enhancements for the keycloak-ssi-deployment project to support Keycloak 25.05 and dedicated realms

.env

@@ -8,13 +8,17 @@ TOOLS_DIR=$TARGET_DIR/tools
 # Dev dir where to clone keycloak
 # KC_TARGET_BRANCH=main
 # KC_TARGET_BRANCH=DEPLOY-20240725
-KC_TARGET_BRANCH=DEPLOY-BSK-DEMO-86
+KC_TARGET_BRANCH=25.0.5
 KC_OID4VCI="keycloak_${KC_TARGET_BRANCH}"
 
 # Ensure all sensitive data like passwords and keys are passed through environment variables or secure stores.
 KEYCLOAK_ADMIN=admin
 KEYCLOAK_ADMIN_PASSWORD=admin
 
+# Keycloak Realms
+# KEYCLOAK_REALM=master
+KEYCLOAK_REALM=ssi-realm
+
 # Keystore configuration
 ###
 # If a keystore with the same base name as `KEYCLOAK_KEYSTORE_FILE` 
@@ -33,7 +37,7 @@ KEYCLOAK_KEYSTORE_AES_ENC_KEY_ALIAS=aes_enc_key
 # KC_INSTALL_DIR=$DEV_DIR/keycloak/quarkus/dist/target/keycloak-client-tools
 ####
 # if you unpacked: Keycloak installation directory
-KC_INSTALL_DIR=$TOOLS_DIR/keycloak-999.0.0-SNAPSHOT
+KC_INSTALL_DIR=$TOOLS_DIR/keycloak-25.0.5
 
 # User credentials
 USER_FRANCIS_NAME=francis
@@ -44,6 +48,7 @@ CLIENT_SECRET=uArydomqOymeF0tBrtipkPYujNNUuDlt
 
 # For AWS ($WORK_DIR/../env/.env)
 KEYCLOAK_HTTPS_PORT=8443
+KEYCLOAK_HTTP_PORT=8080
 
 # Define Keycloak host and port
 # For AWS ($WORK_DIR/../env/.env)
@@ -55,10 +60,11 @@ KEYCLOAK_ADMIN_ADDR=https://localhost:8443
 # For AWS ($WORK_DIR/../env/.env)
 # KEYCLOAK_EXTERNAL_ADDR=https://keycloak.solutions.adorsys.com
 # KEYCLOAK_EXTERNAL_ADDR=http://localhost:8080
-KEYCLOAK_EXTERNAL_ADDR=https://keycloak-demo.solutions.adorsys.com
-# KEYCLOAK_EXTERNAL_ADDR=https://localhost:8443
+# KEYCLOAK_EXTERNAL_ADDR=https://keycloak-demo.solutions.adorsys.com
+KEYCLOAK_EXTERNAL_ADDR=https://localhost:8443
 
-ISSUER_DID="${KEYCLOAK_EXTERNAL_ADDR}/realms/master"
+# ISSUER_DID="${KEYCLOAK_EXTERNAL_ADDR}/realms/master"
+ISSUER_DID="${KEYCLOAK_EXTERNAL_ADDR}/realms/ssi-realm"
 
 FRANCIS_KEYSTORE_FILE=$TARGET_DIR/francis_kc_keystore.pkcs12
 FRANCIS_KEYSTORE_PASSWORD=francis_store_key_password
@@ -90,15 +96,19 @@ KC_START="start --hostname-strict=false --https-port=$KEYCLOAK_HTTPS_PORT --http
 # For local env
 # KC_START=start-dev
 
-# Keycloak config CLI
+# Keycloak config CLI configurations
+###
 REPO_URL="https://github.com/adorsys/keycloak-config-cli.git"
-KC_CLI_DIR=$WORK_DIR/config
+KC_CLI_DIR=$WORK_DIR
 KC_CLI_JAR_FILE=keycloak-config-cli.jar
-KEYCLOAK_URL=https://kc-ssi.solutions.adorsys.com/
+
+# KEYCLOAK_URL=https://keycloak-demo.solutions.adorsys.com/
 # Use this url when running locally
-# KEYCLOAK_URL=https://localhost:8443
-KC_REALM_FILE=$KC_CLI_DIR/realm.json
+KEYCLOAK_URL=https://localhost:8443
+KC_REALM_FILE=$KC_CLI_DIR/config/ssi-realm-configuration.json
 KC_CLI_PROJECT_DIR=$KC_CLI_DIR/keycloak-config-cli
-KC_KEYSTORE_PATH=/opt/keycloak/target/kc_keystore.pkcs12
+
+# Running keycloak with the image, use this as the keystore path instead
+# KC_KEYSTORE_PATH=/opt/keycloak/target/kc_keystore.pkcs12
 # Running locally(without the image) use this path for Keystore file
-# KC_KEYSTORE_PATH=$TARGET_DIR/kc_keystore.pkcs12
+KC_KEYSTORE_PATH=$TARGET_DIR/kc_keystore.pkcs12

.gitignore

@@ -1,4 +1,4 @@
 signing_service-tmp.json
 target
 /.idea/
-config/keycloak-config-cli
+keycloak-config-cli

0.start-kc-oid4vci.sh

@@ -23,15 +23,13 @@ esac
 ./build-kc-oid4vci.sh
 
 # Start database container
-if [ -z "${KC_DB_OPTS}" ]; then
-    echo "Starting database container..."
-    docker-compose up -d db || { echo 'Could not start database container' ; exit 1; }
-    KC_DB_OPTS="--db postgres --db-url-port $KC_DB_EXPOSED_PORT --db-url-database $KC_DB_NAME --db-username $KC_DB_USERNAME --db-password $KC_DB_PASSWORD"
-fi
+echo "Starting database container..."
+docker-compose up -d db || { echo 'Could not start database container' ; exit 1; }
+KC_DB_OPT="--db postgres --db-url-port $KC_DB_EXPOSED_PORT --db-url-database $KC_DB_NAME --db-username $KC_DB_USERNAME --db-password $KC_DB_PASSWORD"
 
 # Start keycloak with OID4VCI feature
 ####
 # Use org.keycloak.quarkus._private.IDELauncher if you want to debug through keycloak sources
 export KEYCLOAK_ADMIN KEYCLOAK_ADMIN_PASSWORD \
 && cd $KC_INSTALL_DIR \
-&& bin/kc.sh $KC_START $KC_DB_OPTS --features=oid4vc-vci &
+&& bin/kc.sh $KC_START $KC_DB_OPT --features=oid4vc-vci &

1.oid4vci_test_deployment.sh

@@ -32,18 +32,21 @@ echo "Obtaining admin token..."
 $KC_INSTALL_DIR/bin/kcadm.sh config truststore --trustpass $KC_TRUST_STORE_PASS $KC_TRUST_STORE
 $KC_INSTALL_DIR/bin/kcadm.sh config credentials --server $KEYCLOAK_ADMIN_ADDR --realm master --user $KEYCLOAK_ADMIN --password $KEYCLOAK_ADMIN_PASSWORD
 
+# Create new realm 
+$KC_INSTALL_DIR/bin/kcadm.sh create realms -s realm=$KEYCLOAK_REALM -s enabled=true
+
 # Collect the 4 active keys to be disabled.
-RSA_OAEP_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(RSA-OAEP)' | jq -r '.active."RSA-OAEP"')
-RSA_OAEP_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
-echo "Generated RSA-OAEP key will be disbled... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
+RSA_OAEP_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM --fields 'active(RSA-OAEP)' | jq -r '.active."RSA-OAEP"')
+RSA_OAEP_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+echo "Generated RSA-OAEP key will be disabled... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
 
 # HS512_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(HS512)' | jq -r '.active.HS512')
 # HS512_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
 # echo "Generated HS512 key will be disbled... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
 
-RS256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(RS256)' | jq -r '.active.RS256')
-RS256_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
-echo "Generated RS256 key will be disbled... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
+RS256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM --fields 'active(RS256)' | jq -r '.active.RS256')
+RS256_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+echo "Generated RS256 key will be disabled... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
 
 # AES_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(AES)' | jq -r '.active.AES')
 # AES_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$AES_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
@@ -131,31 +134,31 @@ RSA_ENC_KEY_PROVIDER=$(cat $WORK_DIR/encryption_key_rsa.json | \
 
