search

decentralized-identity / presentation-exchange

Specification that codifies an inter-related pair of data formats for defining proof presentations (Presentation Definition) and subsequent proof submissions (Presentation Submission)
https://identity.foundation/presentation-exchange
Apache License 2.0
84 stars 36 forks source link

Can a single presentation definition result in a single presentation submission with multiple VPs? #462

Closed TimoGlastra closed 11 months ago

TimoGlastra commented 11 months ago

Opening this issue based on some discussions I've had with @nklomp, as well as some things we've run into when integrating PEX / OpenID4VP and SD-JWT / JWT vcs.

In OpenID4Vp a Presentation Definition is shared, and based on that a submission is created. With W3C JSON-LD credentials the behvaiour has often been you create a W3C VP, that contains one or more W3C VCs. You sign the W3C VP with one or more signatrues, depending on whether you use different credentialSubject.ids across the VCs in the VP.

With W3C JWT VPs this same behaviour won't work, as you can only put a single signature on a W3C JWT VP. So while you can include multiple VCs in an W3C JWT VP, if you want to put multiple signatures that won't work.

For the recent JFF Plugfest we wanted to submit an Authorization Response in OpenID4VP, where the Presentation Definitions had multiple inputs_descriptors. The PD could be satisfied by submitting multiple W3C JWT credentials, but each had a different credentialSubject.id. So we ended up grouping all W3C JWT VCs with the same credentialSubject.id into a W3C JWT VP, and then submitting multiple W3C JWT VPs in the vp_token from the OpenID4VP authorization response.

This has resulted in a question on my side whether it is allowed to create a single presentation submission, consisting of multiple VPs based on a single presentation definition?

@nklomp mentioned this is not allowed by the PEX specification (see discussion here: https://github.com/Sphereon-Opensource/SIOP-OID4VP/issues/62), but after reading through the spec, I wasn't confident that this is not allowed.

The same problem has now arisen for support SD-JWT VCs. As an SD-JWT presentation is just the SD-JWT VC (with optionally a KB-JWT and some disclosures omitted), to be able to handle a Presentation Definition with multiple input descriptors, you would have to create multiple VPs (multiple SD-JWT VCs).

rado0x54 commented 11 months ago

The spec allows to have multiple separate JWT VP within on presentation submission. Also compare section Processing of Submission Entries For example:

{
  "presentation_submission": {
    "id": "a30e3b91-fb77-4d22-95fa-871689c322e2",
    "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
    "descriptor_map": [
      {
        "id": "banking_input",
        "format": "jwt_vp",
        "path": "$.vps[0]",
        "path_nested": {
          "id": "banking_input",
          "format": "jwt_vc",
          "path": "$.vc"
        }
      },
      {
        "id": "citizenship_input",
        "format": "jwt_vp",
        "path": "$.vps[1]",
        "path_nested": {
          "id": "citizenship_input",
          "format": "jwt_vc",
          "path": "$.vc"
        }
      }
    ]
  }
}

(this example was quickly constructed and is only intended to convey the principle).

Please let us know if that resolves this issue?

TimoGlastra commented 11 months ago

Yes that solves my issue, thanks!