From d38ee4c1102e174d214cc0af7d4fb8f395f7fe29 Mon Sep 17 00:00:00 2001
From: Thomas Diesler <tdiesler@proton.me>
Date: Sat, 21 Mar 2026 06:16:15 +0100
Subject: [PATCH] [OID4VCI] Migrate preauth offer tests to separate package

Signed-off-by: Thomas Diesler <tdiesler@proton.me>
---
 .../deprecation-check.sh                      |   2 +-
 .../realm/RealmConfigBuilder.java             |   4 +-
 .../tests/oid4vc/OID4VCActionTest.java        |   6 +-
 .../tests/oid4vc/OID4VCBasicWallet.java       |  28 ++++-
 .../oid4vc/OID4VCIWellKnownProviderTest.java  |  25 +---
 .../oid4vc/OID4VCIssuerEndpointTest.java      |   2 +-
 .../tests/oid4vc/OID4VCIssuerTestBase.java    | 118 +++++++++---------
 .../tests/oid4vc/OID4VCTestContext.java       |  17 +--
 ... => OID4VCredentialOfferAuthCodeTest.java} |  14 +--
 .../OID4VCActionPreAuthTest.java              |   5 +-
 .../OID4VCJWTIssuerEndpointPreAuthTest.java   |   4 +-
 .../OID4VCredentialOfferPreAuthTest.java}     |  15 +--
 12 files changed, 115 insertions(+), 125 deletions(-)
 rename tests/base/src/test/java/org/keycloak/tests/oid4vc/{OID4VCAuthCodeOfferTest.java => OID4VCredentialOfferAuthCodeTest.java} (96%)
 rename tests/base/src/test/java/org/keycloak/tests/oid4vc/{ => preauth}/OID4VCActionPreAuthTest.java (97%)
 rename tests/base/src/test/java/org/keycloak/tests/oid4vc/{ => preauth}/OID4VCJWTIssuerEndpointPreAuthTest.java (98%)
 rename tests/base/src/test/java/org/keycloak/tests/oid4vc/{OID4VCPreAuthorizedCodeOfferTest.java => preauth/OID4VCredentialOfferPreAuthTest.java} (93%)

diff --git a/.github/actions/testsuite-deprecation-check/deprecation-check.sh b/.github/actions/testsuite-deprecation-check/deprecation-check.sh
index 45f59698c42..4f57836f483 100755
--- a/.github/actions/testsuite-deprecation-check/deprecation-check.sh
+++ b/.github/actions/testsuite-deprecation-check/deprecation-check.sh
@@ -18,7 +18,7 @@ if [ $GITHUB_EVENT_NAME == "pull_request" ]; then
     echo "========================================================================================"
     echo "Deprecated testsuite module: "
     echo " * Adding new file(s) is forbidden."
-    echo " * Maximum 50 lines can be added to a single file."
+    echo " * Maximum 100 lines can be added to a single file."
     echo ""
     echo "Please, migrate the added/changed file(s) and use the new test framework instead."
     echo "See: https://github.com/keycloak/keycloak/tree/main/testsuite/DEPRECATED.md for more details."
diff --git a/test-framework/core/src/main/java/org/keycloak/testframework/realm/RealmConfigBuilder.java b/test-framework/core/src/main/java/org/keycloak/testframework/realm/RealmConfigBuilder.java
index 16661eab90b..0c27c2a3af1 100644
--- a/test-framework/core/src/main/java/org/keycloak/testframework/realm/RealmConfigBuilder.java
+++ b/test-framework/core/src/main/java/org/keycloak/testframework/realm/RealmConfigBuilder.java
@@ -327,13 +327,13 @@ public class RealmConfigBuilder {
         return this;
     }
 
-    public RealmConfigBuilder clientPolicy(ClientPolicyRepresentation clienPolicyRep) {
+    public RealmConfigBuilder clientPolicy(ClientPolicyRepresentation clientPolicyRep) {
         ClientPoliciesRepresentation clientPolicies = rep.getParsedClientPolicies();
         if (clientPolicies == null) {
             clientPolicies = new ClientPoliciesRepresentation();
         }
         List<ClientPolicyRepresentation> policies = clientPolicies.getPolicies();
-        policies.add(clienPolicyRep);
+        policies.add(clientPolicyRep);
         rep.setParsedClientPolicies(clientPolicies);
         return this;
     }
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCActionTest.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCActionTest.java
index b8033578482..caaa9d9d4ec 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCActionTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCActionTest.java
@@ -62,7 +62,7 @@ public class OID4VCActionTest extends OID4VCIssuerTestBase {
         user.admin().logout();
     }
 
