fix: ClaimsExtractor DCQL response type to map[string][]string#387
Merged
masv3971 merged 2 commits intoMay 18, 2026
Merged
Conversation
OID4VP §6.3 DCQL vp_token values are arrays of presentations, not single strings. The extractClaimsFromDCQLResponse function used map[string]string which caused json.Unmarshal to fail with: cannot unmarshal array into Go value of type string Change dcqlResponse to map[string][]string and iterate over all tokens per credential query ID. Add empty-array guard and tests. Fixes the claims extraction path used by OIDC and OpenID4VP direct-post handlers that pass raw DCQL JSON to ExtractClaimsFromVPToken.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes DCQL vp_token claim extraction to support the spec-compliant JSON shape where each credential query ID maps to an array of one or more VP tokens, avoiding json.Unmarshal failures when wallets return arrays.
Changes:
- Change DCQL response parsing from
map[string]stringtomap[string][]string. - Iterate over all VP tokens per credential query ID and guard against empty arrays.
- Add unit tests validating acceptance of the array format and rejection of invalid/empty DCQL payloads.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/openid4vp/claims_extractor.go | Updates DCQL vp_token unmarshalling to map[string][]string and processes multiple tokens per credential query ID. |
| pkg/openid4vp/claims_extractor_test.go | Adds tests covering DCQL array parsing, rejection of old/non-array values, and empty payload guards. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Update doc comment to accurately describe array structure per OID4VP §6.3 - Improve error message to specify expected map[string][]string type - Sort credential query IDs before merging for deterministic output
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ClaimsExtractor.extractClaimsFromDCQLResponseusesmap[string]stringto unmarshal the DCQLvp_tokenJSON, but OID4VP §6.3 requires values to be arrays of presentations (map[string][]string). When a spec-compliant wallet sends array values,json.Unmarshalfails with:Changes
dcqlResponsefrommap[string]stringtomap[string][]stringAffected code paths
The OIDC handler (
handler_oidc.go) and OpenID4VP direct-post handler (handler_openid4vp.go) both pass raw DCQL JSON toextractAndMapClaims→ExtractClaimsFromVPToken→extractClaimsFromDCQLResponse, hitting this bug.Companion to sirosfoundation#6 (targeting
release/sirosid/v0.5.0).