keycloak/keycloak

[OID4VCI] Issuance with Authorization Code Flow assumes same client_id for offer creation and redemption

Open

#48.188 aberto em 17 de abr. de 2026

Ver no GitHub
 (7 comments) (1 reaction) (0 assignees)Java (8.346 forks)batch import
area/oid4vchelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-protocols

Métricas do repositório

Stars
 (34.398 stars)
Métricas de merge de PR
 (Mesclagem média 6d 19h) (384 fundiu PRs em 30d)

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oid4vc

Describe the bug

When testing against the German testing wallet from SPRIND i found, that Keycloak currently assumes the same client_id is used when creating the offer as when fetching it. That assumption is wrong, because the wallet uses its own client to do the authentication flow and subsequently to redeem the offer.

Version

26.6.1

Regression

  • The issue is a regression

Expected behavior

Offer can be fetched using a different client than the one used to create it, if the wallet client is authorized to do so

Actual behavior

invalid_credential_request error with "Unexpected login client"

How to Reproduce?

  • Create offer using client_id app
  • Scan offer QR code
  • Wallet initiates auth code flow using client_id wallet
  • Wallet tries to fetch the offer using client_id wallet

Anything else?

No response

Guia do colaborador