Seems like the Sphereon SSI Wallet is ignoring the `nonce` attribute when it is present inside the presentation request.
I would expect `nonce` to be added to the `vp_token` as per the OIDC4VP spec example or here.
Is it a bug, or are there any other reasons for such behaviour?
You are correct. The low-level SIOPv2/OID4VP library being used by the SSI-SDK is still version 11. In that version the nonce was bound to the ID-token, if memory serves me correctly. It isn't used in creating the VP. The SIOP library has options to pass in domain (client_id) and challenge (nonce) values. These are, however, not mapped onto client_id and nonce for JWT VPs currently. The change to make that work should be trivial, but I am a bit reluctant to do that given we will be refactoring the lib in the next few sprints anyway.
As mentioned, in the next few weeks we will be refactoring the SIOPv2/OID4VP lib to support the latest spec. This will also include some changes to the SDK and wallet.
Question I guess is, do you need it "now" or could you wait 4-5 weeks until the latest updates land in the wallet?
Hello,
I have also looked a bit into the SSI SDK to see if there is a way to provide one to the #createVerifiablePresentation function, but I just couldn't find it.
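Added example, not code from the Sphereon SDK or wallet: a verifier-side check that a JWT `vp_token` carries the `nonce` and `aud` (client_id) binding discussed in this thread, so a presentation without it is rejected as replayable. It assumes the JWT signature has already been verified elsewhere; the function names, the sample nonce and `https://verifier.example` are constructed for illustration.

```javascript
// Decode the payload of a compact JWT. No signature check happens here:
// this example assumes signature verification is done before this step.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (claims === null || typeof claims !== 'object') throw new Error('payload is not an object');
  return claims;
}

// expected = { nonce, clientId } comes from the verifier's own stored
// authorization request, never from the response being checked.
function checkVpBinding(vpJwt, expected) {
  let claims;
  try {
    claims = decodeJwtPayload(vpJwt);
  } catch (e) {
    return { ok: false, reason: 'malformed vp_token' };
  }
  if (typeof claims.nonce !== 'string') {
    return { ok: false, reason: 'nonce missing' };
  }
  if (claims.nonce !== expected.nonce) {
    return { ok: false, reason: 'nonce mismatch' };
  }
  // aud may be a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) {
    return { ok: false, reason: 'aud does not match client_id' };
  }
  return { ok: true, reason: 'bound to this request' };
}

// Constructed sample tokens with a placeholder signature (not real wallet output).
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'ES256', typ: 'JWT' })}.${enc(payload)}.c2ln`;
}

const request = { nonce: 'n-constructed-123', clientId: 'https://verifier.example' };
const vp = { type: ['VerifiablePresentation'], verifiableCredential: [] };
// The behaviour reported in this issue: a VP JWT with no nonce claim.
const unboundVp = makeSampleJwt({ iss: 'did:example:holder', vp });
// What the issue author expected: nonce and aud taken from the request.
const boundVp = makeSampleJwt({ iss: 'did:example:holder', nonce: request.nonce, aud: request.clientId, vp });

console.log(checkVpBinding(unboundVp, request)); // rejected: nonce missing
console.log(checkVpBinding(boundVp, request));   // accepted
```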