From 6d9faec1affe849bb0db5d4beab2007ddf5b63fc Mon Sep 17 00:00:00 2001
From: Miguel Ortega <miguel.ortega@seamware.com>
Date: Wed, 19 Nov 2025 15:31:16 +0100
Subject: [PATCH 1/5] feat(login): add configuration to enable Sign In using VC

---
 src/requirements.txt                          |   2 +
 src/settings.py                               |  18 +-
 src/urls.py                                   |  11 ++
 src/wirecloud/backends/vc_backend.py          |  73 ++++++++
 src/wirecloud/commons/utils/conf.py           |   1 +
 .../locale/es/LC_MESSAGES/django.po           |   8 +
 .../templates/registration/login.html         |  15 +-
 src/wirecloud/platform/context_processors.py  |  16 +-
 src/wirecloud/vc_login/exceptions.py          |  25 +++
 src/wirecloud/vc_login/vc_login.py            | 172 ++++++++++++++++++
 src/wirecloud/vc_login/vc_payload.py          |  16 ++
 src/wirecloud/vc_login/views.py               |  80 ++++++++
 12 files changed, 429 insertions(+), 8 deletions(-)
 create mode 100644 src/wirecloud/backends/vc_backend.py
 create mode 100644 src/wirecloud/vc_login/exceptions.py
 create mode 100644 src/wirecloud/vc_login/vc_login.py
 create mode 100644 src/wirecloud/vc_login/vc_payload.py
 create mode 100644 src/wirecloud/vc_login/views.py

diff --git a/src/requirements.txt b/src/requirements.txt
index 60a244ccd6..c3ff5ea653 100644
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,4 +1,5 @@
 Django>=2.0,<2.3
+django-nose
 lxml>=2.3
 django_compressor>=2.0,<2.3
 rdflib>=3.2.0
@@ -15,3 +16,4 @@ pyScss>=1.3.4,<2.0
 Pygments
 pillow
 jsonpatch
+python-jose>=3.3.0
\ No newline at end of file
diff --git a/src/settings.py b/src/settings.py
index 1ece504c45..2b7ef24c90 100644
--- a/src/settings.py
+++ b/src/settings.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 # Django settings used as base for developing wirecloud.
 
-from os import path
+from os import path, environ
 from wirecloud.commons.utils.conf import load_default_wirecloud_conf
 from django.urls import reverse_lazy
 
@@ -116,7 +116,7 @@
 
 # Authentication
 AUTHENTICATION_BACKENDS = (
-    'django.contrib.auth.backends.ModelBackend',
+    'django.contrib.auth.backends.ModelBackend'
 )
 
 # WGT deployment dirs
@@ -169,3 +169,17 @@
 #         'CLASS': 'selenium.webdriver.Safari',
 #     },
 # }
+
+
+VC_LOGIN_CONFIG = {
+    'enabled': environ.get('VC_LOGIN_ENABLED', 'True').lower() in ('true', 'yes', 't'),
+    'verifier_host': environ.get('VC_VERIFIER_HOST', 'https://verifier.seamware.io'),
+    'verifier_qr_path': environ.get('VC_VERIFIER_QR_PATH', '/api/v2/loginQR'),
+    'verifier_token_path': environ.get('VC_VERIFIER_TOKEN_PATH', '/token'),
+    'verifier_jwks_path': environ.get('VC_VERIFIER_JWKS_PATH', '/.well-known/jwks'),
+    'client_id': environ.get('VC_CLIENT_ID', 'did:web:did-producer.seamware.io:did'),
+    'scope': environ.get('VC_SCOPE', 'openid learcredential')
+}
+
+if VC_LOGIN_CONFIG['enabled']:
+        AUTHENTICATION_BACKENDS += ('wirecloud.backends.vc_backend.VCBackend')
\ No newline at end of file
diff --git a/src/urls.py b/src/urls.py
index 5196e6bebb..64ffe09498 100644
--- a/src/urls.py
+++ b/src/urls.py
@@ -5,10 +5,16 @@
 from django.contrib import admin
 from django.contrib.auth import views as django_auth
 from django.contrib.staticfiles.urls import staticfiles_urlpatterns
+from django.conf import settings
 
 from wirecloud.commons import authentication as wc_auth
 import wirecloud.platform.urls
 
+
+vc_login_enabled = settings.VC_LOGIN_CONFIG['enabled']
+if vc_login_enabled:
+    from wirecloud.vc_login import views as vc_login_views
+
 admin.autodiscover()
 
 urlpatterns = (
@@ -23,6 +29,11 @@
     url(r'^login/?$', django_auth.LoginView.as_view(), name="login"),
     url(r'^logout/?$', wc_auth.logout, name="logout"),
     url(r'^admin/logout/?$', wc_auth.logout),
+    # VC login when enabled
+    *([
+        url(r'^vc/login/?$', vc_login_views.vc_sso_login, name='vc_sso_login'),
+        url(r'^vc/callback/?$', vc_login_views.vc_sso_callback, name='vc_sso_callback'),
+    ] if vc_login_enabled else []),
 