 # Register the EC-key with Keycloak
 echo "Registering issuer key ecdsa..."
-echo "$ECDSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'ECDSA Issuer Key registration failed' ; exit 1; }
+echo "$ECDSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'ECDSA Issuer Key registration failed' ; exit 1; }
 
 echo "Registering issuer key rsa..."
-echo "$RSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'RSA Issuer Key registration failed' ; exit 1; }
+echo "$RSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'RSA Issuer Key registration failed' ; exit 1; }
 
 echo "Registering encryption key rsa..."
-echo "$RSA_ENC_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'RSA Encryption Key registration failed' ; exit 1; }
+echo "$RSA_ENC_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'RSA Encryption Key registration failed' ; exit 1; }
 
 # echo "Registering signature key hmac..."
-# $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/signature_key_hmac-tmp.json || { echo 'Hmac Signature Key registration failed' ; exit 1; }
+# $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - < $TARGET_DIR/signature_key_hmac-tmp.json || { echo 'Hmac Signature Key registration failed' ; exit 1; }
 # echo "Registering issuer key ecdsa..."
-# $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/encryption_key_aes-tmp.json || { echo 'AES Encryption Key registration failed' ; exit 1; }
+# $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - < $TARGET_DIR/encryption_key_aes-tmp.json || { echo 'AES Encryption Key registration failed' ; exit 1; }
 
 # Disable generated keys
 echo "Deactivating generated RSA-OAEP... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
-$KC_INSTALL_DIR/bin/kcadm.sh update components/$RSA_OAEP_PROV_ID -s 'config.active=["false"]' || { echo 'Updating RSA_OAEP provider failed' ; exit 1; }
-$KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)'
+$KC_INSTALL_DIR/bin/kcadm.sh update components/$RSA_OAEP_PROV_ID -r $KEYCLOAK_REALM -s 'config.active=["false"]' || { echo 'Updating RSA_OAEP provider failed' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)'
 
 # echo "Deactivating generated HS512 key... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
 # $KC_INSTALL_DIR/bin/kcadm.sh update components/$HS512_PROV_ID -s 'config.active=["false"]' || { echo 'Updating HS512 provider failed' ; exit 1; }
 # $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)'
 
 echo "Deactivating generated RS256 key... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
-$KC_INSTALL_DIR/bin/kcadm.sh update components/$RS256_PROV_ID -s 'config.active=["false"]' || { echo 'Updating RS256 provider failed' ; exit 1; }
-$KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)'
+$KC_INSTALL_DIR/bin/kcadm.sh update components/$RS256_PROV_ID -r $KEYCLOAK_REALM -s 'config.active=["false"]' || { echo 'Updating RS256 provider failed' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)'
 
 # echo "Deactivating generated AES key will... KID=$AES_KID PROV_ID=$AES_PROV_ID"
 # $KC_INSTALL_DIR/bin/kcadm.sh update components/$AES_PROV_ID -s 'config.active=["false"]' || { echo 'Updating AES provider failed' ; exit 1; }
@@ -164,38 +167,38 @@ $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | sel
 # Create the signing service component for SteuerberaterCredential
 echo "Creating signing service component for SteuerberaterCredential..."
 SIGNING_SERVICE_TEST_CRED=$(cat $WORK_DIR/signing_service-SteuerberaterCredential.json)
-echo "$SIGNING_SERVICE_TEST_CRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'Could not create signing service component for SteuerberaterCredential' ; exit 1; }
+echo "$SIGNING_SERVICE_TEST_CRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'Could not create signing service component for SteuerberaterCredential' ; exit 1; }
 
 echo "Creating signing service component for IdentityCredential..."
 SIGNING_SERVICE_IDENTITYCRED=$(cat $WORK_DIR/signing_service-IdentityCredential.json)
-echo "$SIGNING_SERVICE_IDENTITYCRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'Could not create signing service component for IdentityCredential' ; exit 1; }
+echo "$SIGNING_SERVICE_IDENTITYCRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'Could not create signing service component for IdentityCredential' ; exit 1; }
 
