Skip to content

Clarify an empty object in a VP Token cannot be used to signify an error response#745

Open
awoie wants to merge 3 commits into
mainfrom
awoie/fix-743
Open

Clarify an empty object in a VP Token cannot be used to signify an error response#745
awoie wants to merge 3 commits into
mainfrom
awoie/fix-743

Conversation

@awoie

@awoie awoie commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Fixes #743

  • needs errata? change 1.0?

I also improved the vp_token definition because it is a quite important part of the spec and the readability was not great.

I removed this editorially because I don't think it had any meaning anymore:

The same rules as above apply for encoding the Presentations.

@awoie awoie marked this pull request as draft June 18, 2026 17:31
@awoie

awoie commented Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

We probably will need to apply this logic to DC API as well. I will need to double check if this is included with the current proposed text.

@fkj fkj left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If people don't object to the rewriting of the definition, I agree that this makes it easier to understand what we actually mean.

Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
Comment on lines +1179 to +1180
* The object MUST NOT contain an entry for an optional Credential Query when
there are no matching Credentials for that Credential Query.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is hard to understand for me, is this repeating things from DCQL rules? Why "optional"?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this line is rather confusing and repeating DCQL rules

@awoie awoie Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that but it was there previously. Happy to remove it but on the WG call on July 2, we decided to keep it.

@Sakurann

Sakurann commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

wg discussion, should be in the errata as well.

: REQUIRED. A JSON-encoded object subject to the following requirements:

* Each key MUST be the `id` of a Credential Query in the DCQL query.

@paulbastian paulbastian Jul 2, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we usually don't use empty lines in enumerations

@awoie awoie Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But we do also in this spec doc and if I remember correctly, this won't render nicely if it was removed.

Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Comment on lines +1185 to +1187
* The object MUST NOT be empty
returning any Presentation according to
(#dcql_query_lang_processing_rules).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's missing words or something here. This isn't a sentence that makes sense.

Comment thread .DS_Store Outdated

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should remove .DS_Store

Comment on lines +1143 to +1144
The Wallet MUST return a VP Token only if the set of Presentations represented
by the VP Token satisfies the requirements of the DCQL query according to (#dcql_query_lang_processing_rules).

@jogu jogu Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a gap/ambiguity here I think. If all the requested credentials are set as optional, returning no credentials satisfies the DCQL query, so you can/must return a VP Token. But then the rules below leave no VP Token that is valid to return.

jogu added a commit to openid-certification/conformance-suite that referenced this pull request Jul 8, 2026
New test module
oid4vp-1final-wallet-negative-test-required-non-matching-credential
sends a DCQL query whose credential_sets require both the real
credential and a non-existent one. As the query as a whole cannot be
satisfied, the wallet must not return a vp_token - neither an empty
object nor a partial one containing only the real credential - as
clarified in openid/OpenID4VP#745.
The module accepts either an error response (access_denied expected;
other codes give a warning; encrypted error responses are supported in
the .jwt response modes) or the wallet rejecting the request and
displaying an error, verified via a screenshot placeholder.

AddOptionalNonMatchingCredentialToDcqlQuery is refactored into an
abstract base shared with the new required variant, and the browser API
response parsing/rejection handling in AbstractVP1FinalWalletTest is
extracted into reusable helpers.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Per WG consensus on #743, an empty VP Token (i.e., {}) MUST NOT be used, including to signify an error. When the Wallet has no Presentation to return - e.g., no consent, no matching Credentials, or a DCQL query satisfiable without any Presentation because all unfulfilled Credential Queries are optional - any response it returns MUST be an error response rather than a VP Token.

Also fixes the truncated sentence in the vp_token requirements, applies the same clarification to 1.0 as an errata set 1 change with changelog entries in both documents, and removes the accidentally committed .DS_Store.
@awoie awoie marked this pull request as ready for review July 9, 2026 10:28
@awoie awoie requested review from Sakurann, c2bo, jogu and paulbastian July 9, 2026 10:28
@awoie

awoie commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Please review again @jogu @paulbastian @Sakurann . @jogu Note that if my memory is correct that the WG agreed to prohibit empty vp_token's even for the case where the DCQL query has only optional queries.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Clarify error case when wallet returns empty vp_token vs error response vs no response

6 participants