     # Admin interface
     url(r'^admin/', admin.site.urls),
diff --git a/src/wirecloud/backends/vc_backend.py b/src/wirecloud/backends/vc_backend.py
new file mode 100644
index 0000000000..da0c4163be
--- /dev/null
+++ b/src/wirecloud/backends/vc_backend.py
@@ -0,0 +1,73 @@
+from django.contrib.auth.backends import ModelBackend
+from django.contrib.auth import get_user_model
+from django.db import IntegrityError
+import logging
+from wirecloud.vc_login.vc_payload import VCPayload
+# Get the active User model (handles custom user models)
+User = get_user_model()
+logger = logging.getLogger(__name__)
+
+class VCBackend(ModelBackend):
+    """
+    Custom authentication backend that provisions (creates) a new user or
+    logs in and updates an existing user based on a validated
+    Verifiable Credential (VC) payload.
+    """
+
+    def authenticate(self, request, vc_payload: VCPayload = None, **kwargs):
+        """
+        Retrieves user data from the VC payload and handles the login/creation process.
+        """
+        if vc_payload is None:
+            return None
+
+        email = vc_payload.email
+        first_name = vc_payload.first_name
+        last_name = vc_payload.last_name
+        if not email:
+            logger.error("VC Payload missing required 'email' field for authentication.")
+            return None
+
+        try:
+            user = User.objects.get(email=email)
+
+            is_updated = False
+
+            if user.first_name != first_name:
+                user.first_name = first_name
+                is_updated = True
+            if user.last_name != last_name:
+                user.last_name = last_name
+                is_updated = True
+            if is_updated:
+                user.save()
+
+            logger.info(f"Existing user logged in successfully: {email}")
+            return user
+
+        except User.DoesNotExist:
+            try:
+                logger.info(f"User not found. Creating new user: {email}")
+                user = User.objects.create_user(
+                    username=email,
+                    email=email,
+                    first_name=first_name,
+                    last_name=last_name
+                )
+                logger.info(f"New user provisioned: {user.username}")
+                return user
+
+            except IntegrityError:
+                logger.warning(f"Integrity conflict during user creation for {email}.")
+                return None
+            except Exception as e:
+                logger.error(f"Unexpected error during user creation: {e}")
+                return None
+
+
+    def get_user(self, user_id):
+        """Required method for Django session management."""
+        try:
+            return User.objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
\ No newline at end of file
diff --git a/src/wirecloud/commons/utils/conf.py b/src/wirecloud/commons/utils/conf.py
index 53d3bec5c1..82a3a325af 100644
--- a/src/wirecloud/commons/utils/conf.py
+++ b/src/wirecloud/commons/utils/conf.py
@@ -106,6 +106,7 @@ def load_default_wirecloud_conf(settings, instance_type='platform'):
                     'django.contrib.messages.context_processors.messages',
                     'wirecloud.platform.context_processors.plugins',
                     'wirecloud.platform.context_processors.active_theme',
+                    'wirecloud.platform.context_processors.vc_login_context',
                 ),
                 'debug': settings['DEBUG'],
                 'loaders': (
diff --git a/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po b/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po
index 601805e01b..2fa5cefbc3 100644
--- a/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po
+++ b/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po
@@ -389,3 +389,11 @@ msgstr ""
 "                <li>Instalar otra versión del widget y usar la opción "
 "<em>Actualizar/Desactualizar</em></li>\n"
 "            </ul>"
+
+#: templates/registration/login.html:54
+msgid "Use your digital wallet to authenticate with SSO"
+msgstr "Usa tu wallet digital para autenticarte con SSO"
+
+#: templates/registration/login.html:55
+msgid "Sign In with Verificable Credentials"
+msgstr "Iniciar sesión con Credenciales verificables"
\ No newline at end of file
diff --git a/src/wirecloud/defaulttheme/templates/registration/login.html b/src/wirecloud/defaulttheme/templates/registration/login.html
index ed1b8b110a..01513cb308 100644
--- a/src/wirecloud/defaulttheme/templates/registration/login.html
+++ b/src/wirecloud/defaulttheme/templates/registration/login.html
@@ -19,7 +19,6 @@
 
 <body>
     <div style="text-align:center;">
-
         {% with wc_logo_id="123456"|make_list|random %}{% with wc_logo="images/logos/wc"|add:wc_logo_id|add:".png" %}
         <img style="vertical-align: middle; heigth: 250px; width: 416px;" src="{% theme_static wc_logo %}" />
         {% endwith %}{% endwith %}
@@ -42,17 +41,23 @@ <h4>{% trans "Your browser seems to lack some required features" %}</h4>
 
                 {% csrf_token %}
                 <input type="hidden" name="next" value="{{ next }}" />
-                <input type="text" class="se-text-field" style="margin: 3px 0; width: 100%;" name="username" autocapitalize="off" autofocus="autofocus" placeholder="{% trans "Username" %}"/>
+                <input type="text" class="se-text-field" style="margin: 3px 0; width: 100%;" name="username" autocapitalize="off" autofocus="autofocus" placeholder="{% trans 'Username' %}"/>
                 <div style="display: table-row;">
-                    <div style="display: table-cell; width: 100%; padding: 3px 3px 3px 0px;"><input type="password" class="se-password-field" style="width: 100%; margin: 0;" name="password" placeholder="{% trans "Password" %}"/></div>
+                    <div style="display: table-cell; width: 100%; padding: 3px 3px 3px 0px;"><input type="password" class="se-password-field" style="width: 100%; margin: 0;" name="password" placeholder="{% trans 'Password' %}"/></div>
                     <div style="display: table-cell; padding: 3px 0px 3px 3px;"><input class="se-btn btn-primary" style="margin: 0;" type="submit" value="{% trans 'Sign in' %}" /></div>
                 </div>
             </div>
         </div>
         </form>
-
+        <div class="vc-sso-login">
+        {% if VC_LOGIN_ENABLED %}
+            <a href="{{ VC_LOGIN_PATH }}" class="se-btn btn-primary" data-bs-toggle="tooltip" data-bs-placement="top" title="{% trans 'Use your digital wallet to authenticate with SSO' %}">
+                <i class="fas fa-wallet"></i>
+                {% trans 'Sign In with Verificable Credentials' %}
+            </a>
+            </div>
         </div>
-
+        {% endif %}
     </div>
 