 # Create client for oid4vci
 echo "Creating OID4VCI client..."
 OID4VCI_CLIENT=$(cat $WORK_DIR/client-oid4vc.json)
-echo "$OID4VCI_CLIENT" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -o -f - || { echo 'OID4VCIClient creation failed' ; exit 1; }
+echo "$OID4VCI_CLIENT" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -r $KEYCLOAK_REALM -o -f - || { echo 'OID4VCIClient creation failed' ; exit 1; }
 
 # Passing openid4vc-rest-api.json to jq to fill it with the secret before exporting config to keycloak
 CONFIG=$(cat $WORK_DIR/openid4vc-rest-api.json | jq --arg CLIENT_SECRET "$CLIENT_SECRET" '.secret = $CLIENT_SECRET')
 
 # Create client for openid4vc-rest-api
 echo "Creating OPENID4VC-REST-API client..."
-echo "$CONFIG" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -o -f - || { echo 'OPENID4VC-REST-API client creation failed' ; exit 1; }
+echo "$CONFIG" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -r $KEYCLOAK_REALM -o -f - || { echo 'OPENID4VC-REST-API client creation failed' ; exit 1; }
 
 # Clear the CONFIG variable
 unset CONFIG
 
 # Add realm attribute issuerDid
 echo "Updating realm attributes for issuerDid..."
-$KC_INSTALL_DIR/bin/kcadm.sh update realms/master -s attributes.issuerDid=$ISSUER_DID || { echo 'Could not set issuer did' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh update realms/$KEYCLOAK_REALM -s attributes.issuerDid=$ISSUER_DID || { echo 'Could not set issuer did' ; exit 1; }
 
 # Increase lifespan of preauth code
 echo "Updating realm attributes for preAuthorizedCodeLifespanS..."
-$KC_INSTALL_DIR/bin/kcadm.sh update realms/master -s attributes.preAuthorizedCodeLifespanS=120  || { echo 'Could not set preAuthorizedCodeLifespanS' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh update realms/$KEYCLOAK_REALM -s attributes.preAuthorizedCodeLifespanS=120  || { echo 'Could not set preAuthorizedCodeLifespanS' ; exit 1; }
 
 
 # Check server status and oid4vc-vci feature
-response=$(curl -k -s $KEYCLOAK_ADMIN_ADDR/realms/master/.well-known/openid-credential-issuer)
+response=$(curl -k -s $KEYCLOAK_ADMIN_ADDR/realms/$KEYCLOAK_REALM/.well-known/openid-credential-issuer)
 
 if ! jq -e '."credential_configurations_supported"."SteuerberaterCredential"' <<< "$response" > /dev/null; then
     echo "Server started but error occurred. 'SteuerberaterCredential' not found in OID4VCI configuration."

2.configure_user_4_account_client.sh

@@ -10,23 +10,23 @@ $KC_INSTALL_DIR/bin/kcadm.sh config credentials --server $KEYCLOAK_ADMIN_ADDR --
 
 # Read the direct access property of the openid4vc-rest-api client
 echo "Reading direct access property of the openid4vc-rest-api client..."
-$KC_INSTALL_DIR/bin/kcadm.sh get clients -q clientId=openid4vc-rest-api --fields 'id,directAccessGrantsEnabled'
+$KC_INSTALL_DIR/bin/kcadm.sh get clients -r $KEYCLOAK_REALM -q clientId=openid4vc-rest-api --fields 'id,directAccessGrantsEnabled'
 
 # Store property ACC_CLIENT_ID in an environment variable
-export ACC_CLIENT_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get clients -q clientId=openid4vc-rest-api --fields id | jq -r '.[0].id')
+export ACC_CLIENT_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get clients -r $KEYCLOAK_REALM -q clientId=openid4vc-rest-api --fields id | jq -r '.[0].id')
 echo "Stored openid4vc-rest-api Client ID: $ACC_CLIENT_ID"
 
