
Auth: Allow enabling/disabling OpenID4VP and OpenID4VCI independently#4119

Open
Copilot wants to merge 7 commits into master from copilot/enable-disable-openid4vp-vci

Conversation

Contributor

Copilot AI commented Mar 25, 2026

Previously, auth.authorizationendpoint.enabled enabled both OpenID4VP and OpenID4VCI together, making it impossible to use OpenID4VCI without also enabling OpenID4VP.

New configuration

Two separate flags replace the combined flag:

auth:
  openid4vp:
    enabled: true   # OpenID4VP verifier/wallet (authorization endpoint, VP flows)
  openid4vci:
    enabled: true   # OpenID4VCI client (credential issuance requests + callback)

The old auth.authorizationendpoint.enabled is deprecated but remains functional — it still enables both protocols for backward compatibility. A deprecation warning is logged at startup when this flag is set, directing users to the new flags.

Changes

  • auth/config.go: Added OpenID4VPConfig and OpenID4VCIConfig structs; kept AuthorizationEndpointConfig as deprecated
  • auth/interface.go: Replaced AuthorizationEndpointEnabled() with OpenID4VPEnabled() and OpenID4VCIEnabled()
  • auth/auth.go: Both new methods OR with the deprecated flag for backward compat; logs a WARN when the deprecated flag is in use
  • auth/api/iam/api.go:
    • HandleAuthorizeRequest gated on OpenID4VPEnabled()
    • Callback enabled when either protocol is enabled
    • authorization_endpoint omitted from AS metadata when OpenID4VP is disabled
  • auth/api/iam/openid4vci.go: RequestOpenid4VCICredentialIssuance gated on OpenID4VCIEnabled()
  • auth/cmd/cmd.go: New flags registered; old flag marked deprecated with migration hint
Original prompt

This section details the original issue you should resolve

<issue_title>Auth: Allow enabling/disabling protocols</issue_title>
<issue_description>Currently, we support:

  • vp_bearer grant type (enabled by default)
  • OpenID4VP (when AUTHORIZATION_ENDPOINT_ENABLED = true)
  • OpenID4VCI (client) (when AUTHORIZATION_ENDPOINT_ENABLED = true)
  • Authorization Code Flow when OpenID4VP is enabled

Upcoming support:

  • JWT bearer grant type

Since we have an actual use case for OpenID4VCI, but not for OpenID4VP, we should allow enabling the OpenID4VCI without enabling OpenID4VP at the same time.

Configuration structure:

auth.openid4vp.enabled (true/false)
auth.openid4vci.enabled (true/false)

We can then add sub-items in the future.
</issue_description>

Comments on the Issue (you are @copilot in this section)
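The gating logic the PR description spells out (each new flag ORed with the deprecated combined flag, the callback enabled when either protocol is, authorization_endpoint dropped from the AS metadata when OpenID4VP is off, and a WARN when the deprecated flag is set) fits in a few lines of Go. The block below is an added illustration, not code from this PR or from the nuts-node repository: the struct and field names, the logf callback, the base URL and the handler-name map are assumptions chosen to mirror the description, and the Config struct is populated inline rather than read from YAML.

```go
package main

import (
	"fmt"
	"log"
)

// OpenID4VPConfig, OpenID4VCIConfig and AuthorizationEndpointConfig mirror the
// three flags described in the PR; field layout is an assumption for this example.
type OpenID4VPConfig struct{ Enabled bool }
type OpenID4VCIConfig struct{ Enabled bool }
type AuthorizationEndpointConfig struct{ Enabled bool } // deprecated combined flag

// Config is a hypothetical stand-in for the auth module configuration.
type Config struct {
	OpenID4VP             OpenID4VPConfig             // auth.openid4vp.enabled
	OpenID4VCI            OpenID4VCIConfig            // auth.openid4vci.enabled
	AuthorizationEndpoint AuthorizationEndpointConfig // auth.authorizationendpoint.enabled (deprecated)
}

// OpenID4VPEnabled is true when the new flag is set, or when the deprecated
// combined flag is set, which keeps old deployments enabling both protocols.
func (c Config) OpenID4VPEnabled() bool {
	return c.OpenID4VP.Enabled || c.AuthorizationEndpoint.Enabled
}

// OpenID4VCIEnabled applies the same backward-compatible OR for the VCI client.
func (c Config) OpenID4VCIEnabled() bool {
	return c.OpenID4VCI.Enabled || c.AuthorizationEndpoint.Enabled
}

// CallbackEnabled: the OAuth2 callback is needed by either protocol, so it is
// on when at least one of them is.
func (c Config) CallbackEnabled() bool {
	return c.OpenID4VPEnabled() || c.OpenID4VCIEnabled()
}

// Configure emits the deprecation warning through logf (log.Printf in main)
// and reports whether it did, so the behaviour can be asserted without
// capturing log output. The message text is the one quoted in the PR thread.
func Configure(c Config, logf func(string, ...any)) (warned bool) {
	if c.AuthorizationEndpoint.Enabled {
		logf("WARN auth.authorizationendpoint.enabled is deprecated, use auth.openid4vp.enabled and auth.openid4vci.enabled instead")
		return true
	}
	return false
}

// ASMetadata builds the part of the authorization-server metadata that the PR
// touches: authorization_endpoint is omitted when OpenID4VP is disabled, so
// clients do not discover an endpoint the node will not serve. Paths are assumed.
func ASMetadata(c Config, baseURL string) map[string]string {
	md := map[string]string{
		"issuer":         baseURL,
		"token_endpoint": baseURL + "/token",
	}
	if c.OpenID4VPEnabled() {
		md["authorization_endpoint"] = baseURL + "/authorize"
	}
	return md
}

// Routes maps the handlers named in the PR to the flag each one is gated on.
func Routes(c Config) map[string]bool {
	return map[string]bool{
		"HandleAuthorizeRequest":             c.OpenID4VPEnabled(),
		"RequestOpenid4VCICredentialIssuance": c.OpenID4VCIEnabled(),
		"Callback":                           c.CallbackEnabled(),
	}
}

func main() {
	cases := map[string]Config{
		"vci-only": {OpenID4VCI: OpenID4VCIConfig{Enabled: true}},
		"legacy":   {AuthorizationEndpoint: AuthorizationEndpointConfig{Enabled: true}},
		"none":     {},
	}
	for name, c := range cases {
		Configure(c, log.Printf)
		fmt.Printf("%-8s routes=%v metadata=%v\n", name, Routes(c), ASMetadata(c, "https://node.example"))
	}
}
```

The point worth checking in a review of the real change is the "vci-only" case: the credential-issuance handler and the callback must be reachable while the authorize endpoint is not, and the metadata must not advertise it.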



Copilot AI changed the title [WIP] Update auth to enable or disable OpenID4VP and OpenID4VCI Auth: Allow enabling/disabling OpenID4VP and OpenID4VCI independently Mar 25, 2026
Copilot AI requested a review from reinkrul March 25, 2026 14:19
Member

@reinkrul reinkrul left a comment


Log error when deprecated AuthorizationEndpoint is used, telling to use the other properties.

Contributor Author

Copilot AI commented Mar 25, 2026

Log error when deprecated AuthorizationEndpoint is used, telling to use the other properties.

Done in 2c4ddd5. When auth.authorizationendpoint.enabled = true is set, Configure() now logs a WARN message: auth.authorizationendpoint.enabled is deprecated, use auth.openid4vp.enabled and auth.openid4vci.enabled instead.


Copilot AI requested a review from reinkrul March 25, 2026 14:51
@qltysh

qltysh bot commented Mar 25, 2026

Qlty

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.01%.

Modified Files with Diff Coverage (4)

Rating  File                         % Diff   Uncovered Line #s
C       auth/auth.go                 75.0%    151-152
A       auth/cmd/cmd.go              100.0%
B       auth/api/iam/api.go          100.0%
B       auth/api/iam/openid4vci.go   100.0%
Total                                88.9%

In the `copilot/enable-disable-openid4vp-vci` branch, add test coverage for this new code:

- `auth/auth.go` -- Line 151-152



@reinkrul
Member

@copilot the openid4vp e2e tests still specify auth.authorizationendpoint in the YAML files, replace this with the new property

@reinkrul reinkrul marked this pull request as ready for review March 26, 2026 12:29
@qltysh

qltysh bot commented Mar 26, 2026

2 new issues

Tool   Category    Rule                                                                      Count
qlty   Structure   Function with many returns (count = 13): RequestOpenid4VCICredentialIssuance   2

Contributor Author

Copilot AI commented Mar 26, 2026

@copilot the openid4vp e2e tests still specify auth.authorizationendpoint in the YAML files, replace this with the new property

Updated in 3e6f62c. All three e2e test configs now use auth.openid4vp.enabled: true instead of auth.authorizationendpoint.enabled: true:

  • e2e-tests/browser/openid4vp_employeecredential/config/nuts.yaml
  • e2e-tests/oauth-flow/openid4vp/node-A/nuts.yaml
  • e2e-tests/oauth-flow/openid4vp/node-B/nuts.yaml

reinkrul and others added 2 commits March 26, 2026 16:25
- Add integrating/openid4vci.rst: how-to guide for requesting credentials over OpenID4VCI (wallet-initiated flow)
- Regenerate server_options.rst: replace deprecated auth.authorizationendpoint.enabled with auth.openid4vci.enabled and auth.openid4vp.enabled
- Update recommended-deployment.rst to reference the new config keys
- Register openid4vci.rst in the docs index

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>


Development

Successfully merging this pull request may close these issues.

Auth: Allow enabling/disabling protocols

2 participants