-    static String getKcActionParameter(String clientId, String credentialConfigId, boolean preAuthorized) {
+    public static String getKcActionParameter(String clientId, String credentialConfigId, boolean preAuthorized) {
         try {
             VerifiableCredentialOfferAction.CredentialOfferActionConfig cfg = new VerifiableCredentialOfferAction.CredentialOfferActionConfig();
             cfg.setCredentialConfigurationId(credentialConfigId);
@@ -76,11 +76,11 @@ public class OID4VCActionTest extends OID4VCIssuerTestBase {
         }
     }
 
-    static String getNonceFromCredentialOfferUri(String credentialOfferUri) {
+    public static String getNonceFromCredentialOfferUri(String credentialOfferUri) {
         return credentialOfferUri.substring(credentialOfferUri.lastIndexOf("/") + 1);
     }
 
-    static void verifyVCActionCredentialResponse(CredentialResponse credResponse) {
+    public static void verifyVCActionCredentialResponse(CredentialResponse credResponse) {
         CredentialResponse.Credential credentialObj = credResponse.getCredentials().get(0);
         assertNotNull(credentialObj, "The first credential in the array should not be null");
         IssuerSignedJWT issuerSignedJWT = SdJwtVP.of(credentialObj.getCredential().toString()).getIssuerSignedJWT();
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCBasicWallet.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCBasicWallet.java
index b32002c112a..1918c467775 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCBasicWallet.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCBasicWallet.java
@@ -1,5 +1,6 @@
 package org.keycloak.tests.oid4vc;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -13,6 +14,7 @@ import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.UserResource;
 import org.keycloak.jose.jws.JWSHeader;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.protocol.oid4vc.model.CredentialIssuer;
 import org.keycloak.protocol.oid4vc.model.CredentialOfferURI;
 import org.keycloak.protocol.oid4vc.model.CredentialRequest;
@@ -74,7 +76,7 @@ public class OID4VCBasicWallet {
 
     // Composite Actions -----------------------------------------------------------------------------------------------
 
-    public CredentialsOffer createAuthCodeCredentialOffer(OID4VCTestContext ctx, String targetUser) throws Exception {
+    public CredentialsOffer createAuthCodeCredentialOffer(OID4VCTestContext ctx, String targetUser) {
 
         // Get Issuer AccessToken
         //
@@ -110,7 +112,7 @@ public class OID4VCBasicWallet {
         return credOffer;
     }
 
-    public CredentialsOffer createPreAuthCredentialOffer(OID4VCTestContext ctx, String targetUser) throws Exception {
+    public CredentialsOffer createPreAuthCredentialOffer(OID4VCTestContext ctx, String targetUser) {
 
         // Get Issuer AccessToken
         //
@@ -269,10 +271,17 @@ public class OID4VCBasicWallet {
             AccessTokenResponse tokenResponse,
             List<String> includeScopes, List<String> excludeScopes,
             List<String> includeRoles, List<String> excludeRoles
-    ) throws Exception {
+    ) {
 
         String accessToken = tokenResponse.getAccessToken();
-        JsonWebToken jwt = JsonSerialization.readValue(new JWSInput(accessToken).getContent(), JsonWebToken.class);
+
+        JsonWebToken jwt;
+        try {
+            jwt = JsonSerialization.readValue(new JWSInput(accessToken).getContent(), JsonWebToken.class);
+        } catch (IOException | JWSInputException ex) {
+            throw new IllegalStateException(ex);
+        }
+
         List<String> wasScopes = Arrays.stream(((String) jwt.getOtherClaims().get("scope")).split("\\s")).toList();
         includeScopes.forEach(it -> assertTrue(wasScopes.contains(it), "Missing scope: " + it));
         excludeScopes.forEach(it -> assertFalse(wasScopes.contains(it), "Invalid scope: " + it));
@@ -297,7 +306,7 @@ public class OID4VCBasicWallet {
         return accessToken;
     }
 
