Missing element in credential request

[tlenz]

During testing with the latest build of the reference Wallet, we observed a potential deviation from the OpenID4VCI specification regarding the Credential Request.

According to Section 8.2 Credential Request:

• credential_identifier must be used if Authorization Details of type openid_credential were included in the token response.
• credential_configuration_id must be used only if no Authorization Details were present, because regarding https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-6.2 Authorization Details must include credential_identifiers

Our issuer returns Authorization Details in the Token response, for example:

{
  "access_token": "b13f248f-a726-40aa-8743-25d93c09ce24",
  "token_type": "bearer",
  "expires_in": 300,
  "authorization_details": [
{
      "type": "openid_credential",
      "credential_configuration_id": "urn:eudi:pid:1#dc+sd-jwt",
      "locations": [
        "https://wallet.a-sit.at/m7"
      ],
      "credential_identifiers": [
        "urn:eudi:pid:1#dc+sd-jwt"
      ]
    }
  ]
}

However, during testing the Wallet sends the following in the Credential Request:

{
    "credential_configuration_id": "urn:eudi:pid:1#dc+sd-jwt",
    "proofs": {
        "jwt": [
            "eyJhbGciOiJFU...."
        ]
    }
}

This appears to disregard the credential_identifier requirement and may be non-compliant with the specification.

From a brief inspection of the source code (RequestIssuanceImpl.kt#L333), an IdentifierBase request model exists but does not appear to be used.

[antonwiens]

We observed the same deviation from the specification.

[babisRoutis]

Dear @tlenz

Thank you for reporting this and making a first investigation.

Indeed, what you described as expected behavior is correct and aligns with OpenID4VCI

With regards to the VCI library, it fully supports

• Obtaining authorization details from token response
• Placing credential requests using credential identifier, instead of credential configuration id.

VCI library , though, misses a check to enforce that if credential identifiers are provided by the authorization server, they must to be used. For this reason I created a new issue eu-digital-identity-wallet/eudi-lib-jvm-openid4vci-kt#485

Returning to the present issue, this needs to be taken into account by the caller of the library which in our case it is the "core" of the wallet. For this reason, I moved the issue to the relevant repository.

[babisRoutis]

Hi @vkanellopoulos

Please check the usage of the following interface RequestIssuance

fun interface RequestIssuance {

    suspend fun AuthorizedRequest.request(
        requestPayload: IssuanceRequestPayload,
        proofsSpecification: ProofsSpecification,
    ): Result<AuthorizedRequestAnd<SubmissionOutcome>>
}

If the AuthorizedRequest contains a non empty credentialIdentifiers map, then the requestPayload parameter must be of type
IssuanceRequestPayload.IdentifierBased