Skip to content

Clarify an empty object in a VP Token cannot be used to signify an error response #745

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
awoie wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Clarify an empty object in a VP Token cannot be used to signify an error response #745

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added .DS_Store
View file
Open in desktop
Binary file not shown.
26 changes: 25 additions & 1 deletion 1.1/openid-4-verifiable-presentations-1_1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1140,6 +1140,9 @@ Additional, more complex examples can be found in (#more_dcql_query_examples).

A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request).

The Wallet MUST return a VP Token only if the set of Presentations represented
by the VP Token satisfies the requirements of the DCQL query according to (#dcql_query_lang_processing_rules).

A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details.

If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2].
Expand All @@ -1161,8 +1164,27 @@ The behavior with respect to the VP Token is unspecified for any other individua

When a VP Token is returned, the respective response includes the following parameters:


`vp_token`:
: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations.
: REQUIRED. A JSON-encoded object subject to the following requirements:

* Each key MUST be the `id` of a Credential Query in the DCQL query.

* Each value MUST be an array containing one or more Presentations matching
the corresponding Credential Query.

* When `multiple` is omitted or set to `false`, the array MUST contain exactly
one Presentation.

* The object MUST NOT contain an entry for an optional Credential Query when
there are no matching Credentials for that Credential Query.
Comment on lines +1179 to +1180

@paulbastian paulbastian Jun 22, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is hard to understand for me, is this repeating things from DCQL rules? Why "optional"?

@paulbastian paulbastian Jun 22, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this line is rather confusing and repeating DCQL rules


* Each Presentation MUST be encoded as a string or object according to
(#format_specific_parameters).

* The object MAY be empty only if the DCQL query can be satisfied without

@c2bo c2bo Jun 22, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something like this might make it more clear imho?

Suggested change
* The object MAY be empty only if the DCQL query can be satisfied without
* The object MUST NOT be empty unless the DCQL query can be satisfied without

returning any Presentation according to
(#dcql_query_lang_processing_rules).

Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications.

Expand Down Expand Up @@ -3665,3 +3687,5 @@ The technology described in this specification was made available from contribut
* Clarified that Multi-RP-sig section means Verifier Info instead of attestations
* Updated origin examples to remove trailing slash
* Clarified that request_uri_method is a case-sensitive string
* Clarify that empty objects in VP Tokens cannot be used to signify an error response
* Editorial improvement of the `vp_token` section
Loading