TalaoDAO / AltMe

Talao / Altme wallet : Open source Self Sovereign Identity wallet. Multi ecosystem support : EBSI conformant. ARF EUDI wallet implementation, DIIP and more.
https://talao.io
Apache License 2.0

OIDC4VCI : token response without c_nonce #2734

Closed ThierryThevenet closed 5 days ago

ThierryThevenet commented 1 week ago

The main issue is that if the c_nonce is missing in the token response it could cause problems with the issuer at the credential endpoint, as the proof with no nonce (or "nonce" = null) might be considered invalid. This can happen quite often as the token response is managed by the AS and the credential endpoint by the Issuer.

Current behavior : If there is no c_nonce in the token response the wallet builds a proof jwt with "nonce" = null in the payload. The wallet sends the credential request with this proof, which is sometimes rejected by the issuer with an "invalid_proof" error message. The flow ends.

New behavior : If there is no c_nonce in the token response, the wallet builds a proof jwt with no nonce attribute at all in the payload. The wallet sends the credential request with this proof. If the issuer responds with an "invalid_proof" error message there will be a new c_nonce in the response.

Example of an error response :

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store

{
  "error": "invalid_proof",
  "error_description":
       "Credential Issuer requires key proof to be bound to a Credential Issuer provided nonce.",
  "c_nonce": "8YE9hCnyV2",
  "c_nonce_expires_in": 86400
}

Then the wallet must call the credential endpoint a second time with the same VC request but with a nonce value in the proof payload, "nonce" = <c_nonce>. If there is a second invalid_proof, the flow ends for this VC (1). If the c_nonce is missing from the error response, the flow ends for this VC (1).

(1) Be careful: in case of several VC issuances, the wallet must call the credential endpoint for each VC regardless of the above issue, and the c_nonce is updated in the credential response for each VC as well (this is OK today).
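The retry logic described in this issue, as an added Python example that is not the Altme wallet's own (Dart) code. It assumes a hypothetical `FakeIssuer` that rejects proofs whose nonce is not its current c_nonce and rotates the nonce on every issued credential, an HMAC (HS256) signature standing in for the wallet's real key proof, and the sample nonce "8YE9hCnyV2" taken from the error response above; `request_credential` sends the proof without a nonce claim, retries once with the c_nonce from an invalid_proof error, and `issue_all` carries the c_nonce from each credential response on to the next VC.

```python
import base64, hashlib, hmac, json

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def proof_payload(jwt):
    """Decode the payload segment of a compact JWT (no signature check)."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def build_proof_jwt(issuer_url, c_nonce=None, key=b"demo-key"):
    """New behaviour: with no c_nonce the payload has no "nonce" claim at all, not "nonce": null."""
    header = {"typ": "openid4vci-proof+jwt", "alg": "HS256"}  # HS256 stands in for the wallet's real key
    payload = {"aud": issuer_url, "iat": 1700000000}
    if c_nonce is not None:
        payload["nonce"] = c_nonce
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

class FakeIssuer:
    """Hypothetical issuer: rejects a proof whose nonce is not its current c_nonce and returns a fresh one."""
    def __init__(self, nonce="8YE9hCnyV2"):   # constructed value, copied from the sample error response
        self.nonce = nonce
    def credential(self, request):
        if proof_payload(request["proof"]["jwt"]).get("nonce") != self.nonce:
            return 400, {"error": "invalid_proof", "c_nonce": self.nonce, "c_nonce_expires_in": 86400,
                         "error_description": "Credential Issuer requires key proof to be bound to a Credential Issuer provided nonce."}
        self.nonce = "next-" + self.nonce   # a new c_nonce comes back with every issued credential
        return 200, {"credential": "<constructed credential>", "c_nonce": self.nonce, "c_nonce_expires_in": 86400}

def request_credential(issuer, issuer_url, vc_type, c_nonce):
    """One VC: send the proof, resend the same request once with the c_nonce from an invalid_proof error; returns (body, next_c_nonce)."""
    for _ in range(2):
        request = {"format": "jwt_vc_json",
                   "credential_definition": {"type": ["VerifiableCredential", vc_type]},
                   "proof": {"proof_type": "jwt", "jwt": build_proof_jwt(issuer_url, c_nonce)}}
        status, body = issuer.credential(request)
        if status == 200:
            return body, body.get("c_nonce", c_nonce)
        if body.get("error") != "invalid_proof" or "c_nonce" not in body:
            break   # another error, or invalid_proof without a c_nonce: nothing to retry with
        c_nonce = body["c_nonce"]
    return None, c_nonce   # second invalid_proof (or no usable error) ends the flow for this VC

def issue_all(issuer, issuer_url, vc_types, c_nonce=None):
    """Several VCs: each gets its own credential request; the c_nonce carried forward is the one from the previous credential response."""
    results = {}
    for vc_type in vc_types:
        results[vc_type], c_nonce = request_credential(issuer, issuer_url, vc_type, c_nonce)
    return results
```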