     <script type="text/javascript">
diff --git a/src/wirecloud/platform/context_processors.py b/src/wirecloud/platform/context_processors.py
index d1a39b2ad1..bba8e73ad7 100644
--- a/src/wirecloud/platform/context_processors.py
+++ b/src/wirecloud/platform/context_processors.py
@@ -19,7 +19,8 @@
 
 from wirecloud.platform.plugins import get_plugins
 from wirecloud.platform.themes import get_active_theme_name
-
+from django.conf import settings
+from django.urls import reverse
 
 def active_theme(request):
     return {'THEME_ACTIVE': get_active_theme_name()}
@@ -33,3 +34,16 @@ def plugins(request):
         context.update(plugin.get_django_template_context_processors())
 
     return context
+
+def vc_login_context(request):
+
+    vc_enabled = settings.VC_LOGIN_CONFIG['enabled']
+    vc_login_path = ''
+    if vc_enabled:
+        vc_login_path = request.build_absolute_uri(reverse('vc_sso_login'))
+
+    return {
+        'VC_LOGIN_ENABLED': vc_enabled,
+        'VC_LOGIN_PATH': vc_login_path
+
+    }
\ No newline at end of file
diff --git a/src/wirecloud/vc_login/exceptions.py b/src/wirecloud/vc_login/exceptions.py
new file mode 100644
index 0000000000..867304a864
--- /dev/null
+++ b/src/wirecloud/vc_login/exceptions.py
@@ -0,0 +1,25 @@
+class AccessTokenError(Exception):
+    """
+    Exception raised when the access token retrieval or exchange fails
+    (e.g., connection error, HTTP 4xx/5xx error from the verifier server).
+    """
+    def __init__(self, message, status_code=500):
+        super().__init__(message)
+        self.status_code = status_code
+        self.message = message
+
+    def __str__(self):
+        return f"AccessTokenError [{self.status_code}]: {self.message}"
+
+
+class TokenVerificationError(Exception):
+    """
+    Exception raised when the token (JWT) is invalid or cannot be verified
+    (e.g., invalid signature, token expiration, incorrect format).
+    """
+    def __init__(self, message):
+        super().__init__(message)
+        self.message = message
+
+    def __str__(self):
+        return f"TokenVerificationError: {self.message}"
\ No newline at end of file
diff --git a/src/wirecloud/vc_login/vc_login.py b/src/wirecloud/vc_login/vc_login.py
new file mode 100644
index 0000000000..2a49673c9a
--- /dev/null
+++ b/src/wirecloud/vc_login/vc_login.py
@@ -0,0 +1,172 @@
+import logging
+import requests
+from django.conf import settings
+from jose import jwt, exceptions
+from .exceptions import AccessTokenError, TokenVerificationError
+from .vc_payload import VCPayload
+
+class VCLogin:
+    """
+    Utility class for the Verifiable Credential (VC) login flow.
+    Reads configuration directly from django.conf.settings.
+    """
+
+    # --- Internal Utility Function to get Configuration ---
+    @staticmethod
+    def _get_config():
+        """Reads and returns the VC login settings dictionary from Django settings."""
+        return settings.VC_LOGIN_CONFIG
+
+    # --- Auxiliary Static Methods ---
+
+    @staticmethod
+    def _verify_jwk(token, jwks_data):
+        """
+        Verifies the signature and validity of a JWT token using a JWKS dictionary.
+        Raises TokenVerificationError on failure.
+        """
+        try:
+            payload = jwt.decode(
+                token,
+                key=jwks_data,
+                options={
+                    "verify_aud": False
+                }
+            )
+            return payload
+
+        except exceptions.ExpiredSignatureError:
+            logging.error("Token expired")
+            raise TokenVerificationError("Token expired")
+        except exceptions.JWTError as e:
+            logging.error(f"Invalid token: {e}")
+            raise TokenVerificationError("Invalid token")
+
+    @staticmethod
+    def _make_token_request(params):
+        """Performs the POST request to exchange the authorization code for tokens."""
+        logging.info('Making token request to verifier')
+        config = VCLogin._get_config()
+
+        try:
+            # Construct the token endpoint URL
+            url = f"{config['verifier_host']}{config['verifier_token_path']}"
+            logging.info(f"Getting token from {url}")
+            response = requests.post(url, data=params)
+
+            # Raises an exception for 4xx or 5xx status codes
+            response.raise_for_status()
+
+            logging.info(f"Token response: {response.status_code}")
+            data = response.json()
+
+            access_token = data.get('access_token')
+            # Fallback to access_token if refresh_token is missing
+            refresh_token = data.get('refresh_token') or access_token
+
+            logging.info('Token info successfully parsed')
+            return {
+                "access_token": access_token,
+                "refresh_token": refresh_token
+            }
+
+        except requests.exceptions.HTTPError as err:
+            # Catch HTTP errors (4xx, 5xx)
+            status_code = err.response.status_code
+            reason = err.response.json()
+            print(f"Error getting access token from the verifier (Status: {status_code}\n Message: {reason})")
+            raise AccessTokenError('Failed to obtain access token', status_code)
+
+        except requests.exceptions.RequestException as err:
+            # Catch connection errors (DNS, timeouts, etc.)
+            print(err)
+            raise AccessTokenError('Failed to obtain access token (Connection Error)', 500)
+
+
+    # --- Public Static Methods ---
+
+    @staticmethod
+    def _verify_token(access_token):
+        """Verifies the JWT signature and returns the payload if valid."""
+        config = VCLogin._get_config()
+
+        logging.info(f"Verify access token: {access_token[:10]}...")
+        try:
+            # 1. Get JWKS endpoint URL and fetch keys
+            url = f"{config['verifier_host']}{config['verifier_jwks_path']}"
+            logging.debug(f"Requesting JWKS from '{url}'")
+            response = requests.get(url)
+            response.raise_for_status()
+
+            jwks = response.json()
+
+            try:
+                # 2. Verify token using JWKS
+                payload = VCLogin._verify_jwk(access_token, jwks)
+
+                logging.info('Token verified')
+                return payload
+
+            except TokenVerificationError as err:
