keycloak/keycloak
Vedi su GitHub[OID4VCI] Issuance with Authorization Code Flow assumes same client_id for offer creation and redemption
Open
#48.188 aperta il 17 apr 2026
area/oid4vchelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-protocols
Metriche repository
- Star
- (34.398 star)
- Metriche merge PR
- (Merge medio 6g 19h) (384 PR mergiate in 30 g)
Descrizione
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oid4vc
Describe the bug
When testing against the German testing wallet from SPRIND i found, that Keycloak currently assumes the same client_id is used when creating the offer as when fetching it.
That assumption is wrong, because the wallet uses its own client to do the authentication flow and subsequently to redeem the offer.
Version
26.6.1
Regression
- The issue is a regression
Expected behavior
Offer can be fetched using a different client than the one used to create it, if the wallet client is authorized to do so
Actual behavior
invalid_credential_request error with "Unexpected login client"
How to Reproduce?
- Create offer using client_id
app - Scan offer QR code
- Wallet initiates auth code flow using client_id
wallet - Wallet tries to fetch the offer using client_id
wallet
Anything else?
No response