Skip to content

Security considerations on untrusted input#748

Open
c2bo wants to merge 7 commits into
mainfrom
647-security-dcql-json
Open

Security considerations on untrusted input#748
c2bo wants to merge 7 commits into
mainfrom
647-security-dcql-json

Conversation

@c2bo

@c2bo c2bo commented Jun 22, 2026

Copy link
Copy Markdown
Member

Fixes the concerns raised in #647 and broadens the scope to untrusted JSON input

Should this also go in 1.0?

Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated

## Parsing of untrusted inputs

Wallets MUST treat all incoming requests as untrusted input. To mitigate injection and resource exhaustion attacks, Wallets MUST implement input validation on the Authorization Request and its enclosed DCQL query.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a schema definition available for the authorization request and DCQL query?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't say strict schema, but we are defining the structures in the specification of both

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed this Q on today's APAC WG call. Leaving it for the larger group to discuss tomorrow:

  1. Do we think JSON schemas can be useful here?

If there are no objections:
2) Do we think it's a 1.1 or 1.2 feature?

FYI @Sakurann @brentzundel

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thu wg discussion:

  • no support to define JSON Schema: versioning, it is not standardized, security concerns for remote code execution, etc.

text below might be tweaked better but reads good to strike the balance

  • Enforce input validation: Verify that the Authorization Request and DCQL query contain no malformed properties. Unknown parameters MUST be ignored.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a schema definition available for the authorization request and DCQL query?

There's an (not officially working group endorsed, and not complete as it specialises for mdoc/sd-jwt vc) JSON schema for DCQL query available here: https://gitlab.com/openid/conformance-suite/-/tree/master/src/main/resources/json-schemas/oid4vp?ref_type=heads

Note that it's overly strict (rejects unknown properties, whereas spec requires them to be ignored) as we flag unknown properties in the conformance tests, as it tends to surface typos & misunderstandings of the spec.

Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated

## Parsing of untrusted inputs

Wallets MUST treat all incoming requests as untrusted input. To mitigate injection and resource exhaustion attacks, Wallets MUST implement input validation on the Authorization Request and its enclosed DCQL query.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we mention the response for direct_post requests?

Co-authored-by: Paul Bastian <paul.bastian@posteo.de>
Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated

@deshmukhrajvardhan deshmukhrajvardhan left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the nit. The PR looks good to me

Co-authored-by: Rajvardhan S Deshmukh (he/him) <17696886+deshmukhrajvardhan@users.noreply.github.com>
@c2bo c2bo requested a review from deshmukhrajvardhan July 3, 2026 14:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants