Optional attributes when presenting a credential with DCQL #440

Open
grausof opened this issue Feb 27, 2025 · 4 comments

Comments

@grausof

grausof commented Feb 27, 2025

Moved from openid/OpenID4VCI#465

Reading the paragraph on DCQL, it seems that an RP can request a series of credentials, some optional and some mandatory, indicating which attributes are necessary for the presentation, but it seems that it is NOT POSSIBLE to indicate, for a single credential, which attributes are mandatory and which are optional. Does it make sense to you that an RP cannot indicate optional attributes but only optional credentials?

For example, assume that an RP requires the user to present an identity credential (identity_credential) with the following mandatory attributes: last_name and first_name. This can be done using the following non-normative example:

{
  "credentials": [
    {
      "id": "my_credential",
      "format": "dc+sd-jwt",
      "meta": {
        "vct_values": [ "https://credentials.example.com/identity_credential" ]
      },
      "claims": [
          {"path": ["last_name"]},
          {"path": ["first_name"]}
      ]
    }
  ]
}

But if the RP, in addition to first_name and last_name, also wants to ask for an optional attribute such as street_address to offer an extra service to the user, this is not possible via DCQL.

An example could be:

{
  "credentials": [
    {
      "id": "my_credential",
      "format": "dc+sd-jwt",
      "meta": {
        "vct_values": [ "https://credentials.example.com/identity_credential" ]
      },
      "claims": [
          {"path": ["last_name"]},
          {"path": ["first_name"]},
          {"path": ["street_address"]}
      ]
    }
  ]
}

but this makes the street_address attribute mandatory and therefore, if it is not presented by the user, access to the service will not be granted.

In fact, only the following attributes are defined for claims:

Each entry in claims MUST be an object with the following properties:

id:
REQUIRED if claim_sets is present in the Credential Query; OPTIONAL otherwise. A string identifying the particular claim. The value MUST be a non-empty string consisting of alphanumeric, underscore (_) or hyphen (-) characters. Within the particular claims array, the same id MUST NOT be present more than once.
path:
REQUIRED. The value MUST be a non-empty array representing a claims path pointer that specifies the path to a claim within the Verifiable Credential, as defined in Section 7.
values:
OPTIONAL. An array of strings, integers or boolean values that specifies the expected values of the claim. If the values property is present, the Wallet SHOULD return the claim only if the type and value of the claim both match for at least one of the elements in the array. Details of the processing rules are defined in Section 6.3.1.1.

You might consider introducing an optional attribute that can have a boolean value to solve the problem. What do you think? Is my interpretation correct?

@c2bo
Member

c2bo commented Feb 27, 2025

There was a lengthy discussion about that and the decision was made to not support optionality on the claim level (for user choice).

See #266 (comment) and some of the other comments in that PR.

@danielfett
Contributor

Also, please note that optional claims can still be expressed - but you need to define multiple credentials elements for it with corresponding credential_sets.

@grausof
Author

grausof commented Feb 28, 2025

OK, thanks @c2bo.

@danielfett ok, so an example could be:

{
  "credentials": [
    {
      "id": "pid",
      "format": "dc+sd-jwt",
      "meta": {
        "vct_values": ["https://credentials.example.com/identity_credential"]
      },
      "claims": [
        {"path": ["given_name"]},
        {"path": ["family_name"]}
      ]
    },
    {
      "id": "pid_with_address",
      "format": "dc+sd-jwt",
      "meta": {
        "vct_values": ["https://credentials.example.com/identity_credential"]
      },
      "claims": [
        {"path": ["given_name"]},
        {"path": ["family_name"]},
        {"path": ["address", "street_address"]}
      ]
    }
  ],
  "credential_sets": [
    {
      "purpose": "Identification",
      "options": [
        [ "pid" ]
      ]
    },
    {
      "purpose": "Identification with address",
      "required": false,
      "options": [
        [ "pid_with_address" ]
      ]
    }
  ]
}

even if, in this way, the wallet instance should show the user a request for two credentials which in reality are the same
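To make the two behaviours discussed in this thread concrete (every entry in `claims` is mandatory, so the all-in-one query from the first post fails when the wallet lacks street_address, while the credential_sets pattern above lets the address be skipped), here is a small DCQL evaluator written as an added example. It is not code from the OpenID4VP specification or from this thread, and it implements only a simplified reading of the matching rules: format and vct_values must match, every claim path must resolve (and match `values` when present), and a credential set with "required": false may be left unsatisfied. The wallet credential representation, the modelling of vct as a payload claim, the function names (resolve_path, credential_matches, evaluate) and the sample credentials are all constructed for this example; claim_sets, mdoc formats and path wildcards are out of scope.

```python
from __future__ import annotations
from typing import Any

# Constructed sample wallet contents (not from the thread). The vct of an SD-JWT VC is
# modelled here as a claim in the payload, which is an assumption of this example.
VCT = "https://credentials.example.com/identity_credential"
PID_NO_ADDRESS = {
    "id": "wallet-cred-1", "format": "dc+sd-jwt",
    "claims": {"vct": VCT, "given_name": "Erika", "family_name": "Mustermann"},
}
PID_WITH_ADDRESS = {
    "id": "wallet-cred-2", "format": "dc+sd-jwt",
    "claims": {"vct": VCT, "given_name": "Erika", "family_name": "Mustermann",
               "address": {"street_address": "Heidestr. 17"}},
}

# Query shape from the first post: every listed claim, street address included, is mandatory.
ALL_MANDATORY = {
    "credentials": [{
        "id": "my_credential", "format": "dc+sd-jwt", "meta": {"vct_values": [VCT]},
        "claims": [{"path": ["given_name"]}, {"path": ["family_name"]},
                   {"path": ["address", "street_address"]}],
    }]
}

# Query shape from the reply above: the address becomes optional because the second
# credential query sits in a credential set with "required": false.
OPTIONAL_VIA_SETS = {
    "credentials": [
        {"id": "pid", "format": "dc+sd-jwt", "meta": {"vct_values": [VCT]},
         "claims": [{"path": ["given_name"]}, {"path": ["family_name"]}]},
        {"id": "pid_with_address", "format": "dc+sd-jwt", "meta": {"vct_values": [VCT]},
         "claims": [{"path": ["given_name"]}, {"path": ["family_name"]},
                    {"path": ["address", "street_address"]}]},
    ],
    "credential_sets": [
        {"purpose": "Identification", "options": [["pid"]]},
        {"purpose": "Identification with address", "required": False,
         "options": [["pid_with_address"]]},
    ],
}


def resolve_path(claims: dict, path: list) -> tuple[bool, Any]:
    """Walk a claims path pointer made of string keys; return (found, value)."""
    node = claims
    for key in path:
        if not isinstance(key, str) or not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def credential_matches(query: dict, cred: dict) -> bool:
    """True if one wallet credential satisfies one entry of the query's `credentials`."""
    if cred["format"] != query["format"]:
        return False
    vct_values = query.get("meta", {}).get("vct_values")
    if vct_values is not None and cred["claims"].get("vct") not in vct_values:
        return False
    for claim in query.get("claims", []):
        found, value = resolve_path(cred["claims"], claim["path"])
        if not found:
            return False  # a listed claim is always mandatory: no per-claim optionality
        if "values" in claim and value not in claim["values"]:
            return False
    return True


def evaluate(dcql: dict, wallet: list[dict]) -> dict[str, list[str]] | None:
    """Map each credential query id that should be presented to the matching wallet
    credential ids, or return None when a required part of the request cannot be met."""
    matches = {q["id"]: [c["id"] for c in wallet if credential_matches(q, c)]
               for q in dcql["credentials"]}
    sets = dcql.get("credential_sets")
    if sets is None:
        # Without credential_sets every credential query is required.
        return matches if all(matches.values()) else None
    selected: dict[str, list[str]] = {}
    for cs in sets:
        option = next((opt for opt in cs["options"] if all(matches.get(i) for i in opt)), None)
        if option is None:
            if cs.get("required", True):
                return None
            continue  # optional set that cannot be satisfied is simply skipped
        for i in option:
            selected[i] = matches[i]
    return selected


if __name__ == "__main__":
    print(evaluate(ALL_MANDATORY, [PID_NO_ADDRESS]))      # None: street_address is mandatory
    print(evaluate(OPTIONAL_VIA_SETS, [PID_NO_ADDRESS]))  # {'pid': ['wallet-cred-1']}
    print(evaluate(OPTIONAL_VIA_SETS, [PID_WITH_ADDRESS]))
```

Running it against the constructed wallet shows the trade-off in the thread: the all-mandatory query is rejected outright for a holder without an address, the credential_sets query degrades gracefully to "pid" alone, and a holder who does have the address ends up with both "pid" and "pid_with_address" selected from the same underlying credential, which is the duplication the comment above points out.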

@c2bo
Member

c2bo commented Feb 28, 2025

One of the advantages that was discussed for not having optionality at claim level but only at a higher level was a clear binding to purpose. Otherwise the request is somewhat ambiguous.
