baseid-oid4vp

The OID4VP crate implements the OpenID for Verifiable Presentations specification, supporting both DIF Presentation Exchange and DCQL as query mechanisms for credential presentation.

Key Features

Authorization requests — builds and parses OID4VP authorization requests with direct_post, direct_post.jwt, fragment, and dc_api response modes
Presentation Exchange — full PresentationDefinition / InputDescriptor / Constraints model with JSON Schema field filters and limit_disclosure
DCQL queries — Digital Credentials Query Language support for multi-format credential requests, credential sets, claim sets, value matching, and trusted authorities
Verifier flow — Oid4vpVerifier creates requests and validates responses (definition_id and state matching)
Wallet flow — Oid4vpWallet parses requests, builds responses with PresentationSubmission, and submits via direct_post
Client ID schemes — typed ClientIdScheme enum supporting redirect_uri, decentralized_identifier, x509_san_dns, and pre-registered

Quick Start

use baseid_oid4vp::verifier::Oid4vpVerifier;
use baseid_oid4vp::definition::{
    PresentationDefinition, InputDescriptor, Constraints, Field,
};

// Verifier creates an authorization request
let verifier = Oid4vpVerifier {
    client_id: "did:web:verifier.example.com".to_string(),
    response_uri: "https://verifier.example.com/response".to_string(),
};

let definition = PresentationDefinition {
    id: "pd-1".to_string(),
    name: Some("Age Verification".to_string()),
    purpose: Some("Verify age >= 18".to_string()),
    input_descriptors: vec![InputDescriptor {
        id: "id-card".to_string(),
        name: Some("ID Card".to_string()),
        purpose: None,
        constraints: Constraints {
            fields: vec![Field {
                path: vec!["$.credentialSubject.dateOfBirth".to_string()],
                filter: None,
            }],
            limit_disclosure: None,
        },
        format: None,
    }],
};

let request = verifier.create_request(definition, "nonce-abc");
// request.response_type == "vp_token"
// request.response_mode == Some("direct_post")

Wallet-Side Flow

use baseid_oid4vp::wallet::Oid4vpWallet;
use baseid_oid4vp::response::DescriptorMap;

let wallet = Oid4vpWallet::new(&http_client);

// 1. Parse the authorization request
let request = wallet.parse_request(&request_json)?;

// 2. Build a response with matched credentials
let vp_token = serde_json::json!({"type": "VerifiablePresentation"});
let descriptor_map = vec![DescriptorMap {
    id: "id-card".to_string(),
    format: "jwt_vp".to_string(),
    path: "$".to_string(),
    path_nested: None,
}];
let response = wallet.build_response(&request, vp_token, descriptor_map);

// 3. Submit via direct_post
wallet.submit_response(response_uri, &response).await?;

DCQL Queries

DCQL is the primary query mechanism in OID4VP 1.0, supporting rich multi-format requests:

use baseid_oid4vp::DcqlQuery;

let query: DcqlQuery = serde_json::from_value(serde_json::json!({
    "credentials": [{
        "id": "my_credential",
        "format": "dc+sd-jwt",
        "meta": {
            "vct_values": ["https://credentials.example.com/identity_credential"]
        },
        "claims": [
            {"path": ["family_name"]},
            {"path": ["given_name"]},
            {"path": ["address", "street_address"]}
        ]
    }]
}))?;

Key Types

Type	Description
`AuthorizationRequest`	OID4VP request with response_type, client_id, nonce, and query
`AuthorizationResponse`	VP token + presentation submission + optional state
`PresentationDefinition`	DIF Presentation Exchange definition with input descriptors
`InputDescriptor`	Single credential requirement with constraints and format
`DcqlQuery`	DCQL query with credentials, credential sets, and claim sets
`DcqlCredential`	Single credential request with format, meta, claims, and trusted authorities
`Oid4vpVerifier`	Verifier-side: creates requests and validates responses
`Oid4vpWallet`	Wallet-side: parses requests, builds and submits responses
`ClientIdScheme`	Typed enum for client_id scheme parsing
`VpToken`	VP token wrapper supporting both single (PE) and map (DCQL) formats

baseid-oid4vci — credential issuance protocol (complementary to presentation)
baseid-verifier-core — higher-level verifier that builds OID4VP requests and runs verification pipelines
baseid-wallet-core — wallet orchestration layer that uses OID4VP for credential presentation
baseid-haip — HAIP profile constraints for OID4VP response modes and client ID schemes