Skip to content

Add a security consideration not to use VP Token as Access Token. #702

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Sakurann merged 5 commits into from
Mar 12, 2026
+7 −1
Merged

Add a security consideration not to use VP Token as Access Token. #702

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2914b00
Add a security consideration not to use VP Token as Access Token.
Vanderkast Feb 25, 2026
458dcac
Add RFC6749 Resource Server term reference
Vanderkast Feb 26, 2026
54adfd6
Merge branch 'main' into vp-token-as-authz-material-security-consider…
Vanderkast Feb 26, 2026
22f430b
Update 1.1/openid-4-verifiable-presentations-1_1.md
Vanderkast Mar 9, 2026
a6970cb
* Remove Resource Server reference;
Vanderkast Mar 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion 1.1/openid-4-verifiable-presentations-1_1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1882,6 +1882,10 @@ Implementations of this specification MUST have security mechanisms in place to

Clients intending to authenticate the End-User utilizing a claim in a Credential MUST ensure this claim is stable for the End-User as well as locally unique and never reassigned within the Credential Issuer to another End-User. Such a claim MUST also only be used in combination with the Credential Issuer identifier to ensure global uniqueness and to prevent attacks where an attacker obtains the same claim from a different Credential Issuer and tries to impersonate the legitimate End-User.

## VP Token abuse {#vp-token-abuse}

Ecosystems MUST NOT use the VP Token as an Access Token. The way to produce Access Tokens based on Credential presentations is out of scope of this specification.

## Encrypting an Unsigned Response {#encrypting_unsigned_response}

Because an encrypted Authorization Response has no additional integrity protection, an attacker might be able to alter Authorization Response parameters and generate a new encrypted Authorization Response for the Verifier, as encryption is performed using the public key of the Verifier (which is likely to be widely known when not ephemeral to the request/response). Note this includes injecting a new VP Token. Since the contents of the VP Token are integrity protected, tampering with the VP Token is detectable by the Verifier. For details, see (#preventing-replay).
Expand Down Expand Up @@ -2544,6 +2548,7 @@ The following security considerations from OpenID4VP apply:

* Preventing Replay of Verifiable Presentations as described in (#preventing-replay), with the difference that the origin is used instead of the Client Identifier to bind the response to the Client.
* End-User Authentication using Credentials as described in (#end-user-authentication-using-credentials).
* VP Token abuse (#vp-token-abuse).
* Encrypting an Unsigned Response as described in (#encrypting_unsigned_response).
* TLS Requirements as described in (#tls-requirements).
* Always Use the Full Client Identifier as described in (#full-client-identifier) for signed requests.
Expand Down Expand Up @@ -3562,4 +3567,5 @@ The technology described in this specification was made available from contribut

-01

* Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used; e.g., it does not apply to JOSE HPKE
* Add security consideration not to use VP Token as Access Token
* Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used; e.g., it does not apply to JOSE HPKE