-    public String validateHolderAccessToken(OID4VCTestContext ctx, AccessTokenResponse tokenResponse) throws Exception {
+    public String validateHolderAccessToken(OID4VCTestContext ctx, AccessTokenResponse tokenResponse) {
 
         // Check that we can extract the AccessToken
         if (!tokenResponse.isSuccess()) {
@@ -314,7 +323,14 @@ public class OID4VCBasicWallet {
 
         // Extract authorization_details from AccessToken (JWT)
         //
-        JsonWebToken jwt = new JWSInput(tokenResponse.getAccessToken()).readJsonContent(JsonWebToken.class);
+
+        JsonWebToken jwt;
+        try {
+            jwt = new JWSInput(tokenResponse.getAccessToken()).readJsonContent(JsonWebToken.class);
+        } catch (JWSInputException ex) {
+            throw new IllegalStateException(ex);
+        }
+
         Object authDetailsClaim = jwt.getOtherClaims().get(AUTHORIZATION_DETAILS);
         String authDetailsJson = Optional.ofNullable(authDetailsClaim)
                 .map(JsonSerialization::valueAsString)
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIWellKnownProviderTest.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIWellKnownProviderTest.java
index 6e8cb5776f9..1927e49e3e7 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIWellKnownProviderTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIWellKnownProviderTest.java
@@ -43,28 +43,15 @@ public class OID4VCIWellKnownProviderTest extends OID4VCIssuerTestBase {
     @InjectRunOnServer
     RunOnServerClient runOnServer;
 
-    boolean configuredAlready;
-
     @TestSetup
     public void configureTestRealm() {
+        super.configureTestRealm();
 
-        // When named differently this method is called before OID4VCIssuerTestBase.configureTestRealm()
-        // When named the same name, it is called twice (i.e. does not override)
-        //
-        // [TODO] IntegrationTest sub class @TestSetup called before super class
-        // https://github.com/keycloak/keycloak/issues/46667
-
-        if (!configuredAlready) {
-            super.configureTestRealm();
-
-            ComponentsResource components = testRealm.admin().components();
-            components.add(getRsaKeyProvider(getRsaKey_Default())).close();
-            components.add(getRsaEncKeyProvider(RSA_OAEP_256, "enc-key-oaep256", 100)).close();
-            components.add(getAesKeyProvider(A128KW, "aes-enc", "ENC", "aes-generated")).close();
-            components.add(getAesKeyProvider(Algorithm.HS256, "aes-sig", "SIG", "hmac-generated")).close();
-
-            configuredAlready = true;
-        }
+        ComponentsResource components = testRealm.admin().components();
+        components.add(getRsaKeyProvider(getRsaKey_Default())).close();
+        components.add(getRsaEncKeyProvider(RSA_OAEP_256, "enc-key-oaep256", 100)).close();
+        components.add(getAesKeyProvider(A128KW, "aes-enc", "ENC", "aes-generated")).close();
+        components.add(getAesKeyProvider(Algorithm.HS256, "aes-sig", "SIG", "hmac-generated")).close();
     }
 
     @Test
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerEndpointTest.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerEndpointTest.java
index 6bf36af189d..e205c070c5c 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerEndpointTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerEndpointTest.java
@@ -388,7 +388,7 @@ public abstract class OID4VCIssuerEndpointTest extends OID4VCIssuerTestBase {
         }
     }
 
-    protected class CredentialResponseHandler {
+    public static class CredentialResponseHandler {
         final Logger log = Logger.getLogger(OID4VCIssuerEndpointTest.class);
 
         protected void handleCredentialResponse(CredentialResponse credentialResponse, ClientScopeRepresentation clientScope) throws VerificationException {
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerTestBase.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerTestBase.java
index f53aa8ff049..0f24dd8120b 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerTestBase.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCIssuerTestBase.java
@@ -23,6 +23,8 @@ import java.util.UUID;
 import org.keycloak.OID4VCConstants;
 import org.keycloak.VCFormat;
 import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.resource.ClientScopeResource;
+import org.keycloak.admin.client.resource.ClientScopesResource;
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.common.Profile;
 import org.keycloak.common.crypto.CryptoIntegration;
@@ -50,7 +52,6 @@ import org.keycloak.representations.idm.ClientScopeRepresentation;
 import org.keycloak.representations.idm.ComponentRepresentation;
 import org.keycloak.representations.idm.ProtocolMapperRepresentation;
 import org.keycloak.representations.idm.RealmEventsConfigRepresentation;
-import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.representations.userprofile.config.UPConfig;
 import org.keycloak.testframework.annotations.InjectAdminClient;
@@ -112,33 +113,33 @@ public abstract class OID4VCIssuerTestBase {
     public static final String minimalJwtTypeCredentialScopeName = "vc-with-minimal-config";
     public static final String minimalJwtTypeCredentialConfigurationIdName = "vc-with-minimal-config-id";
 
-    @InjectRealm(config = VCTestRealmConfig.class)
-    protected ManagedRealm testRealm;
-
-    @InjectClient(ref = "oid4vci-client", config = OID4VCIClient.class)
-    ManagedClient managedClient;
-
-    @InjectOAuthClient
-    protected OAuthClient oauth;
-
-    @InjectTimeOffSet
-    TimeOffSet timeOffSet;
-
-    @InjectEvents
-    protected Events events;
-
-    @InjectWebDriver
-    ManagedWebDriver driver;
-
-    @InjectAdminClient
-    Keycloak keycloak;
-
     protected CredentialScopeRepresentation minimalJwtTypeCredentialScope;
     protected CredentialScopeRepresentation jwtTypeCredentialScope;
     protected CredentialScopeRepresentation sdJwtTypeCredentialScope;
 
     protected ClientRepresentation client;
 
+    @InjectRealm(config = VCTestRealmConfig.class)
+    protected ManagedRealm testRealm;
+
+    @InjectClient(ref = "oid4vci-client", config = OID4VCIClient.class)
+    protected ManagedClient managedClient;
+
+    @InjectOAuthClient
+    protected OAuthClient oauth;
+
+    @InjectTimeOffSet
+    protected TimeOffSet timeOffSet;
+
+    @InjectEvents
+    protected Events events;
+
+    @InjectWebDriver
+    protected ManagedWebDriver driver;
+
+    @InjectAdminClient
+    protected Keycloak keycloak;
+
     @TestSetup
     public void configureTestRealm() {
         RealmResource realmResource = testRealm.admin();
@@ -159,29 +160,7 @@ public abstract class OID4VCIssuerTestBase {
         enableVerifiableCredentialEvents(testRealm);
     }
 
-    public static void enableVerifiableCredentialEvents(ManagedRealm realm) {
-        RealmEventsConfigRepresentation realmEventsConfig = realm.admin().getRealmEventsConfig();
-        List<String> enabledEventTypes = realmEventsConfig.getEnabledEventTypes();
-        if (!enabledEventTypes.contains(EventType.VERIFIABLE_CREDENTIAL_NONCE_REQUEST.name())) {
-            enabledEventTypes.add(EventType.VERIFIABLE_CREDENTIAL_NONCE_REQUEST.name());
-            realm.admin().updateRealmEventsConfig(realmEventsConfig);
-        }
-    }
-
-    boolean shouldEnableOid4vci(RealmRepresentation realm) {
-        return true;
-    }
-
-    boolean shouldEnableOid4vci(ClientRepresentation client) {
-        return true;
-    }
-
-    boolean isOid4vciEnabled(ClientRepresentation client) {
-        Map<String, String> attributes = Optional.ofNullable(client.getAttributes()).orElse(new HashMap<>());
-        return Boolean.parseBoolean(attributes.get(OID4VCI_ENABLED_ATTRIBUTE_KEY));
-    }
-
-    CredentialScopeRepresentation getExistingCredentialScope(String scopeName) {
+    protected CredentialScopeRepresentation getExistingCredentialScope(String scopeName) {
         return testRealm.admin().clientScopes().findAll().stream()
                 .filter(it -> scopeName.equals(it.getName()))
                 .map(CredentialScopeRepresentation::new)
@@ -189,7 +168,7 @@ public abstract class OID4VCIssuerTestBase {
                 .orElse(null);
     }
 
