keycloak/keycloak

[OID4VCI] Issuance with Authorization Code Flow assumes same client_id for offer creation and redemption

Open

#48.188 geöffnet am 17. Apr. 2026

Auf GitHub ansehen
 (7 Kommentare) (1 Reaktion) (0 zugewiesene Personen)Java (8.346 Forks)batch import
area/oid4vchelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-protocols

Repository-Metriken

Stars
 (34.398 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 6T 19h) (384 gemergte PRs in 30 T)

Beschreibung

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oid4vc

Describe the bug

When testing against the German testing wallet from SPRIND i found, that Keycloak currently assumes the same client_id is used when creating the offer as when fetching it. That assumption is wrong, because the wallet uses its own client to do the authentication flow and subsequently to redeem the offer.

Version

26.6.1

Regression

  • The issue is a regression

Expected behavior

Offer can be fetched using a different client than the one used to create it, if the wallet client is authorized to do so

Actual behavior

invalid_credential_request error with "Unexpected login client"

How to Reproduce?

  • Create offer using client_id app
  • Scan offer QR code
  • Wallet initiates auth code flow using client_id wallet
  • Wallet tries to fetch the offer using client_id wallet

Anything else?

No response

Contributor Guide