fix: SVG claim extraction and consent double-auth initiation

- Add HasVCIDocuments() to skip re-initiating OIDC/SAML auth when
  documents are already cached from callback
- Add findValueByName fallback for SVG claims when JSONPath extraction
  fails due to credential_mapping mismatch
- Add diagnostic logging: document data keys, mapping attributes,
  JSONPath map for debugging claim extraction issues
- Fix pre-existing MDQ test compilation errors (missing signingCert param)

Author: leifj

internal/apigw/apiv1/handlers_issuer.go

@@ -28,6 +28,13 @@ func (c *Client) StoreVCIDocuments(ctx context.Context, sessionID string, docs m
 	return nil
 }
 
+// HasVCIDocuments checks whether documents have already been stored for the given VCI session.
+// Used by the consent endpoint to avoid re-initiating external auth when documents are already cached.
+func (c *Client) HasVCIDocuments(ctx context.Context, sessionID string) bool {
+	docs, ok := c.cacheService.Document.Get(ctx, sessionID)
+	return ok && len(docs) > 0
+}
+
 // VCICredentialOffer implements OpenID4VCI credential offer endpoint
 // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-offer-endpoint
 func (c *Client) VCICredentialOffer(ctx context.Context, req *openid4vci.CredentialOfferParameters) (*openid4vci.CredentialOfferParameters, error) {

internal/apigw/apiv1/handlers_oidcrp.go

@@ -141,9 +141,22 @@ func (c *Client) OIDCRPCallback(ctx context.Context, req *OIDCRPCallbackRequest,
 		return nil, err
 	}
 
+	// Log the mapping attributes and resulting document data for diagnostics.
+	// This helps identify mismatches between credential_mappings and the VCTM claims.
+	claimKeys := make([]string, 0, len(claims))
+	for k := range claims {
+		claimKeys = append(claimKeys, k)
+	}
+	mappingKeys := make([]string, 0, len(mapping.Attributes))
+	for k := range mapping.Attributes {
+		mappingKeys = append(mappingKeys, k)
+	}
+
 	c.log.Info("OIDC authentication successful",
 		"credential_type", session.CredentialType,
 		"claims_count", len(claims),
+		"claim_keys", claimKeys,
+		"mapping_attributes", mappingKeys,
 		"subject", authResp.IDToken.Subject)
 
 	// VCI mode: if the OIDC session was initiated from the OpenID4VCI consent flow,

internal/apigw/apiv1/handlers_users.go

@@ -244,15 +244,35 @@ func (c *Client) UserLookup(ctx context.Context, req *vcclient.UserLookupRequest
 			return nil, fmt.Errorf("failed to extract claim values from document data: %w", err)
 		}
 
-		c.log.Debug("extracted claim values",
-			"extracted_count", len(claimValues),
-			"requested_count", len(jsonPaths.Displayable),
-			"claims", claimValues)
+		if len(claimValues) == 0 && len(jsonPaths.Displayable) > 0 {
+			// Log diagnostic info when JSONPath extraction finds nothing.
+			// This typically means the credential_mappings don't produce the
+			// claim keys expected by the VCTM (check svg_id / path alignment).
+			docKeys := make([]string, 0, len(doc.DocumentData))
+			for k := range doc.DocumentData {
+				docKeys = append(docKeys, k)
+			}
+			c.log.Warn("no claims extracted: document data keys do not match VCTM JSONPaths",
+				"document_data_keys", docKeys,
+				"json_paths", jsonPaths.Displayable)
+		} else {
+			c.log.Debug("extracted claim values",
+				"extracted_count", len(claimValues),
+				"requested_count", len(jsonPaths.Displayable),
+				"claims", claimValues)
+		}
 
