feat: support Interactive Authorization Flow #342

Merged: daniel-mader merged 10 commits into beta from feat/interactive-authorization-flow on Jun 16, 2026
@nanderstabel nanderstabel commented May 11, 2026

Contributor

Description of change

Interactive Authorization Flow (OpenID4VCI 1.1)

Overview

Adds support for the Interactive Authorization Flow as defined in OpenID4VCI 1.1. When enabled, the authorization server can request an OpenID4VP presentation from the wallet before issuing an authorization code, enabling credential-gated issuance.

Key Changes

  • New InteractiveAuthorizationService — handles the two-step interactive flow: initial request (returns an OpenID4VP presentation request) and follow-up (submits the VP response, returns an authorization code).
  • /auth/par endpoint extended — now dispatches between standard PAR, interactive authorization requests, and follow-up requests via an AuthorizationRequestDto enum.
  • New OpenId4VpPresentationService trait — abstraction for creating/verifying OpenID4VP requests, with mockall support for testing.
  • New verification-authorization infrastructure adapter — implements OpenId4VpPresentationService by delegating to the agent_verification domain.

Important Notes

  • The interactive authorization flow must be explicitly enabled via the enable_interactive_authorization_flow configuration variable (defaults to false).
  • This PR contains a hardcoded DCQL query in VerificationAuthorizationAdapter requesting eduID and Entitlement credentials with specific claims (e.g. name, email, eduperson_scoped_affiliation, entitlement). This should be made configurable by the client in a follow-up.
  • The integration test for the full interactive flow is #[ignore]d pending holder-state test infrastructure improvements.

Links to any relevant issues

How the change has been tested

Manually tested, for more details, see: https://github.com/impierce/ssi-agent-integration-server

Definition of Done checklist

Add an x to the boxes that are relevant to your changes.

  • I have followed the contribution guidelines for this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have successfully tested this change in a docker environment

@nanderstabel nanderstabel self-assigned this May 11, 2026
codecov-commenter commented Jun 10, 2026

Codecov Report

❌ Patch coverage is 18.84498% with 267 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
...c/application/interactive_authorization_service.rs 0.00% 127 Missing ⚠️
...p/src/v0/authorization/authorization_server/par.rs 8.33% 99 Missing ⚠️
agent_application/src/lib.rs 0.00% 21 Missing ⚠️
...ure/adapters/verification-authorization/src/lib.rs 0.00% 10 Missing ⚠️
agent_authorization/src/services.rs 52.94% 8 Missing ⚠️
agent_issuance/src/state.rs 81.81% 2 Missing ⚠️
Files with missing lines Coverage Δ
...v0/authorization/authorization_server/authorize.rs 100.00% <ø> (ø)
...src/v0/authorization/authorization_server/token.rs 95.45% <ø> (ø)
...tp/src/v0/issuance/credential_issuer/credential.rs 97.02% <ø> (ø)
.../src/v0/issuance/credential_issuer/notification.rs 98.95% <100.00%> (+0.05%) ⬆️
...v0/issuance/credential_issuer/token_status_list.rs 98.19% <100.00%> (+0.08%) ⬆️
...http/src/v0/verification/authorization_requests.rs 86.72% <100.00%> (+0.11%) ⬆️
...on/src/application/oauth2_authorization_service.rs 88.67% <100.00%> (ø)
...on/src/application/pushed_authorization_service.rs 89.79% <100.00%> (+0.21%) ⬆️
...ization/src/domain/authorization_code/aggregate.rs 100.00% <100.00%> (ø)
...thorization/src/domain/authorization_code/event.rs 0.00% <ø> (ø)
... and 15 more

@nanderstabel nanderstabel added the Added A new feature that requires a minor release. label Jun 10, 2026
Comment thread agent_api_http/src/v0/authorization/authorization_server/par.rs Outdated
Comment thread agent_authorization/src/application/interactive_authorization_service.rs Outdated
Comment thread agent_authorization/src/domain/oauth2_authorization_request/aggregate.rs Outdated
Comment thread agent_issuance/src/state.rs

Copilot AI left a comment

Pull request overview

Adds OpenID4VCI 1.1 Interactive Authorization Flow support, allowing the AS to require an OpenID4VP presentation before issuing an authorization code (credential-gated issuance).

Changes:

  • Introduces an interactive /auth/par flow (initial request → OpenID4VP presentation request; follow-up → VP submission → authorization code).
  • Adds an OpenId4VpPresentationService abstraction and a verification-authorization adapter delegating to agent_verification.
  • Extends authorization/issuance metadata and domain models to support interactive endpoints and OpenID4VP-related state.

Reviewed changes

Copilot reviewed 36 out of 37 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
infrastructure/adapters/verification-authorization/src/lib.rs New adapter implementing OpenId4VpPresentationService using verification state.
infrastructure/adapters/verification-authorization/Cargo.toml New crate manifest for the adapter.
Cargo.toml Adds adapter crate to workspace; bumps OpenID4VC deps; adds mockall.
Cargo.lock Locks updated deps for bumped OpenID4VC rev + mockall and adapter crate.
agent_verification/src/authorization_request/command.rs Adds alternative_response_mode to create authorization requests.
agent_verification/src/authorization_request/aggregate.rs Wires alternative_response_mode into OID4VP authorization request builder.
agent_store/src/lib.rs Passes domain services into OAuth2 authorization request aggregate wiring.
agent_shared/src/config/mod.rs Adds enable_interactive_authorization_flow configuration flag.
agent_shared/Cargo.toml Formatting adjustment in dev-deps (no functional change).
agent_issuance/src/state.rs Conditionally publishes interactive authorization metadata based on config.
agent_issuance/src/server_config/aggregate.rs Updates issuer URL behavior and metadata endpoints (incl. interactive endpoint).
agent_holder/src/offer/aggregate.rs Updates tests for new authorization_state(...) signature.
agent_authorization/src/services.rs Adds OpenId4VpPresentationService + OAuth2 auth request domain services (+ mock default).
agent_authorization/src/domain/oauth2_authorization_request/views/mod.rs Persists openid4vp_presentation in the view.
agent_authorization/src/domain/oauth2_authorization_request/event.rs Extends created event with openid4vp_presentation.
agent_authorization/src/domain/oauth2_authorization_request/error.rs Adds OpenID4VP creation/verification error variants.
agent_authorization/src/domain/oauth2_authorization_request/command.rs Adds interaction_type + SubmitOpenId4VpResponse command.
agent_authorization/src/domain/oauth2_authorization_request/aggregate.rs Implements interactive creation + VP submission path; stores presentation request JSON.
agent_authorization/src/domain/authorization_code/views/mod.rs Adjusts redirect URI handling for Option<Url>.
agent_authorization/src/domain/authorization_code/event.rs Makes redirect_uri optional in events.
agent_authorization/src/domain/authorization_code/command.rs Makes redirect_uri optional in commands.
agent_authorization/src/domain/authorization_code/aggregate.rs Propagates optional redirect URI through authorization code lifecycle + tests.
agent_authorization/src/application/pushed_authorization_service.rs Sets interaction_type: None when creating OAuth2 auth requests via PAR.
agent_authorization/src/application/oauth2_authorization_service.rs Creates auth code with redirect_uri: Some(...) under standard flow.
agent_authorization/src/application/mod.rs Exposes new interactive_authorization_service module.
agent_authorization/src/application/interactive_authorization_service.rs New interactive flow service (initial + follow-up).
agent_authorization/Cargo.toml Adds optional mockall; extends test_utils feature to include it.
agent_application/src/lib.rs Wires verification state + adapter into authorization state construction.
agent_application/Cargo.toml Adds dependency on verification-authorization adapter crate.
agent_api_http/src/v0/verification/authorization_requests.rs Passes alternative_response_mode: None into verification request creation.
agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs Updates tests for new authorization_state(...) signature.
agent_api_http/src/v0/issuance/credential_issuer/notification.rs Updates tests for new authorization_state(...) signature.
agent_api_http/src/v0/issuance/credential_issuer/credential.rs Updates tests for new authorization_state(...) signature.
agent_api_http/src/v0/authorization/authorization_server/token.rs Updates tests for new authorization_state(...) signature.
agent_api_http/src/v0/authorization/authorization_server/par.rs Extends /auth/par to dispatch between PAR + interactive init + interactive follow-up.
agent_api_http/src/v0/authorization/authorization_server/authorize.rs Updates tests for new authorization_state(...) signature.
agent_api_http/Cargo.toml Adds dependency on verification-authorization adapter crate.
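
The three-way dispatch on /auth/par and the config gate described in the PR description and in the review overview above, as an added example that is not part of the original thread or the project's code. The parameter names `auth_session` and `openid4vp_response`, the `Server`, `Outcome` and `classify` names, the `verify` callback and the single-use session store are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Hypothetical model; only AuthorizationRequestDto, interaction_type and
// enable_interactive_authorization_flow are names taken from the PR text.
#[derive(Debug, PartialEq)]
enum AuthorizationRequestDto { Par, InteractiveInitial, InteractiveFollowUp { session: String, vp_response: String } }
#[derive(Debug, PartialEq)]
enum Outcome { RequestUri, PresentationRequest(String), AuthorizationCode, Rejected(&'static str) }

// Parameter names auth_session and openid4vp_response are assumptions for illustration.
fn classify(p: &HashMap<&str, &str>) -> Result<AuthorizationRequestDto, &'static str> {
    use AuthorizationRequestDto::*;
    match (p.get("auth_session"), p.get("openid4vp_response"), p.get("interaction_type")) {
        (Some(s), Some(v), _) => Ok(InteractiveFollowUp { session: s.to_string(), vp_response: v.to_string() }),
        (None, None, Some(_)) => Ok(InteractiveInitial),
        (None, None, None) => Ok(Par),
        _ => Err("malformed request"), // half of a follow-up must not fall through to PAR
    }
}
// `enabled` mirrors enable_interactive_authorization_flow (the PR says it defaults to false).
struct Server { enabled: bool, pending: HashMap<String, String>, next: u32 }
impl Server {
    // `verify` stands in for OpenID4VP verification of the response against the stored request.
    fn handle(&mut self, p: &HashMap<&str, &str>, verify: impl Fn(&str, &str) -> bool) -> Outcome {
        use AuthorizationRequestDto::*;
        match classify(p) {
            Err(e) => Outcome::Rejected(e),
            Ok(Par) => Outcome::RequestUri,
            Ok(_) if !self.enabled => Outcome::Rejected("interactive flow disabled"),
            Ok(InteractiveInitial) => {
                self.next += 1; // counter keeps the demo deterministic; real ids must be unguessable
                let session = format!("session-{}", self.next);
                self.pending.insert(session.clone(), "stored presentation request".into());
                Outcome::PresentationRequest(session)
            }
            // remove() consumes the session, so a follow-up cannot be replayed or retried
            Ok(InteractiveFollowUp { session, vp_response }) => match self.pending.remove(&session) {
                Some(req) if verify(req.as_str(), vp_response.as_str()) => Outcome::AuthorizationCode,
                Some(_) => Outcome::Rejected("presentation not verified"),
                None => Outcome::Rejected("unknown session"),
            },
        }
    }
}
fn main() {
    let mut s = Server { enabled: false, pending: HashMap::new(), next: 0 };
    let init = HashMap::from([("interaction_type", "openid4vp_presentation")]); // constructed input
    println!("{:?}", s.handle(&init, |_, vp| vp == "valid")); // rejected while the flag is off
}
```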

Comment thread infrastructure/adapters/verification-authorization/src/lib.rs
Comment thread infrastructure/adapters/verification-authorization/src/lib.rs Outdated
Comment thread agent_issuance/src/server_config/aggregate.rs Outdated
@daniel-mader daniel-mader merged commit 15fcc80 into beta Jun 16, 2026
5 checks passed
@daniel-mader daniel-mader deleted the feat/interactive-authorization-flow branch June 16, 2026 15:06
@github-actions

🎉 This PR is included in version 1.0.0-beta.19 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Labels

Added A new feature that requires a minor release. released on @beta

5 participants