diff --git a/.gitignore b/.gitignore index bf1528da..aedc929f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ # ignore markdown2rfc output *.html *.xml +.DS_Store diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index 0b1982e9..a16ba062 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md @@ -1144,6 +1144,17 @@ Additional, more complex examples can be found in (#more_dcql_query_examples). A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request). +The Wallet MUST return a VP Token only if the set of Presentations returned in +the VP Token satisfies the requirements of the DCQL query according to +(#dcql_query_lang_processing_rules). If the Wallet does not return any +Presentation, for example, because the End-User did not give consent, the +requested Credentials are not available, or the DCQL query can be satisfied +without returning any Presentation (i.e., all Credential Queries that cannot +be fulfilled are optional), the Wallet MUST NOT return a VP Token; if the +Wallet returns a response, it MUST be an error response as defined in +(#error-response). In particular, an empty VP Token (a JSON object without +any entries) MUST NOT be used to signify an error. + A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details. If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2]. @@ -1166,7 +1177,25 @@ The behavior with respect to the VP Token is unspecified for any other individua When a VP Token is returned, the respective response includes the following parameters: `vp_token`: -: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations. +: REQUIRED. A JSON-encoded object subject to the following requirements: + + * Each key MUST be the `id` of a Credential Query in the DCQL query. + + * Each value MUST be an array containing one or more Presentations matching + the corresponding Credential Query. + + * When `multiple` is omitted or set to `false`, the array MUST contain exactly + one Presentation. + + * The object MUST NOT contain an entry for an optional Credential Query when + there are no matching Credentials for that Credential Query. + + * Each Presentation MUST be encoded as a string or object according to + (#format_specific_parameters). + + * The object MUST NOT be empty: it MUST contain at least one entry. If there + is no Presentation to return and the Wallet returns a response, it MUST be + an error response as defined in (#error-response) instead of a VP Token. Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications. @@ -3598,6 +3627,8 @@ The technology described in this specification was made available from contribut * Updated origin examples to remove trailing slash * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used * Clarified that request_uri_method is a case-sensitive string + * Clarify that a VP Token cannot be empty and that empty objects in VP Tokens cannot be used to signify an error response; an error response is returned instead + * Editorial improvement of the `vp_token` section -final diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 198af1b2..d2eb1377 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -1140,6 +1140,17 @@ Additional, more complex examples can be found in (#more_dcql_query_examples). A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request). +The Wallet MUST return a VP Token only if the set of Presentations returned in +the VP Token satisfies the requirements of the DCQL query according to +(#dcql_query_lang_processing_rules). If the Wallet does not return any +Presentation, for example, because the End-User did not give consent, the +requested Credentials are not available, or the DCQL query can be satisfied +without returning any Presentation (i.e., all Credential Queries that cannot +be fulfilled are optional), the Wallet MUST NOT return a VP Token; if the +Wallet returns a response, it MUST be an error response as defined in +(#error-response). In particular, an empty VP Token (a JSON object without +any entries) MUST NOT be used to signify an error. + A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details. If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2]. @@ -1162,7 +1173,25 @@ The behavior with respect to the VP Token is unspecified for any other individua When a VP Token is returned, the respective response includes the following parameters: `vp_token`: -: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations. +: REQUIRED. A JSON-encoded object subject to the following requirements: + + * Each key MUST be the `id` of a Credential Query in the DCQL query. + + * Each value MUST be an array containing one or more Presentations matching + the corresponding Credential Query. + + * When `multiple` is omitted or set to `false`, the array MUST contain exactly + one Presentation. + + * The object MUST NOT contain an entry for an optional Credential Query when + there are no matching Credentials for that Credential Query. + + * Each Presentation MUST be encoded as a string or object according to + (#format_specific_parameters). + + * The object MUST NOT be empty: it MUST contain at least one entry. If there + is no Presentation to return and the Wallet returns a response, it MUST be + an error response as defined in (#error-response) instead of a VP Token. Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications. @@ -3665,3 +3694,5 @@ The technology described in this specification was made available from contribut * Clarified that Multi-RP-sig section means Verifier Info instead of attestations * Updated origin examples to remove trailing slash * Clarified that request_uri_method is a case-sensitive string + * Clarify that a VP Token cannot be empty and that empty objects in VP Tokens cannot be used to signify an error response; an error response is returned instead + * Editorial improvement of the `vp_token` section