Incorrect auth server is used for credential offers#974
Merged
tnotheis merged 4 commits intorelease/openid4vcfrom Feb 25, 2026
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR fixes an issue where the incorrect authorization server was being used for credential offers in the OpenID4VC flow. The code was previously using credentialOffer.metadata.authorizationServers[0].issuer (now removed), but has been changed to use credentialOffer.credentialOfferPayload.grants.authorization_code.authorization_server instead.
Changes:
- Replaced the authorization server extraction logic to use the correct source from the credential offer payload's grants section
- Added validation to check if the authorization server exists and show an appropriate error if it doesn't
- Added a new error message for invalid credential offers
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/app-runtime/src/AppStringProcessor.ts | Updated authorization server extraction logic and added validation for missing authorization server in credential offers |
| packages/app-runtime/src/AppRuntimeErrors.ts | Added new error message for invalid credential offers |
Comments suppressed due to low confidence (1)
packages/app-runtime/src/AppStringProcessor.ts:103
- The non-null assertion operators (!) are used on a chain that could potentially be undefined. While line 84 checks for grants?.authorization_code before calling this function, the non-null assertions on line 103 assume that grants, authorization_code, and authorization_server are all defined. However, the subsequent null check on line 104 suggests that authorization_server can be undefined, which makes the non-null assertion misleading. Consider removing the non-null assertion operator on authorization_server to accurately reflect that this value can be undefined, or use optional chaining instead.
const authorizationServer = credentialOffer.credentialOfferPayload.grants!.authorization_code!.authorization_server!;
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
britsta
previously approved these changes
Feb 25, 2026
britsta
approved these changes
Feb 25, 2026
tnotheis
deleted the
incorrect-auth-server-is-used-for-credential-offers
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Readiness checklist