Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# ignore markdown2rfc output
*.html
*.xml
.DS_Store
33 changes: 32 additions & 1 deletion 1.0/openid-4-verifiable-presentations-1_0.md
Original file line number Diff line number Diff line change
Expand Up @@ -1144,6 +1144,17 @@ Additional, more complex examples can be found in (#more_dcql_query_examples).

A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request).

The Wallet MUST return a VP Token only if the set of Presentations returned in
the VP Token satisfies the requirements of the DCQL query according to
(#dcql_query_lang_processing_rules). If the Wallet does not return any
Presentation, for example, because the End-User did not give consent, the
requested Credentials are not available, or the DCQL query can be satisfied
without returning any Presentation (i.e., all Credential Queries that cannot
be fulfilled are optional), the Wallet MUST NOT return a VP Token; if the
Wallet returns a response, it MUST be an error response as defined in
(#error-response). In particular, an empty VP Token (a JSON object without
any entries) MUST NOT be used to signify an error.

A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details.

If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2].
Expand All @@ -1166,7 +1177,25 @@ The behavior with respect to the VP Token is unspecified for any other individua
When a VP Token is returned, the respective response includes the following parameters:

`vp_token`:
: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations.
: REQUIRED. A JSON-encoded object subject to the following requirements:

* Each key MUST be the `id` of a Credential Query in the DCQL query.

* Each value MUST be an array containing one or more Presentations matching
the corresponding Credential Query.

* When `multiple` is omitted or set to `false`, the array MUST contain exactly
one Presentation.

* The object MUST NOT contain an entry for an optional Credential Query when
there are no matching Credentials for that Credential Query.

* Each Presentation MUST be encoded as a string or object according to
(#format_specific_parameters).

* The object MUST NOT be empty: it MUST contain at least one entry. If there
is no Presentation to return and the Wallet returns a response, it MUST be
an error response as defined in (#error-response) instead of a VP Token.

Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications.

Expand Down Expand Up @@ -3598,6 +3627,8 @@ The technology described in this specification was made available from contribut
* Updated origin examples to remove trailing slash
* Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used
* Clarified that request_uri_method is a case-sensitive string
* Clarify that a VP Token cannot be empty and that empty objects in VP Tokens cannot be used to signify an error response; an error response is returned instead
* Editorial improvement of the `vp_token` section

-final

Expand Down
33 changes: 32 additions & 1 deletion 1.1/openid-4-verifiable-presentations-1_1.md
Original file line number Diff line number Diff line change
Expand Up @@ -1140,6 +1140,17 @@ Additional, more complex examples can be found in (#more_dcql_query_examples).

A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request).

The Wallet MUST return a VP Token only if the set of Presentations returned in
the VP Token satisfies the requirements of the DCQL query according to
(#dcql_query_lang_processing_rules). If the Wallet does not return any
Presentation, for example, because the End-User did not give consent, the
requested Credentials are not available, or the DCQL query can be satisfied
without returning any Presentation (i.e., all Credential Queries that cannot
be fulfilled are optional), the Wallet MUST NOT return a VP Token; if the
Wallet returns a response, it MUST be an error response as defined in
(#error-response). In particular, an empty VP Token (a JSON object without
any entries) MUST NOT be used to signify an error.

A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details.

If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2].
Expand All @@ -1162,7 +1173,25 @@ The behavior with respect to the VP Token is unspecified for any other individua
When a VP Token is returned, the respective response includes the following parameters:

`vp_token`:
: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations.
: REQUIRED. A JSON-encoded object subject to the following requirements:

* Each key MUST be the `id` of a Credential Query in the DCQL query.

@paulbastian paulbastian Jul 2, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we usually don't use empty lines in enumerations

@awoie awoie Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But we do also in this spec doc and if I remember correctly, this won't render nicely if it was removed.

* Each value MUST be an array containing one or more Presentations matching
the corresponding Credential Query.

* When `multiple` is omitted or set to `false`, the array MUST contain exactly
one Presentation.

* The object MUST NOT contain an entry for an optional Credential Query when
there are no matching Credentials for that Credential Query.
Comment on lines +1186 to +1187

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is hard to understand for me, is this repeating things from DCQL rules? Why "optional"?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this line is rather confusing and repeating DCQL rules

@awoie awoie Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that but it was there previously. Happy to remove it but on the WG call on July 2, we decided to keep it.


* Each Presentation MUST be encoded as a string or object according to
(#format_specific_parameters).

* The object MUST NOT be empty: it MUST contain at least one entry. If there
is no Presentation to return and the Wallet returns a response, it MUST be
an error response as defined in (#error-response) instead of a VP Token.

Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications.

Expand Down Expand Up @@ -3665,3 +3694,5 @@ The technology described in this specification was made available from contribut
* Clarified that Multi-RP-sig section means Verifier Info instead of attestations
* Updated origin examples to remove trailing slash
* Clarified that request_uri_method is a case-sensitive string
* Clarify that a VP Token cannot be empty and that empty objects in VP Tokens cannot be used to signify an error response; an error response is returned instead
* Editorial improvement of the `vp_token` section
Loading