
Spike: Analyze and Fix Authorization Response Encryption for direct_post.jwt #2482

Description

@sanchi-singh24

Summary

Analyze and implement support for encrypted Verifiable Presentation (VP) authorization responses for OpenID4VP 1.0 conformance test suites when using:

  • response_mode=direct_post.jwt
  • response_mode=iar_post.jwt (PDI compatibility)

The current implementation generates VP responses that cannot be decrypted by the verifier, resulting in conformance test failures. The implementation must ensure that both successful and error authorization responses are encrypted according to the OpenID4VP specification whenever the selected response mode requires JWT-based encrypted responses.

Background

OpenID4VP 1.0 requires authorization responses delivered through JWT-based response modes such as direct_post.jwt to support encryption using the verifier's advertised encryption metadata and public keys.

Current testing indicates that VP responses are being encrypted incorrectly, causing verifier-side decryption failures.

Current Failure

No suitable key for decrypting this JWT was provided in the test configuration.

Current Behavior

  • VP response encryption is not interoperable with the verifier.
  • Generated JWE cannot be decrypted by the verifier.
  • Error responses are not consistently encrypted.
  • Conformance suite tests fail for encrypted response scenarios.

Expected Behavior

  • VP authorization responses should be encrypted using verifier-provided encryption metadata.
  • Generated JWE should be successfully decryptable by the verifier.
  • Both successful and error authorization responses should be encrypted when:
    • response_mode=direct_post.jwt
    • response_mode=iar_post.jwt

Objectives

Analyze OpenID4VP Authorization Response Encryption

Investigate and document:

  1. OpenID4VP 1.0 requirements for authorization response encryption.
  2. direct_post.jwt response mode requirements.
  3. iar_post.jwt response mode requirements.
  4. Verifier metadata used for encryption.
  5. JWE generation requirements.
  6. Key selection and JWKS handling.
  7. Encryption requirements for both success and error responses.

Scope of Analysis

1. Verifier Metadata Processing

Analyze support for verifier metadata fields:

{
  "authorization_encrypted_response_alg": "...",
  "authorization_encrypted_response_enc": "...",
  "jwks": {}
}

Verify:

  • Metadata parsing
  • Metadata storage
  • Metadata propagation through authorization response generation flow
  • Public key discovery from verifier JWKS
  • Algorithm negotiation

2. JWE Generation Flow

Review implementation for:

  • Recipient key selection
  • JWE header generation
  • alg handling
  • enc handling
  • kid selection
  • JWT payload encryption

Validate compliance with:

  • OpenID4VP 1.0
  • OAuth JWT Authorization Response Mode specifications
  • Existing conformance suite expectations

3. Success Response Encryption

Analyze encryption flow for successful VP submissions.

Example payload:

{
  "vp_token": "...",
  "presentation_submission": {}
}

Verify:

  • Payload generation
  • Encryption application
  • JWE serialization
  • Transmission to verifier

4. Error Response Encryption

Analyze encryption flow for authorization errors.

Example payload:

{
  "error": "access_denied"
}

Verify:

  • Error payload generation
  • Encryption requirements
  • JWE serialization
  • Compliance with specification

5. JWKS and Key Resolution

Investigate:

  • Verifier JWKS retrieval
  • Public key extraction
  • Key matching logic
  • Key selection criteria

Validate support for:

  • kid
  • alg
  • use
  • key_ops

Ensure selected encryption key matches verifier expectations.
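As an added illustration of the key-resolution and JWE-header checks called for in sections 2 and 5 (this is example code, not the project's implementation), the snippet below filters a verifier's JWKS by `use`, `key_ops`, `alg` and key type against the negotiated `authorization_encrypted_response_alg`, and builds the protected header the verifier needs to locate its private key. The verifier metadata and JWK values are constructed placeholders; the same header and key path applies to the `{"error": ...}` payload as to the `vp_token` payload.

```python
"""Recipient-key selection and JWE protected-header construction for the
direct_post.jwt / iar_post.jwt response modes (added example, constructed data)."""
from typing import Optional

ENCRYPTED_RESPONSE_MODES = {"direct_post.jwt", "iar_post.jwt"}

# Constructed verifier metadata: one signing key, one RSA encryption key bound to a
# different alg, and one EC key that matches ECDH-ES. Coordinates are placeholders.
VERIFIER_METADATA = {
    "authorization_encrypted_response_alg": "ECDH-ES",
    "authorization_encrypted_response_enc": "A256GCM",
    "jwks": {"keys": [
        {"kid": "sig-1", "kty": "EC", "crv": "P-256", "use": "sig", "x": "..", "y": ".."},
        {"kid": "enc-rsa", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP-256", "n": "..", "e": "AQAB"},
        {"kid": "enc-1", "kty": "EC", "crv": "P-256", "use": "enc",
         "key_ops": ["deriveKey"], "x": "..", "y": ".."},
    ]},
}

def requires_encryption(response_mode: str) -> bool:
    """Success and error responses alike are encrypted for the JWT response modes."""
    return response_mode in ENCRYPTED_RESPONSE_MODES

def key_usable_for(jwk: dict, alg: str) -> bool:
    """Reject keys whose use, key_ops, alg or key type rule them out for `alg`."""
    if jwk.get("use") not in (None, "enc"):
        return False
    ops = jwk.get("key_ops")
    if ops is not None and not {"encrypt", "wrapKey", "deriveKey"} & set(ops):
        return False
    if "alg" in jwk and jwk["alg"] != alg:
        return False
    if alg.startswith("ECDH-ES"):
        return jwk.get("kty") == "EC"
    if alg.startswith("RSA"):
        return jwk.get("kty") == "RSA"
    return False  # unsupported key-management alg for this example

def select_recipient_key(metadata: dict) -> Optional[dict]:
    """First JWK in the verifier's JWKS that can receive the negotiated alg."""
    alg = metadata["authorization_encrypted_response_alg"]
    for jwk in metadata.get("jwks", {}).get("keys", []):
        if key_usable_for(jwk, alg):
            return jwk
    return None

def build_protected_header(metadata: dict, jwk: dict) -> dict:
    """alg/enc come from verifier metadata and kid from the chosen JWK; a header that
    omits or mismatches them is what the verifier reports as having no suitable key.
    The JWE library adds the ECDH-ES 'epk' header when it encrypts."""
    header = {"alg": metadata["authorization_encrypted_response_alg"],
              "enc": metadata["authorization_encrypted_response_enc"]}
    if "kid" in jwk:
        header["kid"] = jwk["kid"]
    return header
```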

6. Conformance Test Analysis

Identify and document failing scenarios related to:

  • direct_post.jwt
  • iar_post.jwt
  • Authorization response encryption
  • Error response encryption
  • JWE decryption failures
  • Verifier key selection failures

Capture expected behavior for each failing test case.

Technical Tasks

Task 1: Specification Review

  • Analyze OpenID4VP 1.0 authorization response encryption requirements.
  • Analyze OAuth JWT Authorization Response Mode requirements.
  • Analyze PDI-specific requirements for iar_post.jwt.
  • Document implementation expectations and gaps.

Task 2: Metadata Handling Validation

  • Verify parsing of:
    • authorization_encrypted_response_alg
    • authorization_encrypted_response_enc
    • verifier JWKS metadata
  • Validate metadata availability throughout VP response generation.

Task 3: Encryption Flow Review

  • Review current JWE generation logic.
  • Verify recipient key selection.
  • Verify encryption algorithm selection.
  • Verify JWE header construction.
  • Verify payload encryption process.

Task 4: Error Response Encryption Support

  • Review current error response handling.
  • Implement encryption for error responses where required.
  • Ensure parity with successful response encryption flow.

Task 5: Key Resolution Validation

  • Validate verifier key discovery.
  • Verify JWKS processing.
  • Verify kid matching.
  • Verify compatibility with conformance suite verifier configurations.

Task 6: Conformance Testing

  • Execute OpenID4VP conformance suite tests.
  • Validate successful verifier-side decryption.
  • Document results and evidence.

Acceptance Criteria

  • VP authorization responses generated using direct_post.jwt are successfully decrypted by the verifier.
  • VP authorization responses generated using iar_post.jwt are successfully decrypted by the verifier.
  • Success responses are encrypted when required by verifier metadata.
  • Error responses are encrypted when required by verifier metadata.
  • Correct verifier encryption keys are selected from JWKS.
  • JWE headers contain the expected encryption metadata.
  • Encryption algorithms match verifier-supported values.

Conformance

Deliverables

  1. Gap analysis between current implementation and specification requirements.

Labels: enhancement (New feature or request), triage (This issue is pending confirmation and planning and should not be worked on yet)