-    KeyWrapper getRsaKey(KeyUse keyUse, String algorithm, String keyName) {
+    protected KeyWrapper getRsaKey(KeyUse keyUse, String algorithm, String keyName) {
         try {
             KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
             kpg.initialize(2048);
@@ -209,20 +188,20 @@ public abstract class OID4VCIssuerTestBase {
         }
     }
 
-    ComponentRepresentation getRsaKeyProvider(KeyWrapper keyWrapper) {
+    protected ComponentRepresentation getRsaKeyProvider(KeyWrapper keyWrapper) {
         return createRsaKeyProviderComponent(keyWrapper, "rsa-key-provider", 0);
     }
 
-    ComponentRepresentation getRsaEncKeyProvider(String algorithm, String keyName, int priority) {
+    protected ComponentRepresentation getRsaEncKeyProvider(String algorithm, String keyName, int priority) {
         KeyWrapper keyWrapper = getRsaKey(KeyUse.ENC, algorithm, keyName);
         return createRsaKeyProviderComponent(keyWrapper, keyName, priority);
     }
 
-    KeyWrapper getRsaKey_Default() {
+    protected KeyWrapper getRsaKey_Default() {
         return getRsaKey(KeyUse.SIG, "RS256", null);
     }
 
-    ComponentRepresentation getAesKeyProvider(String algorithm, String keyName, String keyUse, String providerId) {
+    protected ComponentRepresentation getAesKeyProvider(String algorithm, String keyName, String keyUse, String providerId) {
         // Generate a random AES key (default length: 256 bits)
         byte[] secret = SecretGenerator.getInstance().randomBytes(32); // 32 bytes = 256 bits
         String secretBase64 = Base64.getEncoder().encodeToString(secret);
@@ -245,23 +224,23 @@ public abstract class OID4VCIssuerTestBase {
         return component;
     }
 
-    String getBearerToken(OAuthClient oauthClient) {
+    protected String getBearerToken(OAuthClient oauthClient) {
         return getBearerToken(oauthClient, null);
     }
 
-    String getBearerToken(OAuthClient oauthClient, ClientRepresentation client) {
+    protected String getBearerToken(OAuthClient oauthClient, ClientRepresentation client) {
         return getBearerToken(oauthClient, client, null);
     }
 
-    String getBearerToken(OAuthClient oauthClient, ClientRepresentation client, String scope) {
+    protected String getBearerToken(OAuthClient oauthClient, ClientRepresentation client, String scope) {
         return getBearerToken(oauthClient, client, "john", scope);
     }
 
-    String getBearerToken(OAuthClient oauthClient, ClientRepresentation client, String username, String scope) {
+    protected String getBearerToken(OAuthClient oauthClient, ClientRepresentation client, String username, String scope) {
         return getBearerTokenCodeFlow(oauthClient, client, username, scope).getAccessToken();
     }
 
-    AccessTokenResponse getBearerTokenCodeFlow(OAuthClient oauthClient, ClientRepresentation client, String username, String scope) {
+    protected AccessTokenResponse getBearerTokenCodeFlow(OAuthClient oauthClient, ClientRepresentation client, String username, String scope) {
         var authCode = getAuthorizationCode(oauthClient, client, username, scope);
         return oauthClient.accessTokenRequest(authCode).send();
     }
@@ -287,7 +266,7 @@ public abstract class OID4VCIssuerTestBase {
         return authorizationEndpointResponse;
     }
 
-    AccessTokenResponse getBearerToken(OAuthClient oauthClient, String authCode, OID4VCAuthorizationDetail... authDetail) {
+    protected AccessTokenResponse getBearerToken(OAuthClient oauthClient, String authCode, OID4VCAuthorizationDetail... authDetail) {
         AccessTokenRequest accessTokenRequest = oauthClient.accessTokenRequest(authCode);
         if (authDetail != null && authDetail.length > 0) {
             accessTokenRequest.authorizationDetails(Arrays.asList(authDetail));
@@ -299,11 +278,17 @@ public abstract class OID4VCIssuerTestBase {
         return tokenResponse;
     }
 
