From 0daaeccbc29a9ce417b48e204871da4f0a246bb1 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Thu, 18 Jun 2026 18:20:04 +0100 Subject: [PATCH] fix: fixes #743 --- .DS_Store | Bin 0 -> 8196 bytes 1.1/openid-4-verifiable-presentations-1_1.md | 26 ++++++++++++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..feab560ac2801dee5afe3fb1bacfff1789527783 GIT binary patch literal 8196 zcmeHMZEO@p7@l`qU{+kZ{QwFqu=E5$3S3Jo-{#sYgo3oSSLn3`j@`QzR`zzw?cN;% zl^Tta;76j-82tDp@hjn%AD}VOpwS;{3|5Tsk6$q{{xH$_@dJ$S?Cc>NHZjH+8+VeO zcjldWXXbt9d3JB+2qDm(&omKIPY9v-Fey*P>`xMFXU|nh2sD)_0qu!9tXqzbwKMwg zRlP$+7=bVXVFbbmgb@fM@Lz}kezRGk<9zpdYnX=-2qW;ni~xH-sQ54$3*;!5{;LBs z{|JDR9Rd7=WtkOFs)39Ja+FJK!35kCB{zlOhymOj^=i;B7RXU9xjBL0@BzWh5S&oJ zpB=|n{q6)}T!wiVfiMDBM}X0%f;5rkq)9Jcetx%1*NaBagHTa9Y4Q|0g-)fr68oHD z!qdFG+pgt?Sgp@-EWK3L^c|*AOv!a|$M!VSHgdj!nK7`-&VJL*IK_4+Z)aTJHo+UH zNX3*q>+s>`RnbOua=F1^OoirZI+cV4;k*DcCgPl=&>?0Oy?ZS>Tz6?jX03> z#%oFrx=zlE`{Sl$Iqw?11`cZ$j1C;!O`1468?&y=PY_R4)vF7aEMK{LL))e;UA<#+ zbxm#EbV(Y-sM?-+t7+u67tM^fZ$NX?hMh6(z5NB#HFeAAv$d>I4UM8WHf#1AS(&TM zFEy2$P&q=AdEGpaH@(}(YO8BxsX@6;lwYDdGq}KQPKM2t@mrJzWih2gOdrn~m~*wX zR9Pm<8trq@4?aXxY8GWz?Awo!;HIt8Dk^8h?Utq+7FVs6)>C<_*k9n=!Ijgc7!{Lg zC!0klU9O8O8>##*-OVPxS#!PaVZ$yhDXw%!xMybEQsAnb{Gp6U{ zcr+T6TPPi1gSBNcIF3Af&a6bAqTu$JcELpWSVgnO_Myhf0B!8M@p`Z&B(H+OE{vQ^qP5qbA%6=&Lvne_`6 zEseIWxvBjU9yxqVh`pQ%KKQSoj1PVvAmzYCPAYTfN$PfFhjFl+ktL?eQy7CO!>rN} zkyLpS@`qQiUyRks$Q@p7T&AkBfRyFcre;-=E0B;r`;{A)VHJYP+I5m7S0XjVF$G~S z&6CI~)4h+Kq zI0Q%F4mgUSKL*F)es};Lgva0nJONL_QwaIz;CXlfUWAts_Gb|IXW=b)8{UBr;T(*? z$8g>!z_;)N`~tt0LAt99(hTYWqzj3hZ8`Q{)RYKtW#@@mtKiG7XXpQoJOy|N? zhY<)P@RuS0l^uzWcI-Od%Z;72Rebi~!xHN^%B63D*%cQ7Sikg#A(mC_%4}kR9OV)< anEv&P0RJcX-~Zhme*eSozYp9Ap8XDoJAVWK literal 0 HcmV?d00001 diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 198af1b2..c977cd96 100644 
--- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -1140,6 +1140,9 @@ Additional, more complex examples can be found in (#more_dcql_query_examples). A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request). +The Wallet MUST return a VP Token only if the set of Presentations represented +by the VP Token satisfies the requirements of the DCQL query according to (#dcql_query_lang_processing_rules). + A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details. If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2]. 
@@ -1161,8 +1164,27 @@ The behavior with respect to the VP Token is unspecified for any other individua When a VP Token is returned, the respective response includes the following parameters: + `vp_token`: -: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations. +: REQUIRED. A JSON-encoded object subject to the following requirements: + + * Each key MUST be the `id` of a Credential Query in the DCQL query. + + * Each value MUST be an array containing one or more Presentations matching + the corresponding Credential Query. + + * When `multiple` is omitted or set to `false`, the array MUST contain exactly + one Presentation. + + * The object MUST NOT contain an entry for an optional Credential Query when + there are no matching Credentials for that Credential Query. + + * Each Presentation MUST be encoded as a string or object according to + (#format_specific_parameters). + + * The object MAY be empty only if the DCQL query can be satisfied without + returning any Presentation according to + (#dcql_query_lang_processing_rules). Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications. 
@@ -3665,3 +3687,5 @@ The technology described in this specification was made available from contribut * Clarified that Multi-RP-sig section means Verifier Info instead of attestations * Updated origin examples to remove trailing slash * Clarified that request_uri_method is a case-sensitive string + * Clarify that empty objects in VP Tokens cannot be used to signify an error response + * Editorial improvement of the `vp_token` section
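Review bot: the new file `.DS_Store` at the repository root (`create mode 100644 .DS_Store`, an 8196-byte binary literal) is macOS Finder metadata and is unrelated to the specification change for #743. Drop it from the commit and add `.DS_Store` to `.gitignore`. A binary blob like this cannot be reviewed in the diff, and such files record names from the committer's local directory.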
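Review bot: in the hunk at `@@ -1140,6 +1140,9 @@`, the added sentence `The Wallet MUST return a VP Token only if ...` can be read either as an obligation to return a VP Token or as a restriction on when one may be returned. If the restriction is what is meant, a prohibition is unambiguous, for example `The Wallet MUST NOT return a VP Token unless the set of Presentations represented by the VP Token satisfies the requirements of the DCQL query`. The sentence also does not say what the Wallet returns when the query cannot be satisfied. The changelog entry added by this patch talks about error responses, so a reference to the error response at this point would close that gap.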
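Review bot: in the hunk at `@@ -1161,8 +1164,27 @@`, the new bullets under `vp_token` put MUST requirements on the object without naming who is bound by them, whereas the sentence added in the first hunk names the Wallet. Name the Wallet as the producer here, and consider stating what a Verifier does with a `vp_token` that breaks one of these rules (a key that is not an `id` from its DCQL query, an empty array, or more than one Presentation when `multiple` is not `true`), since that check is what protects the Verifier. The last bullet, `The object MAY be empty only if ...`, mixes a permission with a condition and reads more clearly as `MUST NOT be empty unless`. The removed sentence `The same rules as above apply for encoding the Presentations.` has no counterpart in the new list, so please confirm that dropping it is intended.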
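Review bot: in the changelog hunk at `@@ -3665,3 +3687,5 @@`, the entry `Clarify that empty objects in VP Tokens cannot be used to signify an error response` describes something the normative text added by this patch does not say: neither the new Wallet sentence nor the `vp_token` bullets mention error responses. Either add that statement to the `vp_token` section or reword the entry to match what was changed. The two new entries also break with the past tense of their neighbours (`Clarified ...`, `Updated ...`); `Clarified that ...` and `Editorially improved the vp_token section` would match.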