttp created the HTTP span, so attributes landed on the parent handler span (or were dropped when no parent existed) instead of on the outbound token request span where they're useful. Assisted by AI
Assisted by AI
When using mCSD for addressing, the OAuth token endpoint must be provided to the AT-Request instead of being resolved via a DID-Document. This commit adds a request param for this.
…l Request
Adds an optional credential_details JSON object to POST /internal/auth/v2/{subjectID}/request-credential. The node uses it as the base body of the outgoing OpenID4VCI Credential Request and overlays its own JWT proof on top. Lets the wallet integrate with issuers (e.g. AET SDK) that accept additional fields in the Credential Request body beyond what OpenID4VCI v1.0 defines.
Closes #4233
Assisted by AI
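The overlay described in the commit above, as an added example that is not nuts-node code: the caller-supplied credential_details object becomes the base body and the node's JWT proof is written on top of it. BuildCredentialRequest, jwtProof and nodeOwnedFields are names assumed here for illustration. The check a practitioner wants from such an overlay is that the base body cannot smuggle in a proof the node never produced, so node-owned members are stripped before the real proof is set, and a credential_details value that is not a JSON object is rejected instead of silently ignored.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// jwtProof is the proof object the node itself generates for the Credential Request.
type jwtProof struct {
	ProofType string `json:"proof_type"`
	JWT       string `json:"jwt"`
}

// nodeOwnedFields are Credential Request members the caller's credential_details may
// never set, because the node produces them. The list is an assumption of this example.
var nodeOwnedFields = []string{"proof", "proofs"}

// BuildCredentialRequest uses the optional credential_details object as the base body
// of the outgoing OpenID4VCI Credential Request and overlays the node's JWT proof.
// Issuer-specific extra members in credentialDetails pass through untouched; the
// proof always comes from proofJWT, whatever the caller put in the base.
func BuildCredentialRequest(credentialDetails json.RawMessage, proofJWT string) ([]byte, error) {
	if proofJWT == "" {
		return nil, errors.New("proof JWT must not be empty")
	}
	body := map[string]any{}
	if len(credentialDetails) > 0 {
		// Unmarshalling into a map fails for arrays, strings and numbers, so a
		// non-object credential_details is rejected instead of silently dropped.
		if err := json.Unmarshal(credentialDetails, &body); err != nil {
			return nil, fmt.Errorf("credential_details must be a JSON object: %w", err)
		}
		if body == nil { // JSON null decodes to a nil map
			body = map[string]any{}
		}
	}
	// Strip node-owned members so the caller cannot pre-seed a proof the node
	// never produced; only then add the real proof.
	for _, k := range nodeOwnedFields {
		delete(body, k)
	}
	body["proof"] = jwtProof{ProofType: "jwt", JWT: proofJWT}
	return json.Marshal(body)
}

func main() {
	// Constructed sample: an issuer-specific base body that also tries to supply its own proof.
	details := json.RawMessage(`{"format":"jwt_vc_json","vct":"urn:example:employee","proof":{"proof_type":"jwt","jwt":"forged"}}`)
	out, err := BuildCredentialRequest(details, "eyJhbGciOiJFUzI1NiJ9.node.sig")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(out))
}
```

Whether format or credential_configuration_id should also be node-owned depends on which side is trusted to pick the credential type; the example only protects the proof, which is the member the commit says the node overlays.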
Switch VerifiableCredentials to TestResponseCodeWithLog so the upstream response body is surfaced in the logs, making it possible to diagnose 4xx/5xx responses from the credential endpoint. Assisted by AI
The 1.0 spec wraps credentials in a "credentials" array; pre-1.0 drafts returned a single "credential" string. Custom UnmarshalJSON on CredentialResponse handles both, taking the first entry from the array form and warning if the issuer returned more. Assisted by AI
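The dual-shape parsing described in the commit above, as an added example that is not the project's code. It goes slightly beyond the commit message by accepting array entries either as bare strings (as in pre-1.0 drafts that already used the array) or as {"credential": ...} objects (the 1.0 wrapping); the names CredentialResponse, credentialString and the Dropped field are assumptions of this example. It handles only string-encoded credentials (JWT, SD-JWT), uses the first array entry and logs when more were returned, and refuses a response that carries neither field rather than returning an empty credential.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

// CredentialResponse is the wallet-side view of an OpenID4VCI Credential Response.
// Only string-encoded credentials (JWT, SD-JWT) are handled here.
type CredentialResponse struct {
	Credential string
	// Dropped counts array entries after the first, which are ignored.
	Dropped int
}

// UnmarshalJSON accepts both the 1.0 shape ("credentials": [...]) and the pre-1.0
// shape ("credential": "..."). The first array entry is used; the rest are
// counted and logged so a misbehaving issuer shows up in the logs.
func (r *CredentialResponse) UnmarshalJSON(data []byte) error {
	var raw struct {
		Credential  json.RawMessage   `json:"credential"`
		Credentials []json.RawMessage `json:"credentials"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	switch {
	case len(raw.Credentials) > 0:
		cred, err := credentialString(raw.Credentials[0])
		if err != nil {
			return err
		}
		r.Credential = cred
		r.Dropped = len(raw.Credentials) - 1
		if r.Dropped > 0 {
			log.Printf("issuer returned %d credentials, using only the first", len(raw.Credentials))
		}
	case len(raw.Credential) > 0:
		cred, err := credentialString(raw.Credential)
		if err != nil {
			return err
		}
		r.Credential = cred
		r.Dropped = 0
	default:
		// Refuse here rather than hand back an empty credential that fails later
		// in a less obvious place (when the wallet stores or presents it).
		return errors.New("credential response has neither 'credentials' nor 'credential'")
	}
	return nil
}

// credentialString reads one credential entry: either a bare string
// ("eyJ...") or the 1.0 object wrapper {"credential": "eyJ..."}.
func credentialString(entry json.RawMessage) (string, error) {
	var s string
	if err := json.Unmarshal(entry, &s); err == nil && s != "" {
		return s, nil
	}
	var obj struct {
		Credential string `json:"credential"`
	}
	if err := json.Unmarshal(entry, &obj); err != nil || obj.Credential == "" {
		return "", fmt.Errorf("credential entry is neither a non-empty string nor an object with a string 'credential': %s", entry)
	}
	return obj.Credential, nil
}

func main() {
	// Constructed sample responses, one per shape; not captured from a real issuer.
	for _, body := range []string{
		`{"credential":"eyJ.legacy.sig"}`,
		`{"credentials":["eyJ.draft.sig"]}`,
		`{"credentials":[{"credential":"eyJ.first.sig"},{"credential":"eyJ.second.sig"}],"c_nonce":"n1"}`,
		`{"c_nonce":"n2"}`,
	} {
		var resp CredentialResponse
		if err := json.Unmarshal([]byte(body), &resp); err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("credential=%s dropped=%d\n", resp.Credential, resp.Dropped)
	}
}
```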
Conflicts:
  auth/api/iam/bearer_token.go
  auth/api/iam/s2s_vptoken_test.go
  auth/auth.go
  auth/client/iam/client.go
  auth/client/iam/openid4vp.go
  auth/client/iam/openid4vp_test.go
  auth/services/oauth/authz_server_test.go
  auth/test.go
  crypto/jwx/algorithm.go
  crypto/jwx_test.go
Conflicts:
  auth/api/iam/openid4vci.go
  auth/api/iam/openid4vci_test.go
  auth/api/iam/session.go
  auth/client/iam/client.go
  docs/_static/auth/v2.yaml
  docs/pages/release_notes.rst
When the OpenID4VCI credential endpoint returns a non-2xx status, log the status code and response body (Warn) so issuance failures (e.g. 400) can be diagnosed without enabling debug. The body is already buffered for structured-error parsing, so no extra read. Assisted by AI
Pilot branch carrying the master merge so project-gf stays untouched. Conflict resolution (overlapping RFC 7523 jwt-bearer work on both sides):
- jwt-bearer flow: adopted master's design (two-VP flow gated by service_provider_subject_id + auth.experimental.jwtbearerclient). Dropped project-gf's single-VP grant negotiation.
- Consolidated grant-type constant to oauth.JwtBearerGrantType.
- Dropped policy_id (request param, client signature, OpenAPI field); the presentation definition is resolved from scope. Regenerated API.
- Preserved project-gf-only behavior: disabled access-token cache (credential-revocation testing), OpenIdCredentialIssuerMetadata / VerifiableCredentials client methods, server-side jwt-bearer handler, GrantTypes config, gorm pinned at v1.30.2.
- Regenerated mocks and IAM API after resolving.
Assisted by AI
Coverage Impact ⬇️ Merging this pull request will decrease total coverage on Modified Files with Diff Coverage (28). See full report on Qlty Cloud.
Add project-gf-pilot to the build-images push/pull_request triggers so it builds and pushes a branch-tagged image, same as project-gf. Assisted by AI
Pilot Phase branch for Generic Functions, branched from project-gf with master merged in. Kept separate from project-gf so the PoC branch's backwards compatibility stays untouched.

Merge resolution notes

Both project-gf and master independently implemented an RFC 7523 jwt-bearer flow; resolved as follows:
- jwt-bearer flow: adopted master's design (two-VP flow gated by service_provider_subject_id + auth.experimental.jwtbearerclient). Dropped project-gf's single-VP grant negotiation.
- Grant-type constant consolidated to oauth.JwtBearerGrantType.
- policy_id: dropped (request param, client signature, and OpenAPI field); the presentation definition is resolved from scope. API regenerated.
- Preserved project-gf-only behavior: disabled access-token cache (credential-revocation testing), OpenIdCredentialIssuerMetadata / VerifiableCredentials client methods, server-side jwt-bearer handler, GrantTypes config, gorm pinned at v1.30.2.
- go mod tidy reconciled dependencies.
- Full test suite passes.
Assisted by AI