-    CredentialScopeRepresentation requireExistingCredentialScope(String scopeName) {
+    protected CredentialScopeRepresentation requireExistingCredentialScope(String scopeName) {
         return Optional.ofNullable(getExistingCredentialScope(scopeName))
                 .orElseThrow(() -> new IllegalStateException("No such credential scope: " + scopeName));
     }
 
+    protected void updateCredentialScope(CredentialScopeRepresentation clientScope) {
+        ClientScopesResource clientScopesResource = testRealm.admin().clientScopes();
+        ClientScopeResource clientScopeResource = clientScopesResource.get(clientScope.getId());
+        clientScopeResource.update(clientScope);
+    }
+
     // Private ---------------------------------------------------------------------------------------------------------
 
     private ComponentRepresentation createRsaKeyProviderComponent(KeyWrapper keyWrapper, String name, int priority) {
@@ -329,6 +314,15 @@ public abstract class OID4VCIssuerTestBase {
         return component;
     }
 
+    private void enableVerifiableCredentialEvents(ManagedRealm realm) {
+        RealmEventsConfigRepresentation realmEventsConfig = realm.admin().getRealmEventsConfig();
+        List<String> enabledEventTypes = realmEventsConfig.getEnabledEventTypes();
+        if (!enabledEventTypes.contains(EventType.VERIFIABLE_CREDENTIAL_NONCE_REQUEST.name())) {
+            enabledEventTypes.add(EventType.VERIFIABLE_CREDENTIAL_NONCE_REQUEST.name());
+            realm.admin().updateRealmEventsConfig(realmEventsConfig);
+        }
+    }
+
     // Static Config and RunOnServer Helpers ---------------------------------------------------------------------------
 
     public static class VCTestServerConfig implements KeycloakServerConfig {
@@ -338,7 +332,7 @@ public abstract class OID4VCIssuerTestBase {
         }
     }
 
-    static class VCTestServerWithPreAuthCodeEnabled implements KeycloakServerConfig {
+    public static class VCTestServerWithPreAuthCodeEnabled implements KeycloakServerConfig {
         @Override
         public KeycloakServerConfigBuilder configure(KeycloakServerConfigBuilder config) {
             return config.features(Profile.Feature.OID4VC_VCI, Profile.Feature.OID4VC_VCI_PREAUTH_CODE);
@@ -397,7 +391,7 @@ public abstract class OID4VCIssuerTestBase {
 
             realm.addUser(getUserRepresentation("John Doe", Map.of("did", "did:key:1234"), List.of(CREDENTIAL_OFFER_CREATE.getName()), Collections.emptyMap()));
             realm.addUser(getUserRepresentation("Alice Wonderland", Map.of("did", "did:key:5678"), List.of(), Map.of()));
-            
+
             return realm;
         }
 
@@ -494,7 +488,7 @@ public abstract class OID4VCIssuerTestBase {
         }
     }
 
-    static class OID4VCIClient implements ClientConfig {
+    public static class OID4VCIClient implements ClientConfig {
 
         @Override
         public ClientConfigBuilder configure(ClientConfigBuilder client) {
@@ -511,7 +505,7 @@ public abstract class OID4VCIssuerTestBase {
         }
     }
 
-    static class ProtocolMapperUtils {
+    public static class ProtocolMapperUtils {
 
         static ProtocolMapperRepresentation getIssuedAtTimeMapper(String subjectProperty, String truncateToTimeUnit, String valueSource) {
             ProtocolMapperRepresentation protocolMapperRepresentation = new ProtocolMapperRepresentation();
@@ -596,7 +590,7 @@ public abstract class OID4VCIssuerTestBase {
         }
     }
 
-    protected static class StaticTimeProvider implements TimeProvider {
+    public static class StaticTimeProvider implements TimeProvider {
         private final int currentTimeInS;
 
         public StaticTimeProvider(int currentTimeInS) {
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCTestContext.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCTestContext.java
index d74a6cda6da..345c427a0d3 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCTestContext.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCTestContext.java
@@ -33,15 +33,16 @@ public class OID4VCTestContext {
     static final AttachmentKey<AccessTokenResponse> ACCESS_TOKEN_RESPONSE_ATTACHMENT_KEY = new AttachmentKey<>(AccessTokenResponse.class);
     static final AttachmentKey<CredentialResponse> CREDENTIAL_RESPONSE_ATTACHMENT_KEY = new AttachmentKey<>(CredentialResponse.class);
 