 # Enable direct grant on the openid4vc-rest-api client
 echo "Enabling direct grant on the openid4vc-rest-api client..."
-$KC_INSTALL_DIR/bin/kcadm.sh update clients/$ACC_CLIENT_ID -r master -s directAccessGrantsEnabled=true -o --fields 'id,directAccessGrantsEnabled'
+$KC_INSTALL_DIR/bin/kcadm.sh update clients/$ACC_CLIENT_ID -r $KEYCLOAK_REALM -s directAccessGrantsEnabled=true -o --fields 'id,directAccessGrantsEnabled'
 
 # Create a user named Francis
 echo "Creating user Francis..."
-$KC_INSTALL_DIR/bin/kcadm.sh create users -r master -s username=francis -s firstName=Francis -s lastName=Pouatcha -s [email protected] -s enabled=true
+$KC_INSTALL_DIR/bin/kcadm.sh create users -r $KEYCLOAK_REALM -s username=francis -s firstName=Francis -s lastName=Pouatcha -s [email protected] -s enabled=true
 
 # Set password for Francis
 echo "Setting password for user Francis..."
-$KC_INSTALL_DIR/bin/kcadm.sh set-password -r master --username $USER_FRANCIS_NAME --new-password $USER_FRANCIS_PASSWORD
+$KC_INSTALL_DIR/bin/kcadm.sh set-password -r $KEYCLOAK_REALM --username $USER_FRANCIS_NAME --new-password $USER_FRANCIS_PASSWORD
 
 # Prepare user key proof header if not existent
 if [ ! -f "$TARGET_DIR/user_key_proof_header.json" ]; then

3.retrieve_IdentityCredential.sh

@@ -4,7 +4,7 @@
 . load_env.sh
 
 # Retrieve the bearer token
-response=$(curl -k -s -o $TARGET_DIR/response.json -w "%{http_code}" -X POST $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/openid-connect/token \
+response=$(curl -k -s -o $TARGET_DIR/response.json -w "%{http_code}" -X POST $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
     -d "client_id=openid4vc-rest-api" \
     -d "client_secret=$CLIENT_SECRET" \
     -d "username=$USER_FRANCIS_NAME" \
@@ -24,7 +24,7 @@ USER_ACCESS_TOKEN=$(jq -r '.access_token' < $TARGET_DIR/response.json )
 echo -e "Bearer Token: $USER_ACCESS_TOKEN \n"
 
 # Retrieve link to the credential offer
-CREDENTIAL_OFFER_LINK=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/oid4vc/credential-offer-uri?credential_configuration_id=IdentityCredential \
+CREDENTIAL_OFFER_LINK=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/oid4vc/credential-offer-uri?credential_configuration_id=IdentityCredential \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $USER_ACCESS_TOKEN" | jq -r '"\(.issuer)\(.nonce)"')
@@ -59,11 +59,11 @@ echo -e "Pre-Authorized Code: $PRE_AUTHORIZED_CODE \n"
 
 # Obtain the credential
 # See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-request
-CREDENTIAL_BEARER_TOKEN=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/openid-connect/token \
+CREDENTIAL_BEARER_TOKEN=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -d 'grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code' \
-    -d "pre-authorized_code=$PRE_AUTHORIZED_CODE" \
+    -d "code=$PRE_AUTHORIZED_CODE" \
     -d "client_id=openid4vc-rest-api" \
     -d "client_secret=$CLIENT_SECRET") \
 
@@ -88,12 +88,12 @@ echo -e "Credential Access Token: $CREDENTIAL_ACCESS_TOKEN \n"
 . ./generate_key_proof.sh
 
 # Prepare request payload
-REQ_BODY=$(cat $WORK_DIR/credential_request_body.json | jq --arg credential_identifier "IdentityCredential" --arg proof_jwt "$USER_KEY_PROOF" '.credential_identifier = $credential_identifier | .proof.jwt = $proof_jwt')
+REQ_BODY=$(cat $WORK_DIR/credential_request_body.json | jq --arg credential_identifier "IdentityCredential" --arg proof_jwt "$USER_KEY_PROOF" '.credential_identifier = $credential_identifier | .proof.proofObject = $proof_jwt')
 
 echo "REQ_BODY: " $REQ_BODY
 
 # Obtain the credential
-CREDENTIAL=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/oid4vc/credential \
+CREDENTIAL=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/oid4vc/credential \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $CREDENTIAL_ACCESS_TOKEN" \