support returning multiple presentations for a single dcql credential query when requested using multiple (#398)

charsleysa · web-flow · commit 4a6aaa9273cd · 2025-02-27T02:15:16.000-08:00
6 approvals. open for more than a week.
diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md
@@ -669,8 +669,8 @@ unknown properties.
 
 ## Credential Query {#credential_query}
 
-A Credential Query is an object representing a request for a presentation of one
-Credential.
+A Credential Query is an object representing a request for a presentation of one or more matching
+Credentials.
 
 Each entry in `credentials` MUST be an object with the following properties:
 
@@ -686,6 +686,9 @@ be present more than once.
 Verifiable Credential. Valid Credential Format Identifier values are defined in
 (#format_specific_parameters).
 
+`multiple`:
+: OPTIONAL. A boolean which indicates whether multiple Credentials can be returned for this Credential Query. If omitted, the default value is `false`.
+
 `meta`: 
 : OPTIONAL. An object defining additional properties requested by the Verifier that
 apply to the metadata and validity data of the Credential. The properties of
@@ -985,7 +988,7 @@ When a VP Token is returned, the respective response includes the following para
 
 `vp_token`:
 : REQUIRED. The structure of this parameter depends on the query language used to request the presentations in the Authorization Request:
- * If DCQL was used, this is a JSON-encoded object; the keys are the `id` values used for the Credential Queries in the DCQL query, and the values are the Verifiable Presentations that match the respective Credential Query. The Verifiable Presentations are represented as strings or objects depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Verifiable Presentations.
+ * If DCQL was used, this is a JSON-encoded object containing entries where: the key is the `id` value used for a Credential Query in the DCQL query; and the value is an array of one or more Verifiable Presentations that match the respective Credential Query. When `multiple` is  omitted, or set to `false`, the array MUST contain only one Verifiable Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Verifiable Presentation is represented as a string or object, depending on the format as defined in (#format_specific_parameters). The same rules as above apply for encoding the Verifiable Presentations.
  * In case [@!DIF.PresentationExchange] was used, it is a string or JSON object that MUST contain a single Verifiable Presentation or an array of strings and JSON objects each of them containing a Verifiable Presentation. Each Verifiable Presentation MUST be represented as a string (that is a base64url-encoded value) or a JSON object depending on a format as defined in (#format_specific_parameters).  When a single Verifiable Presentation is returned, the array syntax MUST NOT be used.  If (#format_specific_parameters) defines a rule for encoding the respective Credential format in the Credential Response, this rules MUST also be followed when encoding Credentials of this format in the `vp_token` response parameter. Otherwise, this specification does not require any additional encoding when a Credential format is already represented as a JSON object or a string.
 
 `presentation_submission`:
@@ -1019,7 +1022,17 @@ brevity):
 
 ```json
 {
-  "my_credential": "eyJhbGci...QMA"
+  "my_credential": ["eyJhbGci...QMA"]
+}
+```
+
+The following is a non-normative example of the contents of a VP Token
+containing multiple Verifiable Presentations in the SD-JWT VC format when the
+Credential Query has `multiple` set to `true` (shortened for brevity):
+
+```json
+{
+  "my_credential": ["eyJhbGci...QMA", "eyJhbGci...QMA", ...]
 }
 ```
 
@@ -2283,7 +2296,7 @@ An example DCQL query using the mdoc format is shown in (#more_dcql_query_exampl
 
 ```json
 {
-  "my_credential": "<base64url-encoded DeviceResponse>"
+  "my_credential": ["<base64url-encoded DeviceResponse>"]
 }
 ```
 
@@ -2823,6 +2836,7 @@ The technology described in this specification was made available from contribut
    * add language on client ID and nonce binding for ISO mdocs and W3C VCs
    * clarify the behavior is not to sign when authorization_signed_response_alg is omitted
    * add a note on the use of apu/apv in the JWE header of encrypted responses
+   * support returning multiple presentations for a single dcql credential query when requested using `multiple`
 
    -24
 