 		for _, claim := range req.VCTM.Claims {
 			if claim.SVGID != "" {
 				value, ok := claimValues[claim.SVGID].(string)
 				if !ok {
+					// JSONPath extraction missed this claim — try direct lookup as fallback
+					if value := findValueByName(doc.DocumentData, claim.Path); value != "" {
+						svgTemplateClaims[claim.SVGID] = vcclient.SVGClaim{
+							Label: claim.Display[0].Label,
+							Value: value,
+						}
+					}
 					continue
 				}
 				svgTemplateClaims[claim.SVGID] = vcclient.SVGClaim{

internal/apigw/httpserver/api.go

@@ -69,6 +69,7 @@ type Apiv1 interface {
 
 	// VCI integration for external auth (SAML/OIDC)
 	StoreVCIDocuments(ctx context.Context, sessionID string, docs map[string]*model.CompleteDocument) error
+	HasVCIDocuments(ctx context.Context, sessionID string) bool
 
 	// misc endpoints
 	Health(ctx context.Context, req *apiv1_status.StatusRequest) (*apiv1_status.StatusReply, error)

internal/apigw/httpserver/endpoints_oauth.go

@@ -210,23 +210,28 @@ func (s *Service) endpointOAuthAuthorizationConsent(ctx context.Context, c *gin.
 			return nil, err
 		}
 
-		scope, _ := session.Get("scope").(string)
-		if s.cfg.GetCredentialConstructor(scope) == nil {
-			err := fmt.Errorf("scope %q not configured for credential issuance", scope)
-			span.SetStatus(codes.Error, err.Error())
-			return nil, err
+		// Skip re-initiating auth if the callback already stored documents.
+		if !s.apiv1.HasVCIDocuments(ctx, sessionID) {
+			scope, _ := session.Get("scope").(string)
+			if s.cfg.GetCredentialConstructor(scope) == nil {
+				err := fmt.Errorf("scope %q not configured for credential issuance", scope)
+				span.SetStatus(codes.Error, err.Error())
+				return nil, err
+			}
+
+			// Determine the IdP entity ID: use static IdP or default from config
+			idpEntityID := s.samlSPService.GetStaticIDPEntityID()
+
+			authReq, err := s.samlSPService.InitiateAuthForVCI(ctx, idpEntityID, scope, sessionID)
+			if err != nil {
+				span.SetStatus(codes.Error, err.Error())
+				return nil, err
+			}
+
+			redirectURL = authReq.RedirectURL
+		} else {
+			s.log.Debug("SAML auth already completed, documents cached", "session_id", sessionID)
 		}
-
-		// Determine the IdP entity ID: use static IdP or default from config
-		idpEntityID := s.samlSPService.GetStaticIDPEntityID()
-
-		authReq, err := s.samlSPService.InitiateAuthForVCI(ctx, idpEntityID, scope, sessionID)
-		if err != nil {
-			span.SetStatus(codes.Error, err.Error())
-			return nil, err
-		}
-
-		redirectURL = authReq.RedirectURL
 	}
 
 	if authMethod == model.AuthMethodOIDC {
@@ -236,20 +241,25 @@ func (s *Service) endpointOAuthAuthorizationConsent(ctx context.Context, c *gin.
 			return nil, err
 		}
 
-		scope, _ := session.Get("scope").(string)
-		if s.cfg.GetCredentialConstructor(scope) == nil {
-			err := fmt.Errorf("scope %q not configured for credential issuance", scope)
-			span.SetStatus(codes.Error, err.Error())
-			return nil, err
-		}
-
-		authReq, err := s.oidcrpService.InitiateAuthForVCI(ctx, scope, sessionID)
-		if err != nil {
-			span.SetStatus(codes.Error, err.Error())
-			return nil, err
+		// Skip re-initiating auth if the callback already stored documents.
+		if !s.apiv1.HasVCIDocuments(ctx, sessionID) {
+			scope, _ := session.Get("scope").(string)
+			if s.cfg.GetCredentialConstructor(scope) == nil {
+				err := fmt.Errorf("scope %q not configured for credential issuance", scope)
+				span.SetStatus(codes.Error, err.Error())
+				return nil, err
+			}
+
+			authReq, err := s.oidcrpService.InitiateAuthForVCI(ctx, scope, sessionID)
+			if err != nil {
+				span.SetStatus(codes.Error, err.Error())
+				return nil, err
+			}
+
+			redirectURL = authReq.AuthorizationURL
+		} else {
+			s.log.Debug("OIDC auth already completed, documents cached", "session_id", sessionID)
 		}
-
-		redirectURL = authReq.AuthorizationURL
 	}
 
 	c.HTML(http.StatusOK, "consent.html", gin.H{

internal/apigw/httpserver/endpoints_saml.go

@@ -184,9 +184,14 @@ func (s *Service) endpointSAMLACS(ctx context.Context, c *gin.Context) (any, err
 		return nil, err
 	}
 
+	claimKeys := make([]string, 0, len(claims))
+	for k := range claims {
+		claimKeys = append(claimKeys, k)
+	}
 	s.log.Info("SAML authentication successful",
 		"credential_type", session.CredentialType,
-		"claims_count", len(claims))
+		"claims_count", len(claims),
+		"claim_keys", claimKeys)
 
 	// VCI mode: if the SAML session was initiated from the OpenID4VCI consent flow,
 	// store the transformed claims as a document in the VCI session cache and redirect

internal/apigw/integration/oidc_integration_test.go

@@ -495,7 +495,7 @@ func createTestOIDCRPConfig(op *mockOIDCProvider) *model.OIDCRPConfig {
 		Enable: true,
 		Registration: &model.OIDCRPRegistrationConfig{
 			Preconfigured: &model.OIDCRPPreconfiguredConfig{
-				Enable:      true,
+				Enable:       true,
 				ClientID:     op.clientID,
 				ClientSecret: op.clientSecret,
 			},

internal/apigw/samlsp/mdq_static_test.go

@@ -30,7 +30,7 @@ func TestNewStaticMDQClient_FromFile(t *testing.T) {
 	require.NoError(t, err)
 
 	// Create static MDQ client from file
-	client, err := NewStaticMDQClient(metadataPath, "https://static-idp.example.com/idp", false, log)
+	client, err := NewStaticMDQClient(metadataPath, "https://static-idp.example.com/idp", false, nil, log)
 	require.NoError(t, err)
 	require.NotNil(t, client)
 
@@ -62,7 +62,7 @@ func TestNewStaticMDQClient_FromURL(t *testing.T) {
 	require.NoError(t, err)
 
 	// Create static MDQ client from URL
-	client, err := NewStaticMDQClient(server.URL+"/metadata", "https://static-idp.example.com/idp", true, log)
+	client, err := NewStaticMDQClient(server.URL+"/metadata", "https://static-idp.example.com/idp", true, nil, log)
 	require.NoError(t, err)
 	require.NotNil(t, client)
 
@@ -89,7 +89,7 @@ func TestStaticMDQClient_GetIDPMetadata_IgnoresEntityID(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	client, err := NewStaticMDQClient(metadataPath, "https://static-idp.example.com/idp", false, log)
+	client, err := NewStaticMDQClient(metadataPath, "https://static-idp.example.com/idp", false, nil, log)
 	require.NoError(t, err)
 
 	ctx := t.Context()
@@ -113,7 +113,7 @@ func TestNewStaticMDQClient_FileNotFound(t *testing.T) {
 	require.NoError(t, err)
 
 	// Try to create client with non-existent file
-	_, err = NewStaticMDQClient("/nonexistent/metadata.xml", "https://idp.example.com", false, log)
+	_, err = NewStaticMDQClient("/nonexistent/metadata.xml", "https://idp.example.com", false, nil, log)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to read metadata file")
 }
@@ -127,7 +127,7 @@ func TestNewStaticMDQClient_InvalidXML(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	_, err = NewStaticMDQClient(metadataPath, "https://idp.example.com", false, log)
+	_, err = NewStaticMDQClient(metadataPath, "https://idp.example.com", false, nil, log)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to parse IdP metadata XML")
 }
@@ -147,7 +147,7 @@ func TestNewStaticMDQClient_NoIDPDescriptor(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	_, err = NewStaticMDQClient(metadataPath, "https://sp.example.com", false, log)
+	_, err = NewStaticMDQClient(metadataPath, "https://sp.example.com", false, nil, log)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "does not contain IdP SSO descriptor")
 }
@@ -157,7 +157,7 @@ func TestNewStaticMDQClient_URLFetchError(t *testing.T) {
 	require.NoError(t, err)
 