+                # Catch specific JOSE errors handled by _verify_jwk
+                logging.error(f'Token verification failed: {err}')
+                return None
+
+        except requests.exceptions.HTTPError as err:
+            status_code = err.response.status_code
+            print(f'Error Accessing JWSK endpoint (Status: {status_code})')
+            return None
+
+        except requests.exceptions.RequestException as err:
+            print('Exception Accessing JWSK endpoint')
+            print(err)
+            return None
+
+        except Exception as err:
+            print('General exception during verification')
+            print(err)
+            return None
+
+
+    @staticmethod
+
+    def login(code, redirect_uri) -> VCPayload:
+        logging.info("Requesting a new token using provided code")
+        params = {
+            'code': code,
+            'grant_type': 'authorization_code',
+            'redirect_uri': redirect_uri
+        }
+        token_info = VCLogin._make_token_request(params)
+
+        return VCLogin._load_user_profile(token_info['access_token'], token_info['refresh_token'])
+
+    @staticmethod
+    def _load_user_profile(access_token, refresh_token) -> VCPayload:
+        """Loads the user profile data from the verified Verifiable Credential payload."""
+
+        # Call static method to verify and get payload
+        payload = VCLogin._verify_token(access_token)
+
+        if payload is None:
+            logging.error("Payload is empty or verification failed")
+            return VCPayload(None, refresh_token=refresh_token)
+
+        vc = payload.get('verifiableCredential')
+        if not vc:
+            logging.warning("Payload is not a verifiableCredential type")
+            return VCPayload(None, refresh_token=refresh_token)
+
+        # Check for specific credential type and extract fields
+        if vc['type'] == 'LegalPersonCredential':
+            logging.info("VC is type LegalPersonCredential. Extracting subject claims.")
+            subject = vc['credentialSubject']
+            return VCPayload(
+                subject.get('email'),
+                first_name=subject.get('firstName', ''),
+                last_name=subject.get('lastName', ''),
+                type=vc['type'],
+                roles=subject.get('roles'))
+        else:
+            logging.warning(f"Not supported VC type: {vc['type']}")
+            return VCPayload(None, refresh_token=refresh_token)
\ No newline at end of file
diff --git a/src/wirecloud/vc_login/vc_payload.py b/src/wirecloud/vc_login/vc_payload.py
new file mode 100644
index 0000000000..004f0722e4
--- /dev/null
+++ b/src/wirecloud/vc_login/vc_payload.py
@@ -0,0 +1,16 @@
+class VCPayload:
+
+    def __init__(
+            self, email,
+            first_name='',
+            last_name='',
+            refresh_token='',
+            roles=[],
+            type=''):
+
+        self.email = email
+        self.first_name = first_name
+        self.last_name = last_name
+        self.refresh_token=refresh_token
+        self.roles = roles
+        self.type = type
diff --git a/src/wirecloud/vc_login/views.py b/src/wirecloud/vc_login/views.py
new file mode 100644
index 0000000000..601018cc23
--- /dev/null
+++ b/src/wirecloud/vc_login/views.py
@@ -0,0 +1,80 @@
+import uuid
+from urllib.parse import quote
+
+from django.shortcuts import redirect
+from django.contrib.auth import authenticate, login
+from django.http import HttpResponse
+from django.views.decorators.http import require_http_methods
+from django.urls import reverse
+from django.conf import settings
+
+from .vc_login import VCLogin
+from .exceptions import AccessTokenError, TokenVerificationError
+
+@require_http_methods(["GET"])
+def vc_sso_login(request):
+
+    try:
+        redirect_uri = request.build_absolute_uri(reverse('vc_sso_callback'))
+        state = str(uuid.uuid4())
+        nonce = str(uuid.uuid4())
+        scope = quote(settings.VC_LOGIN_CONFIG['scope'])
+        url = f"{settings.VC_LOGIN_CONFIG['verifier_host']}{settings.VC_LOGIN_CONFIG['verifier_qr_path']}"
+        sso_url = (
+            f"{url}?"
+            f"client_id={settings.VC_LOGIN_CONFIG['client_id']}&"
+            f"redirect_uri={redirect_uri}&"
+            f"scope={scope}&"
+            f"state={state}&"
+            f"nonce={nonce}&"
+            "response_type=code"
+        )
+
+        return redirect(sso_url)
+
+    except Exception as e:
+        return HttpResponse(f"Error al iniciar el flujo de login: {e}", status=500)
+
+@require_http_methods(["GET"])
+def vc_sso_callback(request):
+    """
+    Step 2: Receives the request from the VC provider, validates the code/token,
+            and starts the Django session.
+    """
+    code = request.GET.get('code')
+
+    if not code:
+        error = request.GET.get('error', 'Code not received.')
+        return HttpResponse(f"SSO Error: {error}", status=400)
+
+    try:
+        redirect_uri = request.build_absolute_uri(reverse('vc_sso_callback'))
+        vc_payload = VCLogin.login(code, redirect_uri)
+
+        if not vc_payload:
+            return HttpResponse("VC Validation failed: Empty Payload.", status=403)
+
+        # Authenticate using the Custom Django Backend
+        # The backend (VerifiableCredentialBackend) uses 'vc_payload' to find,
+        # update, or create the User object.
+        user = authenticate(request, vc_payload=vc_payload)
+
+        if user is not None:
+            login(request, user)
+            # TODO must be reviewed
+            return redirect('/')
+        else:
+            # If authenticate returned None, user provisioning or identification failed.
+            return HttpResponse("Authentication failed: User not found or created.", status=403)
+
+    except AccessTokenError as e:
+        # Catch errors related to network failures or server-side token rejection
+        return HttpResponse(f"Token exchange failed: {e.message}", status=e.status_code)
+
+    except TokenVerificationError as e:
+        # Catch errors related to signature failure, token expiration, etc.
+        return HttpResponse(f"Token verification failed: {e.message}", status=403)
+
+    except Exception as e:
+        # Catch unexpected errors during the process
+        return HttpResponse(f"Error in the callback process: {e}", status=500)
\ No newline at end of file

