diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 00000000..feab560a Binary files /dev/null and b/.DS_Store differ diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 198af1b2..c977cd96 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -1140,6 +1140,9 @@ Additional, more complex examples can be found in (#more_dcql_query_examples). A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request). +The Wallet MUST return a VP Token only if the set of Presentations represented +by the VP Token satisfies the requirements of the DCQL query according to (#dcql_query_lang_processing_rules). + A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details. If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2]. 
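Review bot: the `.DS_Store` binary added at the top of this patch (`new file mode 100644`, `Binary files /dev/null and b/.DS_Store differ`) is macOS Finder metadata and should not be committed; drop it from the change and add `.DS_Store` to `.gitignore` so it does not come back. On the added paragraph itself, the requirement is phrased solely as a Wallet obligation ("The Wallet MUST return a VP Token only if the set of Presentations ... satisfies the requirements of the DCQL query"). A Verifier cannot rely on Wallet compliance, so consider pairing it with the Verifier-side statement that a VP Token whose Presentations do not satisfy the DCQL query per (#dcql_query_lang_processing_rules) MUST be rejected; otherwise the sentence adds a conformance requirement without giving the relying party anything to enforce. Minor: the preceding unchanged sentence references `#vp_token_request` without the parenthesised anchor form `(#vp_token_request)` used everywhere else, which would be worth fixing while this paragraph is being touched.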
@@ -1161,8 +1164,27 @@ The behavior with respect to the VP Token is unspecified for any other individua When a VP Token is returned, the respective response includes the following parameters: + `vp_token`: -: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations. +: REQUIRED. A JSON-encoded object subject to the following requirements: + + * Each key MUST be the `id` of a Credential Query in the DCQL query. + + * Each value MUST be an array containing one or more Presentations matching + the corresponding Credential Query. + + * When `multiple` is omitted or set to `false`, the array MUST contain exactly + one Presentation. + + * The object MUST NOT contain an entry for an optional Credential Query when + there are no matching Credentials for that Credential Query. + + * Each Presentation MUST be encoded as a string or object according to + (#format_specific_parameters). + + * The object MAY be empty only if the DCQL query can be satisfied without + returning any Presentation according to + (#dcql_query_lang_processing_rules). Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications. 
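Review bot: the last bullet, "The object MAY be empty only if the DCQL query can be satisfied without returning any Presentation", mixes a permission keyword with a restriction; "MAY ... only if" is not a defined RFC 2119 construction and leaves it ambiguous whether an empty object in any other situation is non-conformant. Since the changelog describes this as clarifying that an empty object cannot signal an error, state it as the prohibition you mean, e.g. "The object MUST NOT be empty unless the DCQL query can be satisfied without returning any Presentation according to (#dcql_query_lang_processing_rules). An empty object MUST NOT be used to signal an error." Two further points on this hunk: the removed line ended with "The same rules as above apply for encoding the Presentations." and no bullet carries that sentence forward, so either confirm the drop is intentional or fold it into the "Each Presentation MUST be encoded as a string or object according to (#format_specific_parameters)" bullet; and the bullets "Each value MUST be an array containing one or more Presentations" and "the array MUST contain exactly one Presentation" should be read together by an implementer, so it may be clearer to fold the `multiple` case into the preceding bullet rather than state the general rule and then narrow it.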
@@ -3665,3 +3687,5 @@ The technology described in this specification was made available from contribut * Clarified that Multi-RP-sig section means Verifier Info instead of attestations * Updated origin examples to remove trailing slash * Clarified that request_uri_method is a case-sensitive string + * Clarify that empty objects in VP Tokens cannot be used to signify an error response + * Editorial improvement of the `vp_token` section
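Review bot: the two new changelog entries do not match the tense of the surrounding entries ("Clarified that ...", "Updated origin examples ...", "Clarified that request_uri_method ..."); change "Clarify that empty objects ..." to "Clarified that empty objects ..." and "Editorial improvement of the `vp_token` section" to something in the same form, e.g. "Reworked the `vp_token` parameter description into a list". The first entry also claims the text now says an empty object cannot be used to signify an error response, but the body change in the hunk above only states when the object MAY be empty and never mentions error responses; either the changelog should describe what was actually added, or the body text should carry the explicit error-response statement the changelog promises. Finally, the Wallet MUST added in the first hunk of this file is a normative addition and deserves its own changelog line rather than being covered by "Editorial improvement".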