 	// Try to fetch from invalid URL
-	_, err = NewStaticMDQClient("http://nonexistent.invalid/metadata", "https://idp.example.com", true, log)
+	_, err = NewStaticMDQClient("http://nonexistent.invalid/metadata", "https://idp.example.com", true, nil, log)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to fetch metadata from URL")
 }
@@ -173,7 +173,7 @@ func TestNewStaticMDQClient_EntityIDMismatch(t *testing.T) {
 
 	// Create client with different entityID than in metadata
 	// Should succeed but log warning (not tested here, but functionality works)
-	client, err := NewStaticMDQClient(metadataPath, "https://different-idp.example.com", false, log)
+	client, err := NewStaticMDQClient(metadataPath, "https://different-idp.example.com", false, nil, log)
 	require.NoError(t, err)
 	require.NotNil(t, client)
 

internal/apigw/samlsp/mdq_test.go

@@ -33,7 +33,7 @@ func TestMDQClient_GetIDPMetadata_Success(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	client := NewMDQClient(server.URL, 3600, log)
+	client := NewMDQClient(server.URL, 3600, nil, log)
 
 	ctx := t.Context()
 	metadata, err := client.GetIDPMetadata(ctx, "https://idp.example.com/idp")
@@ -61,7 +61,7 @@ func TestMDQClient_GetIDPMetadata_Caching(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	client := NewMDQClient(server.URL, 3600, log)
+	client := NewMDQClient(server.URL, 3600, nil, log)
 
 	ctx := t.Context()
 	entityID := "https://idp.example.com/idp"
@@ -96,8 +96,7 @@ func TestMDQClient_GetIDPMetadata_CacheExpiration(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	// Very short cache TTL (1 second)
-	client := NewMDQClient(server.URL, 1, log)
+	client := NewMDQClient(server.URL, 1, nil, log)
 
 	ctx := t.Context()
 	entityID := "https://idp.example.com/idp"
@@ -126,7 +125,7 @@ func TestMDQClient_GetIDPMetadata_HTTPError(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	client := NewMDQClient(server.URL, 3600, log)
+	client := NewMDQClient(server.URL, 3600, nil, log)
 
 	ctx := t.Context()
 	_, err = client.GetIDPMetadata(ctx, "https://nonexistent.idp.com")
@@ -145,7 +144,7 @@ func TestMDQClient_GetIDPMetadata_InvalidXML(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	client := NewMDQClient(server.URL, 3600, log)
+	client := NewMDQClient(server.URL, 3600, nil, log)
 
 	ctx := t.Context()
 	_, err = client.GetIDPMetadata(ctx, "https://idp.example.com/idp")
@@ -171,7 +170,7 @@ func TestMDQClient_GetIDPMetadata_NoIDPDescriptor(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	client := NewMDQClient(server.URL, 3600, log)
+	client := NewMDQClient(server.URL, 3600, nil, log)
 
 	ctx := t.Context()
 	_, err = client.GetIDPMetadata(ctx, "https://sp.example.com")
@@ -195,7 +194,7 @@ func TestMDQClient_MultipleConcurrentRequests(t *testing.T) {
 	log, err := logger.New("test", "", false)
 	require.NoError(t, err)
 
-	client := NewMDQClient(server.URL, 3600, log)
+	client := NewMDQClient(server.URL, 3600, nil, log)
 
 	ctx := t.Context()
 	entityID := "https://idp.example.com/idp"