-    ClientRepresentation client;
-    String clientId;
-    String issuer;      // Issuing username (i.e. agent who creates credential offers)
-    String holder;      // Holder who requests the credential
-    String credConfigId;
-    String credScopeName;
-    CredentialScopeRepresentation credentialScope;
+    public String clientId;
+    public String issuer;      // Issuing username (i.e. agent who creates credential offers)
+    public String holder;      // Holder who requests the credential
+    public String credConfigId;
+    public String credScopeName;
 
-    Map<AttachmentKey<?>, Object> attachments = new HashMap<>();
+    public ClientRepresentation client;
+    public CredentialScopeRepresentation credentialScope;
+
+    private final Map<AttachmentKey<?>, Object> attachments = new HashMap<>();
 
     public OID4VCTestContext(ClientRepresentation client, CredentialScopeRepresentation credentialScope) {
         this.client = client;
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCAuthCodeOfferTest.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCredentialOfferAuthCodeTest.java
similarity index 96%
rename from tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCAuthCodeOfferTest.java
rename to tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCredentialOfferAuthCodeTest.java
index 9a43b51ab77..5d76859c69e 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCAuthCodeOfferTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCredentialOfferAuthCodeTest.java
@@ -10,7 +10,6 @@ import org.keycloak.protocol.oid4vc.model.CredentialsOffer;
 import org.keycloak.protocol.oid4vc.model.OID4VCAuthorizationDetail;
 import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
 import org.keycloak.representations.JsonWebToken;
-import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.sdjwt.IssuerSignedJWT;
 import org.keycloak.sdjwt.vp.SdJwtVP;
 import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
@@ -48,7 +47,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
  * +----------+----------+---------+------------------------------------------------------+
  */
 @KeycloakIntegrationTest(config = VCTestServerConfig.class)
-public class OID4VCAuthCodeOfferTest extends OID4VCIssuerTestBase {
+public class OID4VCredentialOfferAuthCodeTest extends OID4VCIssuerTestBase {
 
     OID4VCBasicWallet wallet;
 
@@ -63,14 +62,7 @@ public class OID4VCAuthCodeOfferTest extends OID4VCIssuerTestBase {
     }
 
     @Test
-    public void testRealmSetup() {
-        RealmRepresentation realmRep = testRealm.admin().toRepresentation();
-        assertEquals(shouldEnableOid4vci(realmRep), realmRep.isVerifiableCredentialsEnabled());
-        assertEquals(shouldEnableOid4vci(client), isOid4vciEnabled(client));
-    }
-
-    @Test
-    public void testWithoutOffer_Scope() throws Exception {
+    public void testNoOffer_Scope() throws Exception {
 
         var ctx = new OID4VCTestContext(client, jwtTypeCredentialScope);
 
@@ -102,7 +94,7 @@ public class OID4VCAuthCodeOfferTest extends OID4VCIssuerTestBase {
     }
 
     @Test
-    public void testWithoutOffer_Scope_AuthDetails() throws Exception {
+    public void testNoOffer_Scope_AuthDetails() throws Exception {
 
         var ctx = new OID4VCTestContext(client, jwtTypeCredentialScope);
 
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCActionPreAuthTest.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCActionPreAuthTest.java
similarity index 97%
rename from tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCActionPreAuthTest.java
rename to tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCActionPreAuthTest.java
index c6265b15266..d418307ece2 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCActionPreAuthTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCActionPreAuthTest.java
@@ -1,4 +1,4 @@
-package org.keycloak.tests.oid4vc;
+package org.keycloak.tests.oid4vc.preauth;
 
 
 import org.keycloak.events.Details;
@@ -12,6 +12,9 @@ import org.keycloak.testframework.realm.ManagedUser;
 import org.keycloak.testframework.ui.annotations.InjectPage;
 import org.keycloak.testframework.ui.page.OID4VCCredentialOfferPage;
 import org.keycloak.tests.common.TestRealmUserConfig;
+import org.keycloak.tests.oid4vc.OID4VCBasicWallet;
+import org.keycloak.tests.oid4vc.OID4VCIssuerTestBase;
+import org.keycloak.tests.oid4vc.OID4VCTestContext;
 import org.keycloak.testsuite.util.oauth.AccessTokenResponse;
 import org.keycloak.testsuite.util.oauth.oid4vc.CredentialOfferResponse;
 
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCJWTIssuerEndpointPreAuthTest.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCJWTIssuerEndpointPreAuthTest.java
similarity index 98%
rename from tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCJWTIssuerEndpointPreAuthTest.java
rename to tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCJWTIssuerEndpointPreAuthTest.java
index dfc6e95b0de..ef127b52276 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCJWTIssuerEndpointPreAuthTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCJWTIssuerEndpointPreAuthTest.java
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.keycloak.tests.oid4vc;
+package org.keycloak.tests.oid4vc.preauth;
 
 import java.io.IOException;
 import java.util.List;
@@ -30,6 +30,8 @@ import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentatio
 import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
 import org.keycloak.testframework.remote.runonserver.InjectRunOnServer;
 import org.keycloak.testframework.remote.runonserver.RunOnServerClient;
+import org.keycloak.tests.oid4vc.OID4VCIssuerEndpointTest;
+import org.keycloak.tests.oid4vc.OID4VCIssuerTestBase;
 import org.keycloak.testsuite.util.AccountHelper;
 import org.keycloak.testsuite.util.oauth.AccessTokenResponse;
 import org.keycloak.testsuite.util.oauth.oid4vc.CredentialOfferResponse;
diff --git a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCPreAuthorizedCodeOfferTest.java b/tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCredentialOfferPreAuthTest.java
similarity index 93%
rename from tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCPreAuthorizedCodeOfferTest.java
rename to tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCredentialOfferPreAuthTest.java
index eeff9f39a8b..9fd72f382c4 100644
--- a/tests/base/src/test/java/org/keycloak/tests/oid4vc/OID4VCPreAuthorizedCodeOfferTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oid4vc/preauth/OID4VCredentialOfferPreAuthTest.java
@@ -1,4 +1,4 @@
-package org.keycloak.tests.oid4vc;
+package org.keycloak.tests.oid4vc.preauth;
 
 import java.net.URI;
 import java.util.List;
@@ -9,9 +9,11 @@ import org.keycloak.protocol.oid4vc.model.CredentialResponse;
 import org.keycloak.protocol.oid4vc.model.CredentialsOffer;
 import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
 import org.keycloak.representations.JsonWebToken;
-import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
+import org.keycloak.tests.oid4vc.OID4VCBasicWallet;
+import org.keycloak.tests.oid4vc.OID4VCIssuerTestBase;
+import org.keycloak.tests.oid4vc.OID4VCTestContext;
 import org.keycloak.testsuite.util.oauth.AccessTokenResponse;
 import org.keycloak.util.JsonSerialization;
 
@@ -37,7 +39,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
  * +----------+----------+---------+------------------------------------------------------+
  */
 @KeycloakIntegrationTest(config = OID4VCIssuerTestBase.VCTestServerWithPreAuthCodeEnabled.class)
-public class OID4VCPreAuthorizedCodeOfferTest extends OID4VCIssuerTestBase {
+public class OID4VCredentialOfferPreAuthTest extends OID4VCIssuerTestBase {
 
     OID4VCBasicWallet wallet;
 
@@ -47,13 +49,6 @@ public class OID4VCPreAuthorizedCodeOfferTest extends OID4VCIssuerTestBase {
         wallet.logout();
     }
 
-    @Test
-    public void testRealmSetup() {
-        RealmRepresentation realmRep = testRealm.admin().toRepresentation();
-        assertEquals(shouldEnableOid4vci(realmRep), realmRep.isVerifiableCredentialsEnabled());
-        assertEquals(shouldEnableOid4vci(client), isOid4vciEnabled(client));
-    }
-
     @Test
     public void testPreAuthOffer_DisabledUser() {