Skip to content

Fix critical bugs in OID4VC and FAPI security code#48678

Closed
deepshekhardas wants to merge 15 commits intokeycloak:mainfrom
deepshekhardas:main
Closed

Fix critical bugs in OID4VC and FAPI security code#48678
deepshekhardas wants to merge 15 commits intokeycloak:mainfrom
deepshekhardas:main

Conversation

@deepshekhardas
Copy link
Copy Markdown

@deepshekhardas deepshekhardas commented May 4, 2026
edited
Loading

This PR fixes critical bugs, improves logging, and enhances code quality:

Bug Fixes:

  • SdJwtCredentialBuilder.java: Fixed unreachable branch - changed entry instanceof List to entry.getValue() instanceof List
  • SecureRequestObjectExecutor.java: Fixed Y2K38 bug by using Time.currentTimeMillis() / 1000 instead of Time.currentTime() for long timestamp comparisons (3 places)
  • SecureCibaSignedAuthenticationRequestExecutor.java: Fixed Y2K38 bug by using Time.currentTimeMillis() / 1000 instead of Time.currentTime() for long timestamp comparisons (2 places)

Logging Improvements:

  • WebAuthnCredentialProvider.java: Replaced wae.printStackTrace() with logger.error()
  • KeycloakErrorHandler.java: Replaced e.printStackTrace() with logger.warn()
  • LinkedAccountsResource.java: Replaced spe.printStackTrace() with logger.error()
  • AbstractClaimMapper.java: Added logging to 4 empty catch blocks for Double/Integer/Boolean/JsonNode parsing
  • OIDCAttributeMapperHelper.java: Added logging to 3 empty catch blocks for auth_time and JSON parsing
  • ProtocolMapperUtils.java: Added logging to empty catch block for method invocation
  • MtlsHoKTokenUtil.java: Added logging to empty catch block for certificate thumbprint
  • FileTruststoreProviderFactory.java: Added logging to empty catch block for JKS truststore loading

Documentation Improvements:

  • DefaultClientTypeManager.java: Added comprehensive javadoc to validateAndCastConfiguration method
  • UserConsentManager.java: Updated javadoc to explain boolean vs Boolean return type
  • DefaultClientTypeProvider.java: Removed obsolete TODO comment

Impact:

  • Proper handling of array claims in SD-JWT credentials
  • Timestamp comparisons now work correctly beyond year 2038
  • Improved error logging and debugging across 11 files
  • Removed 9 TODO/FIXME comments total

Fix critical bugs in OID4VC and FAPI security code
b9d9cd0 
- Fix SdJwtCredentialBuilder: entry.getValue() instanceof List instead of entry instanceof List
- Fix SecureRequestObjectExecutor: Use currentTimeMillis()/1000 for proper long timestamp comparison (Y2K38 bug)
- Fix SecureCibaSignedAuthenticationRequestExecutor: Use currentTimeMillis()/1000 for proper long timestamp comparison

Resolves TODO/FIXME comments from top contributors' work
@deepshekhardas deepshekhardas requested a review from a team as a code owner May 4, 2026 12:44
deepshekhardas added 2 commits May 4, 2026 18:15
Add documentation and cleanup remaining TODOs
28ebf99 
- Add comprehensive javadoc to validateAndCastConfiguration method
- Update UserConsentManager javadoc to explain boolean vs Boolean return type
- Remove obsolete TODO comment from DefaultClientTypeProvider
Replace printStackTrace with proper logging
5fe8940
@deepshekhardas deepshekhardas requested review from a team as code owners May 5, 2026 11:28
@deepshekhardas deepshekhardas requested a review from a team as a code owner May 9, 2026 07:47
deepshekhardas and others added 6 commits May 9, 2026 13:20
Feat: AuthZen Evaluations API - Add multi-evaluation endpoint
89536d9 
Cherry-picked from upstream: 5811348

Implements the AuthZen Evaluations API endpoint for batch authorization
decisions. This is part of the AuthZen authorization standard.

Changes:
- Added EvaluationsRequest and EvaluationsResponse models
- Implemented new /access/v1/evaluations endpoint
- Added support for evaluation semantics:
  - execute_all: Execute all evaluations
  - deny_on_first_deny: Stop on first deny
  - permit_on_first_permit: Stop on first permit
- Added test client helpers and test cases

Closes: keycloak#47825
Feat: OID4VCI Credentials CRUD - Database and Admin REST endpoints
3d63a2c 
Cherry-picked from upstream: f66ae8a

Implements CRUD operations for Verifiable Credentials in OID4VCI protocol.

Changes:
- Added UserVerifiableCredentialEntity for database storage
- Added UserVerifiableCredentialModel for data model
- Added UserVerifiableCredentialRepresentation for API
- Created Admin REST endpoints:
  - POST /users/{id}/verifiable-credentials
  - GET /users/{id}/verifiable-credentials
  - DELETE /users/{id}/verifiable-credentials/{credentialId}
- Added JPA changelog for database schema
- Added test cases for CRUD operations

Closes: keycloak#48546
Feat: Add startup check for missing database indexes
3b7bf6d 
Cherry-picked from upstream: 53f0251

Adds a startup validation check to verify that all required database
indexes exist. This helps prevent performance issues and identifies
missing indexes early.

Changes:
- Added DatabaseIndexChecker class for startup validation
- Checks for critical indexes like:
  - IDX_IDP_FOR_LOGIN (for identity provider login)
  - Other performance-critical indexes
- Added test cases to verify the checker works correctly
- Helps with database migration validation

This is important for production deployments to ensure optimal
database performance.
@deepshekhardas
Merge pull request #6 from deepshekhardas/pr/authzen-evaluations
f474ce6 
Feat: AuthZen Evaluations API - Add multi-evaluation endpoint
@deepshekhardas
Merge pull request #7 from deepshekhardas/pr/oid4vci-credentials
72268a6 
Feat: OID4VCI Credentials CRUD - Database and Admin REST endpoints
@deepshekhardas
Merge pull request #9 from deepshekhardas/pr/database-index-check
8668ce0 
Feat: Add startup check for missing database indexes
@matlipowski matlipowski mentioned this pull request May 9, 2026
Open
@ahus1
Copy link
Copy Markdown
Member

ahus1 commented May 9, 2026

Please consult CONTIBUTING.md before contributing. Also, you already have to PRs open which is the maximum for new contributors.

@ahus1 ahus1 closed this May 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

team/cloud-native team/core-clients team/core-iam

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@deepshekhardas @ahus1