fix: retain Presentation layer during decoding to allow nonce extraction #115
+44
−16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…once extraction method
Codecov Report❌ Patch coverage is
🚀 New features to boost your workflow:
|
This was referenced Jan 14, 2026
oid4vp/src/oid4vp.rs
Outdated
| }; | ||
| use crate::dcql::dcql_query::CredentialQueryId; | ||
| use crate::token::verifiable_presentation_jwt::VerifiablePresentationJwt; | ||
| // use crate::token::verifiable_presentation_jwt_builder::VerifiablePresentationJwtBuilder; |
nanderstabel
requested changes
Jan 14, 2026
| Self::InvalidEncryptionParameters => StatusCode::BAD_REQUEST, | ||
| Self::InvalidToken => StatusCode::UNAUTHORIZED, | ||
| Self::InvalidNonce => StatusCode::BAD_REQUEST, | ||
| Self::CredentialRequestDenied => StatusCode::FORBIDDEN, |
Collaborator
There was a problem hiding this comment.
Shouldn't this one also be StatusCode::BAD_REQUEST?:
Comment on lines
+53
to
+64
| pub fn nonce(&self) -> Option<String> { | ||
| // Making the assumption that all VPs in the token have the same nonce | ||
| for presentations in self.presentations.values() { | ||
| for vp in presentations { | ||
| if let Some(nonce) = vp.nonce() { | ||
| return Some(nonce.clone()); | ||
| // TODO: (Edge case)What if different VPs have different nonces? | ||
| } | ||
| } | ||
| } | ||
| None | ||
| } |
Collaborator
There was a problem hiding this comment.
Currently the function returns the first nonce, so all the other nonces are ignored. Maybe instead of this getter function you could add a validate_nonce function or something like that which takes the original nonce and validates all the presentation's nonces against it?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of change
Previously, the
decode_authorization_responsefunction would extract only the inner VerifiableCredentialJwt level of the vp_token. This meant that the "outer" VerifiablePresentationJwt (VP) shell of the token was discarded after decoding.Because the nonce claim resides on the Presentation layer and not the Credential layer, it was impossible to perform nonce validation in our authorization_request Aggregate.
This PR changes the format of the DecodedVpToken struct to store the full VerifiablePresentationJwt wrapper. The decoding logic has been updated to:
A helper method .nonce() was also added to DecodedVpToken to allow the Aggregate in our ssi-agent to easily extract the nonce from the verified presentations.
Links to any relevant issues
Be sure to reference any related issues by adding
fixes issue #.How the change has been tested
Describe the tests that you ran to verify your changes.
Make sure to provide instructions for the maintainer as well as any relevant configurations.
Definition of Done checklist
Add an
xto the boxes that are relevant to your changes.