From 039503e3729b8a84a13be9a65ac7658a18f07c46 Mon Sep 17 00:00:00 2001
From: Miguel Ortega <miguel.ortega@seamware.com>
Date: Mon, 19 Jan 2026 11:45:07 +0100
Subject: [PATCH 2/5] assign roles to VC user when login

---
 src/wirecloud/backends/vc_backend.py | 32 ++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/wirecloud/backends/vc_backend.py b/src/wirecloud/backends/vc_backend.py
index da0c4163be..27d34e52fa 100644
--- a/src/wirecloud/backends/vc_backend.py
+++ b/src/wirecloud/backends/vc_backend.py
@@ -3,6 +3,9 @@
 from django.db import IntegrityError
 import logging
 from wirecloud.vc_login.vc_payload import VCPayload
+from django.contrib.auth.models import Group, AbstractUser
+from django.conf import settings
+
 # Get the active User model (handles custom user models)
 User = get_user_model()
 logger = logging.getLogger(__name__)
@@ -24,6 +27,8 @@ def authenticate(self, request, vc_payload: VCPayload = None, **kwargs):
         email = vc_payload.email
         first_name = vc_payload.first_name
         last_name = vc_payload.last_name
+        user = None
+        roles = self._get_roles(vc_payload)
         if not email:
             logger.error("VC Payload missing required 'email' field for authentication.")
             return None
@@ -43,7 +48,6 @@ def authenticate(self, request, vc_payload: VCPayload = None, **kwargs):
                 user.save()
 
             logger.info(f"Existing user logged in successfully: {email}")
-            return user
 
         except User.DoesNotExist:
             try:
@@ -55,7 +59,6 @@ def authenticate(self, request, vc_payload: VCPayload = None, **kwargs):
                     last_name=last_name
                 )
                 logger.info(f"New user provisioned: {user.username}")
-                return user
 
             except IntegrityError:
                 logger.warning(f"Integrity conflict during user creation for {email}.")
@@ -63,11 +66,32 @@ def authenticate(self, request, vc_payload: VCPayload = None, **kwargs):
             except Exception as e:
                 logger.error(f"Unexpected error during user creation: {e}")
                 return None
-
+        logger.info("User logged. Assign roles")
+        self._assign_roles(roles, user)
+        return user
 
     def get_user(self, user_id):
         """Required method for Django session management."""
         try:
             return User.objects.get(pk=user_id)
         except User.DoesNotExist:
-            return None
\ No newline at end of file
+           return None
+
+    def get_groups(self, groups):
+        return Group.objects.filter(name__in=groups)
+
+    def _assign_roles(self, user_roles, user: AbstractUser):
+        logger.info(f"User roles: {user_roles}")
+        allowed_groups = self.get_groups(user_roles)
+        if not allowed_groups:
+            logger.info("No allowed groups")
+            return
+        groups_to_add = allowed_groups.exclude(id__in=user.groups.values_list('id', flat=True))
+        if groups_to_add.exists():
+            groups = ", ".join([g.name for g in groups_to_add])
+            logger.info(f"Add user '{user.username}' to groups: {groups}")
+            user.groups.add(*groups_to_add)
+
+    def _get_roles(self, vc_payload: VCPayload):
+        client_id = settings.VC_LOGIN_CONFIG['client_id']
+        return next((role['names'] for role in vc_payload.roles if role['target'] == client_id), [])
\ No newline at end of file

From 3febd04ffab217eec9f3f5e03400513b146cd83e Mon Sep 17 00:00:00 2001
From: Miguel Ortega <miguel.ortega@seamware.com>
Date: Mon, 19 Jan 2026 11:53:34 +0100
Subject: [PATCH 3/5] add role_target and credential_type parameters

