
OIDC4VP: Was 1:1 input_descriptor → VC descriptor_map mapping intended? Crash in case of wrong mapping. #1622

@KorbinianP


Describe the bug

After upgrading from walt.id 0.14 to 0.18, I observed a behavioral change in the OIDC4VP flow regarding how descriptor_map is built and interpreted.

Previously, I could request a presentation with an input descriptor that effectively matched 1–n credentials of the same type, e.g.:

verifier/openid4vc/verify

{
  "request_credentials": [
    { "format": "jwt_vc_json", "type": "VerifiableId" }
  ]
}

When I then called wallet-api/wallet/{wallet}/exchange/usePresentationRequest with the body

{
  "did": "did:jwk:...",
  "presentationRequest": "openid4vp://authorize?...",
  "selectedCredentials": [
    "urn:uuid:fb09ba3d-b73d-49ad-9d88-3d018878ea83",
    "urn:uuid:fb09ba3d-b73d-49ad-9d88-3d018878ea84"
  ]
}

and both were of type VerifiableId, it was working fine. Now it is crashing with an IndexOutOfBoundsException.

wallet-api logs:

java.lang.IndexOutOfBoundsException: Index 1 out of bounds for length 1
	at java.base/jdk.internal.util.Preconditions.outOfBounds(Unknown Source)
	at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Unknown Source)
	at java.base/jdk.internal.util.Preconditions.checkIndex(Unknown Source)
	at java.base/java.util.Objects.checkIndex(Unknown Source)
	at java.base/java.util.ArrayList.get(Unknown Source)
	at id.walt.webwallet.service.oidc4vc.TestCredentialWallet.buildDescriptorMappingJwtVP(TestCredentialWallet.kt:474)
	at id.walt.webwallet.service.oidc4vc.TestCredentialWallet$generatePresentationForVPToken$1.invokeSuspend(TestCredentialWallet.kt:362)
...

id = presentationDefinition?.inputDescriptors?.get(index)?.id ?: getDescriptorId(

Now I need to give at least the number of entries in the array request_credentials that I want to allow the user to present. More seems to be no issue.

It is unclear to me that the mapping has to be precise now. Is this enforced now due to the OIDC4VP spec?

What I clearly see as an issue is that if I am only allowed to present at most as many credentials as defined in the request_credentials array, the user can choose more and gets an error in the presentation, not telling the user what they did wrong.

To Reproduce

  • Create two or more credentials of type VerifiableId
  • Request the presentation with only one entry in the request_credentials array
{
  "request_credentials": [
    { "format": "jwt_vc_json", "type": "VerifiableId" }
  ]
}
  • Present two or more credentials
  • Experience the crash

Expected behavior

Either a 1:n mapping is allowed, or the user can only choose the requested amount of credentials.

Actual behavior

The user gets an IndexOutOfBoundsException in the wallet-api; the wallet GUI just says undefined.

Environment

  • os version: linux
  • docker version: 28.3.2
  • image tag: v0.18.0

Screenshots

Error Undefined Image

Additional context

None
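
The failure mode reported above and the two behaviours listed under "Expected behavior", as an added Kotlin example (not walt.id code and not part of the original report). The types, function names, the `allowMany` flag and the JSONPath strings are hypothetical stand-ins, and the sample data is constructed.

```kotlin
// Simplified stand-in types (hypothetical, not the walt.id classes).
data class InputDescriptor(val id: String, val format: String, val type: String)
data class Credential(val id: String, val format: String, val type: String)
data class DescriptorMapping(val id: String, val format: String, val path: String)

class UnmatchedCredentialException(message: String) : IllegalArgumentException(message)

// Positional lookup, mirroring the inputDescriptors.get(index) call quoted in the
// report: credential i is paired with descriptor i, so a second credential
// against a single descriptor throws IndexOutOfBoundsException.
fun mapByIndex(descriptors: List<InputDescriptor>, selected: List<Credential>) =
    selected.mapIndexed { i, c ->
        DescriptorMapping(descriptors[i].id, c.format, "\$.verifiableCredential[$i]")
    }

// Match each credential to a descriptor by format and type instead of by position.
// allowMany = true  -> 1:n, several credentials may reference the same descriptor id.
// allowMany = false -> each descriptor is satisfied once; extras fail with a clear message.
fun buildDescriptorMap(
    descriptors: List<InputDescriptor>,
    selected: List<Credential>,
    allowMany: Boolean,
): List<DescriptorMapping> {
    val used = mutableSetOf<String>()
    return selected.mapIndexed { i, c ->
        val match = descriptors.firstOrNull {
            it.format == c.format && it.type == c.type && (allowMany || it.id !in used)
        } ?: throw UnmatchedCredentialException(
            "Credential ${c.id} (${c.type}) has no free matching input descriptor; " +
                "${descriptors.size} descriptor(s) requested, ${selected.size} credential(s) selected"
        )
        used += match.id
        DescriptorMapping(match.id, c.format, "\$.verifiableCredential[$i]")
    }
}

fun main() {
    // Constructed sample modelled on the report: one descriptor, two VerifiableId credentials.
    val descriptors = listOf(InputDescriptor("VerifiableId", "jwt_vc_json", "VerifiableId"))
    val selected = listOf(
        Credential("urn:uuid:example-1", "jwt_vc_json", "VerifiableId"),
        Credential("urn:uuid:example-2", "jwt_vc_json", "VerifiableId"),
    )
    println(runCatching { mapByIndex(descriptors, selected) }.exceptionOrNull())
    println(buildDescriptorMap(descriptors, selected, allowMany = true))
    println(runCatching { buildDescriptorMap(descriptors, selected, allowMany = false) }
        .exceptionOrNull()?.message)
}
```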

Labels: bug (Something isn't working)
