Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added .DS_Store

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should remove .DS_Store

Binary file not shown.
26 changes: 25 additions & 1 deletion 1.1/openid-4-verifiable-presentations-1_1.md
Original file line number Diff line number Diff line change
Expand Up @@ -1140,6 +1140,9 @@ Additional, more complex examples can be found in (#more_dcql_query_examples).

A VP Token is only returned if the corresponding Authorization Request contained a `dcql_query` parameter or a `scope` parameter representing a DCQL Query (as defined in #vp_token_request).

The Wallet MUST return a VP Token only if the set of Presentations represented
by the VP Token satisfies the requirements of the DCQL query according to (#dcql_query_lang_processing_rules).
Comment on lines +1143 to +1144

@jogu jogu Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a gap/ambiguity here I think. If all the requested credentials are set as optional, returning no credentials satisfies the DCQL query, so you can/must return a VP Token. But then the rules below leave no VP Token that is valid to return.


A VP Token can be returned in the Authorization Response or the Token Response depending on the Response Type used. See (#response_type_vp_token) for more details.

If the Response Type value is `vp_token`, the VP Token is returned in the Authorization Response. When the Response Type value is `vp_token id_token` and the `scope` parameter contains `openid`, the VP Token is returned in the Authorization Response alongside a Self-Issued ID Token as defined in [@!SIOPv2].
Expand All @@ -1161,8 +1164,27 @@ The behavior with respect to the VP Token is unspecified for any other individua

When a VP Token is returned, the respective response includes the following parameters:


`vp_token`:
: REQUIRED. This is a JSON-encoded object containing entries where the key is the `id` value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When `multiple` is omitted, or set to `false`, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Presentations.
: REQUIRED. A JSON-encoded object subject to the following requirements:

* Each key MUST be the `id` of a Credential Query in the DCQL query.

@paulbastian paulbastian Jul 2, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we usually don't use empty lines in enumerations

@awoie awoie Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But we do also in this spec doc and if I remember correctly, this won't render nicely if it was removed.

* Each value MUST be an array containing one or more Presentations matching
the corresponding Credential Query.

* When `multiple` is omitted or set to `false`, the array MUST contain exactly
one Presentation.

* The object MUST NOT contain an entry for an optional Credential Query when
there are no matching Credentials for that Credential Query.
Comment on lines +1179 to +1180

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is hard to understand for me, is this repeating things from DCQL rules? Why "optional"?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this line is rather confusing and repeating DCQL rules

@awoie awoie Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that but it was there previously. Happy to remove it but on the WG call on July 2, we decided to keep it.


* Each Presentation MUST be encoded as a string or object according to
(#format_specific_parameters).

* The object MUST NOT be empty
returning any Presentation according to
(#dcql_query_lang_processing_rules).
Comment on lines +1185 to +1187

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's missing words or something here. This isn't a sentence that makes sense.


Other parameters, such as `code` (from [@!RFC6749]), or `id_token` (from [@!OpenID.Core]), and `iss` (from [@RFC9207]) can be included in the response as defined in the respective specifications.

Expand Down Expand Up @@ -3665,3 +3687,5 @@ The technology described in this specification was made available from contribut
* Clarified that Multi-RP-sig section means Verifier Info instead of attestations
* Updated origin examples to remove trailing slash
* Clarified that request_uri_method is a case-sensitive string
* Clarify that empty objects in VP Tokens cannot be used to signify an error response
* Editorial improvement of the `vp_token` section
Loading