Should dcql_query and presentation_definition be a string when using JAR? #378

Open
TimoGlastra opened this issue Jan 6, 2025 · 2 comments

@TimoGlastra
Member

When using JAR, the authorization request is encoded as JSON in a JWT. What I've seen most implementations do with the presentation_definition field is to keep it as JSON when using JAR, and not encode the JSON object as a string even though the spec mentions "A string containing a Presentation Definition JSON object". We addressed this in our implementation by allowing both string and JSON.

For DCQL we ran into the same issue again. We encode it as string now, but when doing interop testing with @markuskreusch for DCQL it was encoded as JSON object. We hadn't applied the same fix yet to also allow JSON (we currently always expect string for DCQL).

Encoding the JSON as string is required when using query parameters, but not when using JAR, and it seems to lead to ambiguity. In my opinion it makes sense to allow JSON for JAR (as it's more natural to keep JSON as JSON when putting it in a JSON object). I think most important is to maybe add something in the spec about what to do when using JAR:

  • keep requirements same, but mention that when using JAR it should also still be a JSON string, not the JSON object
  • make an exception for JAR, and allow/require it to be encoded as JSON instead of string.
@bc-pi
Member

bc-pi commented Jan 6, 2025

JAR really should have been more clear about this but I believe the intent has always been that parameters with JSON values remain just JSON when in other JSON.

@jogu
Collaborator

jogu commented Jan 6, 2025

I agree the spec currently defines both presentation_definition and dcql_query to be strings which is unhelpful:

https://github.com/openid/OpenID4VP/blob/main/openid-4-verifiable-presentations-1_0.md?plain=1#L277

The conformance tests send presentation_definition as JSON in the request object, so technically aren't currently compliant with the specification...

The only example that uses DCQL vaguely suggests it's a JSON object: https://openid.net/specs/openid-4-verifiable-presentations-1_0-ID3.html#appendix-A.2

The presentation_definition examples are mixed with one showing a string and most others showing an object.

As well as JAR, this affects the Digital Credentials API too.

ISO 18013 part 7 defines presentation_definition as a JSON object and shows it as that in the example request object.

I think we should fix things to make clear that both are intended to be JSON objects, encoded into strings where necessary - we perhaps need similar text to what RAR has for authorization_details: https://datatracker.ietf.org/doc/html/rfc9396#section-3
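
Added example, not part of the thread and not any participant's implementation: one way a receiver could accept both encodings discussed above for `presentation_definition` and `dcql_query`, whether they arrive in a JAR request object or as query parameters, while rejecting double-encoded or non-object values. All function names and the sample query are assumptions made for illustration, and JWT signature verification is deliberately left out.

```javascript
// Added example: accept either encoding of the JSON-valued parameters.
const JSON_PARAMS = ["presentation_definition", "dcql_query"];

// Accept a JSON object, or a string that holds one; reject everything else.
function normalizeJsonParam(name, value) {
  let parsed = value;
  if (typeof value === "string") {
    try {
      parsed = JSON.parse(value);
    } catch {
      throw new Error(`${name}: string is not valid JSON`);
    }
  }
  // Double-encoded strings, arrays, null and scalars are not query objects.
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error(`${name}: expected a JSON object`);
  }
  const encoding = typeof value === "string" ? "string" : "object";
  return { value: parsed, encoding };
}

// Read the claims of a JAR request object. Signature verification is omitted
// here; a real wallet verifies the JWT before trusting any claim.
function decodeJarClaims(jwt) {
  const payload = jwt.split(".")[1];
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
}

// Works for JAR claims and for parameters taken from a URL query string.
function normalizeRequest(params) {
  const out = { ...params };
  for (const name of JSON_PARAMS) {
    if (name in params) out[name] = normalizeJsonParam(name, params[name]).value;
  }
  return out;
}

// Constructed sample data (not from the thread or the specification).
const sampleQuery = { credentials: [{ id: "example", format: "mso_mdoc" }] };
function makeSampleJar(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ typ: "oauth-authz-req+jwt" })}.${b64(claims)}.sig-not-checked`;
}

const asObject = makeSampleJar({ dcql_query: sampleQuery });
const asString = makeSampleJar({ dcql_query: JSON.stringify(sampleQuery) });
console.log(normalizeRequest(decodeJarClaims(asObject)).dcql_query);
console.log(normalizeRequest(decodeJarClaims(asString)).dcql_query);
```

The `encoding` field returned by `normalizeJsonParam` lets an implementation log which form a peer sent, which is useful during interop testing.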
