-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Conflict between VC Data Model specification and JwtCredentialPayload
#136
Comments
I think I partially narrowed down where the confusion arises from:
However, the conflict between VC JWT specification and the implementation still exists as evidenced by the second example. |
This lib currently implements vc1.1 spec, which describes a mapping between jwt properties and the rest of the VC data model. The spec does not mandate duplication of data, and for efficiency reasons, this library prefers to avoid duplication where possible. There is still some ambiguity, though. See also #64 |
It's also worth noting that the JWT example in https://www.w3.org/TR/vc-data-model/#issuer contradicts the JWT spec which requires the iss property to be a string |
We added the |
@mirceanis Thanks for that look-through. My thoughts:
Potential solutionCurrent behaviourThe behaviour of {
"@context": [
"https://www.w3.org/2018/credentials/v1"
],
"credentialSubject": {
...
},
"iss": "did:cheqd:testnet:553a68d3-e16d-4ea1-8f4b-ee17a317acd3",
"issuanceDate": "2023-05-31T13:29:40.815Z",
"issuer": {
"id": "did:cheqd:testnet:553a68d3-e16d-4ea1-8f4b-ee17a317acd3"
},
"nbf": 1685539780,
"sub": "did:vda:testnet:0x0D0BB3a44A37Da9C9ec6B49938375492c4c36323",
"type": [
"VerifiableCredential"
],
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
...
],
"credentialSubject": {
...
},
"type": [
"VerifiableCredential"
]
}
} You'll see the encoded JWT itself contains things like This kind of encoding in the payload seems to be not referenced in any of the specifications: in VC Data Model TR v1.1, VC Data Model v2.0, or in VC JWT. Proposed behaviourInstead, the {
"iss": "did:cheqd:testnet:553a68d3-e16d-4ea1-8f4b-ee17a317acd3",
"nbf": 1685539780,
"sub": "did:vda:testnet:0x0D0BB3a44A37Da9C9ec6B49938375492c4c36323",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
...
],
"issuer": {
"id": "did:cheqd:testnet:553a68d3-e16d-4ea1-8f4b-ee17a317acd3"
},
"issuanceDate": "2023-05-31T13:29:40.815Z",
"credentialSubject": {
...
},
"type": [
"VerifiableCredential"
]
}
} Instead of duplicating the VC body twice, one at top-context and again under If the value was {
"iss": "did:cheqd:testnet:553a68d3-e16d-4ea1-8f4b-ee17a317acd3",
"nbf": 1685539780,
"sub": "did:vda:testnet:0x0D0BB3a44A37Da9C9ec6B49938375492c4c36323",
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
...
],
"credentialSubject": {
...
},
"type": [
"VerifiableCredential"
]
}
} Here, the |
I agree that the implementation is correct. The spec example states for the JWT vc this:
That is one of the 2 options you have. Copy the respective JWT fields to the Also the VCDM talks quite a bit about encoding and decoding, from which it become clear that you sort of should create in internal VCDM compliant representation from the JWT |
@nklomp Sounds like it the current implementation of |
There's definitely something that can be improved here. The problem stems from the assumptions made early on by this library, which were that it can be used as a semi-drop-in-replacement for If the accepted payloads were strictly VCDM and not JWT, the logic should be this:
Things get more complicated when accepting JWT payloads as well, but I think we could have a heuristic to determine if the input is already a JWT payload (for example, by looking for a The way the code looks like now, it is treating both these cases in the same logic block, resulting in this weird behavior when |
Is the use case of being just passed the payload section of JWT common? Your logic might work if JWT payloads always nest the values under Wouldn't a better way be to always normalise top-level/final output like so regardless of whether
BTW, a tangible example of where the VCDM fields as well as their replication in |
(On a related note, I raised this issue on the VC JWT specification w3c/vc-jose-cose#100 separately because it relates to the header in VC JWTs, and I didn't want to keep that separate.) |
@OR13 Do you have any thoughts on this one? Would appreciate your advice. |
I don't think v1 was implementable for JWT, at least in a way that was interoperable. v2 essentially says , don't delete any required fields, don't use I'd start heading that direction, but it's possible the target will have moved by the time you get there. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Prerequisites
Please answer the following questions for yourself before submitting an issue.
Current Behavior
The payload section of a JWT VC as defined in
JwtCredentialPayload
only retains the following fields after normalisation:This will skip values such as
issuer
,issuanceDate
,expirationDate
etc - anything not explicitly mentioned above.Expected Behavior
According to the VC Data Model specification, Section 4.5 Issuer, these fields should be in the
vc
field and duplicated to native JWT fields such asiss
,nbf
, etc. Jump to Example 8 and switch to the "Verifiable Credential (as JWT)" tab:If you look at the JWT in that example:
...the payload decodes to:
You'll see the
iss
value is copied in, andissuer
is left intact undervc
field.The VC-JWT specification, which is a separate specification, also uses a very similar example where those fields are left intact under
vc
(Example 6 in the specification):Which decodes to:
Failure Information
N/A
Steps to Reproduce
As above. This is more of a standards vs implementation point, for anything that does create credential.
Environment Details
N/A - affects all situations and is not environment dependent.
Discussion
iss
,nbf
etc should be duplicated, but this implementation deviates from that. Which one is correct?The text was updated successfully, but these errors were encountered: