Handling credential issuance edge cases #163

@patatoid

Describe the bug
Going through testing, I discovered malformed responses at credential issuance. None of these is urgent, but they should be addressed to avoid impairments.

Providing a valid access token and DPoP to the credential endpoint returns a bad response with the following payloads.

  • returns an error
{ proofs: null }
---
{ proofs: {} }
---
{ proofs: { jwt: null } }
---
{ proofs: { jwt: [] } }
---
{ proofs: { jwt: [null] } }
---
{ proofs: { jwt: [''] } }
---
{ proof: { jwt: [{ proof_type: 'attestation' }] } }
---
  • returns an empty 200 OK
{ proofs: { jwt: [Buffer.from('test').toString('base64url')] } }
---
{ proofs: { jwt: [Buffer.from('{}').toString('base64url')] } }
---
{ proofs: { jwt: [ Buffer.from('{}').toString('base64url') + '.' + Buffer.from('{"nonce": "test"}').toString('base64url'), ] } }
---
{ proofs: { jwt: [ Buffer.from('{"alg": "ES256"}').toString('base64url') + '.' + Buffer.from('{"nonce": "test"}').toString('base64url'), ] } }
---
{ proofs: { jwt: [ Buffer.from('{"alg": "ES256"}').toString('base64url') + '.' + Buffer.from(`{"nonce": "${valid_c_nonce}"}`).toString('base64url'), ] } }
--- without vct
{ proofs: { jwt: [valid_proof] } }

To Reproduce
Create a valid access token by inspecting the requests while navigating with the UI, and a DPoP, which is definitely trickier to craft (I disabled it to perform the test). Then execute a request with the different payloads; you can do that with cURL, for example:

curl -H 'Authorization: DPoP <access token>' http://localhost:8003/openid4vci/credential -X 

Expected behavior
The server responds with a 400 Bad Request and the body

{
  "error": "<message>"
}

Screenshots

  • Example of error
 ~> curl -H 'Authorization: DPoP b8a7c71a859a1dd75cc7104387acecd4' http://localhost:8003/openid4vci/credential -X 'POST' -vvv
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:8003...
* Connected to localhost (127.0.0.1) port 8003 (#0)
> POST /openid4vci/credential HTTP/1.1
> Host: localhost:8003
> User-Agent: curl/7.88.1
> Accept: */*
> Authorization: DPoP b8a7c71a859a1dd75cc7104387acecd4
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server