---
 docker-platform/settings.py          | 14 +++++++++++++-
 src/settings.py                      | 10 ++++++----
 src/wirecloud/backends/vc_backend.py |  2 +-
 src/wirecloud/vc_login/vc_login.py   |  5 +++--
 src/wirecloud/vc_login/views.py      |  6 ++----
 5 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/docker-platform/settings.py b/docker-platform/settings.py
index 297e4f3570..0739f7e929 100644
--- a/docker-platform/settings.py
+++ b/docker-platform/settings.py
@@ -333,4 +333,16 @@
 
 from wirecloud.glogger import config as LOGGING
 
-# MIDDLEWARE = ('django.middleware.gzip.GZipMiddleware',) + MIDDLEWARE
\ No newline at end of file
+# MIDDLEWARE = ('django.middleware.gzip.GZipMiddleware',) + MIDDLEWARE
+
+VC_LOGIN_CONFIG = {
+    'enabled': os.environ.get('VC_LOGIN_ENABLED', 'False').lower() in ('true', 'yes', 't'),
+    'verifier_host': os.environ.get('VC_VERIFIER_HOST'),
+    'verifier_qr_path': os.environ.get('VC_VERIFIER_QR_PATH', '/api/v2/loginQR'),
+    'verifier_token_path': os.environ.get('VC_VERIFIER_TOKEN_PATH', '/token'),
+    'verifier_jwks_path': os.environ.get('VC_VERIFIER_JWKS_PATH', '/.well-known/jwks'),
+    'client_id': os.environ.get('VC_CLIENT_ID'),
+    'scope': os.environ.get('VC_SCOPE', 'openid learcredential'),
+    'role_target': os.environ.get('VC_ROLE_TARGET'),
+    'credential_type': os.environ.get('VC_CREDENTIAL_TYPE', 'LegalPersonCredential'),
+}
\ No newline at end of file
diff --git a/src/settings.py b/src/settings.py
index 2b7ef24c90..6a4716408e 100644
--- a/src/settings.py
+++ b/src/settings.py
@@ -172,13 +172,15 @@
 
 
 VC_LOGIN_CONFIG = {
-    'enabled': environ.get('VC_LOGIN_ENABLED', 'True').lower() in ('true', 'yes', 't'),
-    'verifier_host': environ.get('VC_VERIFIER_HOST', 'https://verifier.seamware.io'),
+    'enabled': environ.get('VC_LOGIN_ENABLED', 'False').lower() in ('true', 'yes', 't'),
+    'verifier_host': environ.get('VC_VERIFIER_HOST'),
     'verifier_qr_path': environ.get('VC_VERIFIER_QR_PATH', '/api/v2/loginQR'),
     'verifier_token_path': environ.get('VC_VERIFIER_TOKEN_PATH', '/token'),
     'verifier_jwks_path': environ.get('VC_VERIFIER_JWKS_PATH', '/.well-known/jwks'),
-    'client_id': environ.get('VC_CLIENT_ID', 'did:web:did-producer.seamware.io:did'),
-    'scope': environ.get('VC_SCOPE', 'openid learcredential')
+    'client_id': environ.get('VC_CLIENT_ID'),
+    'scope': environ.get('VC_SCOPE', 'openid learcredential'),
+    'role_target': environ.get('VC_ROLE_TARGET'),
+    'credential_type': environ.get('VC_CREDENTIAL_TYPE', 'LegalPersonCredential'),
 }
 
 if VC_LOGIN_CONFIG['enabled']:
diff --git a/src/wirecloud/backends/vc_backend.py b/src/wirecloud/backends/vc_backend.py
index 27d34e52fa..2b9724bc5a 100644
--- a/src/wirecloud/backends/vc_backend.py
+++ b/src/wirecloud/backends/vc_backend.py
@@ -93,5 +93,5 @@ def _assign_roles(self, user_roles, user: AbstractUser):
             user.groups.add(*groups_to_add)
 
     def _get_roles(self, vc_payload: VCPayload):
-        client_id = settings.VC_LOGIN_CONFIG['client_id']
+        client_id = settings.VC_LOGIN_CONFIG['role_target']
         return next((role['names'] for role in vc_payload.roles if role['target'] == client_id), [])
\ No newline at end of file
diff --git a/src/wirecloud/vc_login/vc_login.py b/src/wirecloud/vc_login/vc_login.py
index 2a49673c9a..802c07a27b 100644
--- a/src/wirecloud/vc_login/vc_login.py
+++ b/src/wirecloud/vc_login/vc_login.py
@@ -145,6 +145,7 @@ def login(code, redirect_uri) -> VCPayload:
     def _load_user_profile(access_token, refresh_token) -> VCPayload:
         """Loads the user profile data from the verified Verifiable Credential payload."""
 
+        credential_Type = settings.VC_LOGIN_CONFIG['credential_type']
         # Call static method to verify and get payload
         payload = VCLogin._verify_token(access_token)
 
@@ -158,8 +159,8 @@ def _load_user_profile(access_token, refresh_token) -> VCPayload:
             return VCPayload(None, refresh_token=refresh_token)
 
         # Check for specific credential type and extract fields
-        if vc['type'] == 'LegalPersonCredential':
-            logging.info("VC is type LegalPersonCredential. Extracting subject claims.")
+        if vc['type'] == credential_Type:
+            logging.info(f"VC is type {credential_Type}. Extracting subject claims.")
             subject = vc['credentialSubject']
             return VCPayload(
                 subject.get('email'),
diff --git a/src/wirecloud/vc_login/views.py b/src/wirecloud/vc_login/views.py
index 601018cc23..61fa1278a3 100644
--- a/src/wirecloud/vc_login/views.py
+++ b/src/wirecloud/vc_login/views.py
@@ -52,7 +52,7 @@ def vc_sso_callback(request):
         vc_payload = VCLogin.login(code, redirect_uri)
 
         if not vc_payload:
-            return HttpResponse("VC Validation failed: Empty Payload.", status=403)
+            return redirect("/login?error=403001")
 
         # Authenticate using the Custom Django Backend
         # The backend (VerifiableCredentialBackend) uses 'vc_payload' to find,
@@ -61,11 +61,9 @@ def vc_sso_callback(request):
 
         if user is not None:
             login(request, user)
-            # TODO must be reviewed
             return redirect('/')
         else:
-            # If authenticate returned None, user provisioning or identification failed.
-            return HttpResponse("Authentication failed: User not found or created.", status=403)
+            return redirect("/login?error=403002")
 
     except AccessTokenError as e:
         # Catch errors related to network failures or server-side token rejection

From b094f6ced4dbac73d082780b559c25f7ff0481e6 Mon Sep 17 00:00:00 2001
From: Miguel Ortega <miguel.ortega@seamware.com>
Date: Mon, 19 Jan 2026 11:54:42 +0100
Subject: [PATCH 4/5] allow empty roles

---
 src/wirecloud/backends/vc_backend.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/wirecloud/backends/vc_backend.py b/src/wirecloud/backends/vc_backend.py
index 2b9724bc5a..0d4a689930 100644
--- a/src/wirecloud/backends/vc_backend.py
+++ b/src/wirecloud/backends/vc_backend.py
@@ -94,4 +94,6 @@ def _assign_roles(self, user_roles, user: AbstractUser):
 
     def _get_roles(self, vc_payload: VCPayload):
         client_id = settings.VC_LOGIN_CONFIG['role_target']
+        if not vc_payload.roles:
+            return []
         return next((role['names'] for role in vc_payload.roles if role['target'] == client_id), [])
\ No newline at end of file

From 52626ff0c1eac75bd8080a2be43da6443b220435 Mon Sep 17 00:00:00 2001
From: Miguel Ortega <miguel.ortega@seamware.com>
Date: Mon, 19 Jan 2026 12:01:46 +0100
Subject: [PATCH 5/5] update login view to allow VC login

---
 .../locale/es/LC_MESSAGES/django.po           |  16 +++
 .../static/css/wirecloud_core.scss            |   2 +-
 .../templates/registration/login.html         | 105 +++++++++++-------
 3 files changed, 81 insertions(+), 42 deletions(-)

diff --git a/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po b/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po
index 2fa5cefbc3..1c7a0bbf8c 100644
--- a/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po
+++ b/src/wirecloud/defaulttheme/locale/es/LC_MESSAGES/django.po
@@ -119,6 +119,22 @@ msgstr "Contraseña"
 msgid "Sign in"
 msgstr "Iniciar sessión"
 
+#: templates/registration/login.html:61
+msgid "Sign In with Verifiable Credentials"
+msgstr "Iniciar sesión con Credenciales Verificables"
+
+#: templates/registration/login.html:67
+msgid "Invalid Verifiable Credential"
+msgstr "Credenciales Verificables invalidas"
+
+#: templates/registration/login.html:69
+msgid "Unable to login using Verifiable Credentials"
+msgstr "No se pudo loguear usando Credenciales Verificables"
+
+#: templates/registration/login.html:71
+msgid "An unexpected error has occurred. Please try again later"
+msgstr "Error inexperado. Por favor, intentelo más tarde"
+
 #: templates/wirecloud/catalogue/main_resource_details.html:3
 msgid "Description"
 msgstr "Descripción"
diff --git a/src/wirecloud/defaulttheme/static/css/wirecloud_core.scss b/src/wirecloud/defaulttheme/static/css/wirecloud_core.scss
index cb4e40f420..cc9816c5dc 100644
--- a/src/wirecloud/defaulttheme/static/css/wirecloud_core.scss
+++ b/src/wirecloud/defaulttheme/static/css/wirecloud_core.scss
@@ -124,4 +124,4 @@ body {
     height: 20px;
     background: url("../images/logos/wc1-mini.png");
     background-size: 33px 20px;
-}
+}
\ No newline at end of file
diff --git a/src/wirecloud/defaulttheme/templates/registration/login.html b/src/wirecloud/defaulttheme/templates/registration/login.html
index 01513cb308..d4bf29a267 100644
--- a/src/wirecloud/defaulttheme/templates/registration/login.html
+++ b/src/wirecloud/defaulttheme/templates/registration/login.html
@@ -1,20 +1,18 @@
 {% load compress i18n wirecloudtags %}{% load static from staticfiles %}
 <!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml"
-      xml:lang="{{ LANGUAGE_CODE }}"
-      lang="{{ LANGUAGE_CODE }}">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="{{ LANGUAGE_CODE }}" lang="{{ LANGUAGE_CODE }}">
 
 <head>
     <title>{% trans "WireCloud Platform - Sign in" %}</title>
     <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
-    <link rel="shortcut icon" type="image/x-icon" href="{% theme_static "images/favicon.ico" %}" />
+    <link rel="shortcut icon" type="image/x-icon" href="{% theme_static " images/favicon.ico" %}" />
     {% compress css %}
     {% platform_css "index" %}
     {% endcompress %}
     <script type="text/javascript">
         var Wirecloud = {};
     </script>
-    <script type="text/javascript" src="{% static "js/wirecloud/BaseRequirements.js" %}"></script>
+    <script type="text/javascript" src="{% static " js/wirecloud/BaseRequirements.js" %}"></script>
 </head>
 
 <body>
@@ -25,47 +23,72 @@
 
         <div style="display: inline-block; vertical-align:middle; margin: 4ex 10ex; width: 400px;">
 
