adorsys / keycloak-ssi-deployment

Keycloak: Credential time field is named 'nbf' but on the wallet is 'iat' #44

Closed hugoib closed 2 months ago

hugoib commented 4 months ago

For the demo, the following change was made:

Image

Marcjazz commented 3 months ago

@francis-pouatcha I have gone through the Keycloak OID4VC issuance implementation. I noticed that we've defaulted the value of the nbf claim to iat, but we've not added the iat claim/value set in our rootNode.

I would like to seize this opportunity to contribute to Keycloak.

```java
// Get the issuance date from the credential. Since nbf is mandatory, we set it to the current time if not
// provided
long iat = Optional.ofNullable(verifiableCredential.getIssuanceDate())
        .map(issuanceDate -> issuanceDate.toInstant().getEpochSecond())
        .orElse((long) timeProvider.currentTimeSeconds());
rootNode.put(NOT_BEFORE_CLAIM, iat);
```

https://github.com/adorsys/keycloak-oid4vc/blob/e3f8e70f61cf7f41d6b9c79bfac8af46e781df1b/services/src/main/java/org/keycloak/protocol/oid4vc/issuance/signing/SdJwtSigningService.java#L126
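
An added example, not code from Keycloak or from this repository: a sketch of how a wallet or verifier could evaluate the credential's time claims so that a payload carrying only `nbf` (as the snippet above produces) and one carrying only `iat` are handled the same way. The class name, the accept-either policy, the clock-skew parameter and the sample payloads are assumptions made for illustration.

```java
import java.util.Map;
import java.util.OptionalLong;

public class CredentialTimeClaims {
    enum Result { VALID, NOT_YET_VALID, EXPIRED, MISSING_ISSUANCE_TIME }

    // Read a NumericDate claim (seconds since the epoch).
    // An absent or non-numeric value is treated as "claim not present".
    static OptionalLong numericDate(Map<String, Object> claims, String name) {
        Object value = claims.get(name);
        return (value instanceof Number n) ? OptionalLong.of(n.longValue()) : OptionalLong.empty();
    }

    // Assumed policy: either iat or nbf is accepted as the issuance time,
    // nbf and exp are enforced when present, with a small clock-skew allowance.
    static Result check(Map<String, Object> claims, long now, long skewSeconds) {
        OptionalLong iat = numericDate(claims, "iat");
        OptionalLong nbf = numericDate(claims, "nbf");
        OptionalLong exp = numericDate(claims, "exp");

        if (iat.isEmpty() && nbf.isEmpty()) {
            return Result.MISSING_ISSUANCE_TIME;
        }
        if (nbf.isPresent() && nbf.getAsLong() > now + skewSeconds) {
            return Result.NOT_YET_VALID;
        }
        if (exp.isPresent() && exp.getAsLong() <= now - skewSeconds) {
            return Result.EXPIRED;
        }
        return Result.VALID;
    }

    public static void main(String[] args) {
        long now = 1_700_000_000L; // constructed "current time" for the demo
        long skew = 60;

        // Constructed payloads, not captured from a real issuer.
        System.out.println("only nbf:   " + check(Map.of("nbf", now - 10), now, skew));
        System.out.println("only iat:   " + check(Map.of("iat", now - 10), now, skew));
        System.out.println("neither:    " + check(Map.of("vct", "demo"), now, skew));
        System.out.println("future nbf: " + check(Map.of("nbf", now + 3600), now, skew));
        System.out.println("expired:    "
                + check(Map.of("iat", now - 7200, "exp", now - 3600), now, skew));
    }
}
```

A consumer that requires `iat` and ignores `nbf` would reject the first payload, which is the mismatch this issue describes.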

francis-pouatcha commented 3 months ago

Field is not mandatory, was removed with:

IngridPuppet commented 2 months ago

We cannot merge it yet. We'll send another PR to Keycloak.

francis-pouatcha commented 2 months ago