keycloak/keycloak
Ver no GitHub[OID4VCI] Issuance with Authorization Code Flow assumes same client_id for offer creation and redemption
Open
#48.188 aberto em 17 de abr. de 2026
area/oid4vchelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-protocols
Métricas do repositório
- Stars
- (34.398 stars)
- Métricas de merge de PR
- (Mesclagem média 6d 19h) (384 fundiu PRs em 30d)
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oid4vc
Describe the bug
When testing against the German testing wallet from SPRIND i found, that Keycloak currently assumes the same client_id is used when creating the offer as when fetching it.
That assumption is wrong, because the wallet uses its own client to do the authentication flow and subsequently to redeem the offer.
Version
26.6.1
Regression
- The issue is a regression
Expected behavior
Offer can be fetched using a different client than the one used to create it, if the wallet client is authorized to do so
Actual behavior
invalid_credential_request error with "Unexpected login client"
How to Reproduce?
- Create offer using client_id
app - Scan offer QR code
- Wallet initiates auth code flow using client_id
wallet - Wallet tries to fetch the offer using client_id
wallet
Anything else?
No response