-        <div id="unsupported-browser-msg" class="alert alert-error" style="display: none; text-align: left;">
-            <h4>{% trans "Your browser seems to lack some required features" %}</h4>
-            <p>{% blocktrans %}We recommend you to upgrade your browser to the newest version of either <a href="https://www.mozilla.org/firefox">Firefox</a> or <a href="https://www.google.com/chrome">Google Chrome</a> as these are the browsers currently supported by WireCloud.{% endblocktrans %}</p>
-        </div>
+            <div id="unsupported-browser-msg" class="alert alert-error" style="display: none; text-align: left;">
+                <h4>{% trans "Your browser seems to lack some required features" %}</h4>
+                <p>{% blocktrans %}We recommend you to upgrade your browser to the newest version of either <a
+                        href="https://www.mozilla.org/firefox">Firefox</a> or <a
+                        href="https://www.google.com/chrome">Google Chrome</a> as these are the browsers currently
+                    supported by WireCloud.{% endblocktrans %}</p>
+            </div>
 
-        <form style="text-align: left; width: 400px" id="wc-login-form" method="post">
-        <div class="panel panel-default">
+            <form style="text-align: left; width: 400px" id="wc-login-form" method="post">
+                <div class="panel panel-default">
 
-            <div class="panel-heading">
+                    <div class="panel-heading">
 
-                {% if form.errors %}
-                <div class="alert alert-danger">{% blocktrans %}<h4>Your username and password didn't match.</h4><p>Please try again.</p>{% endblocktrans %}</div>
-                {% endif %}
+                        {% if form.errors %}
+                        <div class="alert alert-danger">{% blocktrans %}<h4>Your username and password didn't match.
+                            </h4>
+                            <p>Please try again.</p>{% endblocktrans %}
+                        </div>
+                        {% endif %}
 
-                {% csrf_token %}
-                <input type="hidden" name="next" value="{{ next }}" />
-                <input type="text" class="se-text-field" style="margin: 3px 0; width: 100%;" name="username" autocapitalize="off" autofocus="autofocus" placeholder="{% trans 'Username' %}"/>
-                <div style="display: table-row;">
-                    <div style="display: table-cell; width: 100%; padding: 3px 3px 3px 0px;"><input type="password" class="se-password-field" style="width: 100%; margin: 0;" name="password" placeholder="{% trans 'Password' %}"/></div>
-                    <div style="display: table-cell; padding: 3px 0px 3px 3px;"><input class="se-btn btn-primary" style="margin: 0;" type="submit" value="{% trans 'Sign in' %}" /></div>
+                        {% csrf_token %}
+                        <input type="hidden" name="next" value="{{ next }}" />
+                        <input type="text" class="se-text-field" style="margin: 3px 0; width: 100%;" name="username"
+                            autocapitalize="off" autofocus="autofocus" placeholder="{% trans 'Username' %}" />
+                        <div style="display: table-row;">
+                            <div style="display: table-cell; width: 100%; padding: 3px 3px 3px 0px;"><input
+                                    type="password" class="se-password-field" style="width: 100%; margin: 0;"
+                                    name="password" placeholder="{% trans 'Password' %}" /></div>
+                            <div style="display: table-cell; padding: 3px 0px 3px 3px;"><input
+                                    class="se-btn btn-primary" style="margin: 0;" type="submit"
+                                    value="{% trans 'Sign in' %}" /></div>
+                        </div>
+                    </div>
                 </div>
+            </form>
+            <div class="vc-sso-login">
+                {% if VC_LOGIN_ENABLED %}
+                <hr />
+                <div class="flex items-center justify-center">
+                    <a href="{{ VC_LOGIN_PATH }}" class="se-btn btn-primary" data-bs-toggle="tooltip" data-bs-placement="top" title="{% trans 'Use your digital wallet to authenticate with SSO' %}">
+                        <i class="fas fa-wallet"></i>
+                        {% trans 'Sign In with Verificable Credentials' %}
+                    </a>
+                </div>
+                {% if request.GET.error %}
+                <div class="alert alert-danger my-3">
+                    {% if request.GET.error == "403001" %}
+                    {% trans 'Invalid Verifiable Credential' %}
+                    {% elif request.GET.error == "403002" %}
+                    {% trans 'Unable to login using Verifiable Credentials' %}
+                    {% else %}
+                    {% trans 'An unexpected error has occurred. Please try again later' %}
+                    {% endif %}
+                </div>
+                {% endif %}
+                {% endif %}
+                </form>
             </div>
-        </div>
-        </form>
-        <div class="vc-sso-login">
-        {% if VC_LOGIN_ENABLED %}
-            <a href="{{ VC_LOGIN_PATH }}" class="se-btn btn-primary" data-bs-toggle="tooltip" data-bs-placement="top" title="{% trans 'Use your digital wallet to authenticate with SSO' %}">
-                <i class="fas fa-wallet"></i>
-                {% trans 'Sign In with Verificable Credentials' %}
-            </a>
-            </div>
-        </div>
-        {% endif %}
-    </div>
 
-    <script type="text/javascript">
-        try {
-            Wirecloud.check_basic_requirements();
-        } catch (e) {
-            document.getElementById('unsupported-browser-msg').style.display = "";
-        }
-    </script>
+            <script type="text/javascript">
+                try {
+                    Wirecloud.check_basic_requirements();
+                } catch (e) {
+                    document.getElementById('unsupported-browser-msg').style.display = "";
+                }
+            </script>
 </body>
-</html>
+
+</html>
\ No newline at end of file