v2.2.0 #529

Merged
peppelinux merged 20 commits into main from dev
Mar 11, 2026

Conversation

peppelinux (Member) commented Mar 3, 2026

This pull request introduces several improvements:

  • feat(openid4vci): bind access and refresh tokens to DPoP key (RFC 9449)
  • feat(openid4vci): reject PAR jti replay (RFC 9126)
  • feat(openid4vci): verify key_attestation (WUA) in credential proof when present
  • doc(openid4vci): document OpenID Federation integration for trust evaluation
  • feat(openid4vp): validate mdoc SessionTranscript for OpenID4VP profile (ISO 18013-7)
  • feat: openid4vci add proof jwt specific checks

It also brings the following ones:

Documentation and Protocol Support:

  • Added a comprehensive protocol compliance checklist for OpenID4VCI and OpenID4VP, detailing supported and unsupported features according to the Italian Wallet implementation profile in the README.md.
  • Clarified the use and meaning of the default_acr_value in authorization configuration, emphasizing its role as an IdP fallback and not part of OpenID4VP.
  • Documented the new proof_jwt_required configuration option for credential endpoints, specifying its behavior and defaults.
  • Added explanation of OpenID Federation trust evaluation in the credential issuer documentation.

Configuration and Integration Test Updates:

  • Introduced the proof_jwt_required flag in integration_test/conf/openid4vci_frontend.yaml to control proof JWT requirements at the credential endpoint.
  • Removed the scopes field from backend configuration in test files, aligning with updated claim handling logic.
  • Removed redundant or misplaced security configuration sections from backend test configs.

Codebase Refactoring and Improvements:

  • Refactored imports of BaseVPParser from internal SATOSA backend modules to a centralized location in pyeudiw.credential_presentation.base_vp_parser for better modularity and testability.
  • Moved the MissingHandler exception to a new dedicated module, improving error handling in DCQL parsing.
  • Simplified the handling of vp_token and presentation_submission in authorization response parsing, focusing on DCQL flow requirements and improving robustness for varying input formats.
  • Removed unused or redundant fields from test helpers and configuration.

GitHub Actions Workflow Enhancements:

  • Improved the security-audit.yml workflow to skip duplicate runs using the fkirc/skip-duplicate-actions action, reducing unnecessary CI runs.
  • Removed the deprecated concurrency group configuration from both python-app.yml and security-audit.yml workflows.

Documentation Acknowledgments:

  • Added M&Ms to the acknowledgments section in the README.md.

  • Updated the version number to 2.2.0 in pyeudiw/__init__.py.

manpace and others added 4 commits February 17, 2026 13:04

- removed private jwks from EC
- added federation jwks to EC
- update dependencies with vulnerabilities
- mock aligned in tests with the correct jwks structure
…ty-vulnerability

Fix Private Key Exposure in JWKS
@peppelinux peppelinux marked this pull request as draft March 3, 2026 17:30
…dd protocol support recap to README

- PAR endpoint: reject requests containing request_uri parameter per RFC 9126
- Add unit test for request_uri rejection
- Add Protocol Support Recap section to README with checkboxes for:
  - OpenID4VCI: supported features and batch/deferred marked as not supported
  - OpenID4VP: supported features and transaction_data marked as not supported
When DPoP is required, include cnf.jkt (JWK thumbprint) in both access
and refresh tokens to cryptographically bind them to the DPoP key.
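The cnf.jkt binding described in the commit above (RFC 9449 DPoP, with the RFC 7638 JWK thumbprint as the binding value), as an added illustration that is not pyeudiw's own code: the issuer-side claim binding for access and refresh tokens, and the verifier-side check that the key in a presented DPoP proof hashes to the token's cnf.jkt. The function names and the sample JWK are assumptions of this example.

```python
# Added example, not code from pyeudiw: RFC 7638 JWK thumbprint used as the
# cnf.jkt binding between DPoP-bound tokens and the DPoP key (RFC 9449).
import base64
import hashlib
import hmac
import json

# Only these members enter the thumbprint (RFC 7638 section 3.2); kid, alg, use
# and any private members are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON (sorted keys, no whitespace) of the required members."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}")
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def bind_token_claims(claims: dict, dpop_jwk: dict) -> dict:
    """Issuer side: copy of the access or refresh token claims with cnf.jkt set."""
    bound = dict(claims)
    bound["cnf"] = {"jkt": jwk_thumbprint(dpop_jwk)}
    return bound


def dpop_key_matches_token(token_claims: dict, proof_jwk: dict) -> bool:
    """Verifier side: the public key in the DPoP proof header must hash to the token's
    cnf.jkt. A token that carries no (string) cnf.jkt is treated as not bound -> False."""
    expected = (token_claims.get("cnf") or {}).get("jkt")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, jwk_thumbprint(proof_jwk))


# Constructed sample P-256 public JWK; x and y are arbitrary strings, not a real key.
SAMPLE_DPOP_JWK = {"kty": "EC", "crv": "P-256", "kid": "dpop-key-1",
                   "x": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU",
                   "y": "enl4d3Z1dHNycXBvbm1sa2ppaGdmZWRjYmEwMTIzNDU"}
```

The same thumbprint is written into both the access token and the refresh token claims, so a refresh request presented with a different DPoP key is rejected by the same check.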
@peppelinux peppelinux marked this pull request as ready for review March 11, 2026 14:55
@peppelinux peppelinux merged commit 1247bcd into main Mar 11, 2026
15 checks passed
