
feat(openid4vp): add transaction_data support across wallet, verifier2, and shared libraries #1656

Open

szijpeter wants to merge 64 commits into walt-id:main from szijpeter:publish/transaction-data-support


@szijpeter szijpeter commented Apr 13, 2026

Summary

This PR adds transaction_data support for OpenID4VP flows by extending shared openid4vp-* libraries and wiring behavior through wallet + verifier2 + verifier portal flow.

Why

This implements the remaining part of transaction-data support tracked in issue #1583, following the policy-based, format-specific direction discussed there.

What this PR changes

  • Shared OpenID4VP layer:
    • transaction-data decoding/validation
    • hashing/selection helpers
    • mdoc transaction-data key/index convention helpers
  • Wallet flow:
    • transaction-data-aware request handling and presentation behavior
    • format-specific binding for dc+sd-jwt and mso_mdoc
  • Verifier2 flow:
    • request transaction-data stored/propagated through verification session
    • format-specific VP policy execution for transaction-data checks
  • Portal flow:
    • transaction-data-oriented verifier UI path for demo use case

Format scope

Implemented for the formats with concrete standards-backed transaction binding in this repo:

  • dc+sd-jwt
  • mso_mdoc

Known limitations

  • Request-side transaction_data validation currently requires credential queries to use a supported transaction-data profile in this implementation (dc+sd-jwt, mso_mdoc); jwt_vc_json is rejected by design in this path.
  • Transaction data support is currently exposed only for SD-JWT + IETF SD-JWT VC (mapped to dc+sd-jwt); mdoc transaction flow is not yet selectable from that page.
  • In current verifier2 flow, mso_mdoc / device-auth signature verification may fail in specific end-to-end paths.
  • request_uri_method=post is not universally supported across all verifier integrations.

Recordings

transaction_data_demo.mov

Scope boundary

  • In scope: transaction_data implementation and wiring.
  • Out of scope: broader verifier2 compatibility hardening outside transaction-data semantics.

References

Note

Builds upon #1655

fix(wallet-api): remove core-wallet classpath collision
… deep-link bootstrap

Both demo and dev wallet presentation-init pages currently do encodeURI(decodeURI(fixRequest(...))) before base64url-wrapping the request.

This is unsafe for already URL-encoded OpenID4VP query payloads (dcql_query/request object parameters): decode+re-encode can alter percent-encoded content and change request semantics, which can surface as failed credential matching for otherwise valid requests.

In this flow the input already comes from window.location.search (encoded query string), and we immediately pass the normalized request through encodeRequest() (base64url). Additional URI normalization is redundant and introduces risk.

Change made (consistently in both apps):

- replace encodeURI(decodeURI(fixRequest('openid://' + window.location.search)))

- with fixRequest('openid://' + window.location.search)

Files:

- waltid-demo-wallet src/pages/api/siop/initiatePresentation.vue

- waltid-dev-wallet  src/pages/api/siop/initiatePresentation.vue

Scope intentionally minimal: no wallet-api/protocol behavior changes, only safer request forwarding from web wallet entrypoint.
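
The failure mode described in the commit message above, reproduced as an added example (not code from this PR): an already-encoded `dcql_query` is passed through `encodeURI(decodeURI(...))` and then decoded once by the receiver. The query string, `verifier.example`, `issuer.example` and the helper names are constructed for illustration; the project's `fixRequest()` is not modelled.

```javascript
// Constructed sample: a DCQL query as a verifier would URL-encode it into the
// authorization request. Host names and the vct value are placeholders.
const dcql = {
  credentials: [{
    id: "pid",
    format: "dc+sd-jwt",
    meta: { vct_values: ["https://issuer.example/identity_credential"] },
  }],
};
const search = "?client_id=verifier.example&dcql_query=" +
  encodeURIComponent(JSON.stringify(dcql));

// The normalisation the commit removes. decodeURI leaves escapes of reserved
// characters (%3A, %2C, %2B, %2F ...) untouched; encodeURI then escapes their
// "%" again, so those sequences come out double-encoded (%253A, %252C ...).
function roundTrip(s) {
  return encodeURI(decodeURI(s));
}

// What the receiving side does: decode the parameter once and parse the JSON.
function readDcql(s) {
  const raw = new URLSearchParams(s).get("dcql_query");
  try {
    return { ok: true, value: JSON.parse(raw) };
  } catch (e) {
    return { ok: false, raw };
  }
}

// Distinct escapes after the round trip whose "%" was itself escaped.
function doubleEncoded(s) {
  return [...new Set(roundTrip(s).match(/%25[0-9A-Fa-f]{2}/g) || [])];
}

const before = readDcql(search);            // parses, format is "dc+sd-jwt"
const after = readDcql(roundTrip(search));  // no longer valid JSON
console.log(before.ok, after.ok, doubleEncoded(search));
```

Forwarding `window.location.search` unchanged, as the commit does, keeps the receiver's single decode aligned with the sender's single encode.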
…o dc+sd-jwt query

The verifier2 transaction demo credential query for dc+sd-jwt previously filtered only by vct_values=[<issuer>/identity_credential].

In OSS local flows, issuer-api commonly issues draft13 IdentityCredential VCTs (<issuer>/draft13/IdentityCredential). With the strict single-value filter, wallets can hold a valid sd-jwt credential yet still show 'no matching credentials' during transaction verification.

Update buildCredentialQuery() to advertise both recognized VCT identifiers:

- <issuer>/identity_credential

- <issuer>/draft13/IdentityCredential

This keeps matching strict enough to avoid unrelated credentials while restoring interoperability across the current issuer configurations used by the portal transaction flow.

Scope intentionally minimal: no changes to wallet-api matching semantics or verifier2 policy logic; only the portal request filter metadata is adjusted.
* feat(portal): merge transaction demo into main verification flow

* refactor(portal): align verifier2 success view with legacy layout

* feat(portal): surface transaction-data policy results on success page

* fix(portal): tighten transaction-data UX and preserve success-session credential snapshots

* replace icons

* stop polling after cancel

* remove router

* fix(portal): remove credential cache and tighten tx verification flow

* fix(portal): guard tx input params and harden verifier2 polling

coderabbitai bot commented Apr 13, 2026

Warning

Rate limit exceeded

@szijpeter has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 36 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 50 minutes and 36 seconds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bba408a9-47af-48e3-a160-a2713a146a1f

📥 Commits

Reviewing files that changed from the base of the PR and between 3a0ab00 and 566d7a4.

📒 Files selected for processing (68)
  • docker-compose/docker-compose.yaml
  • docker-compose/verifier-api2/config/verifier-service.conf
  • helm-charts/portal/templates/configmap.yaml
  • helm-charts/portal/values.yaml
  • waltid-applications/waltid-web-portal/.env.example
  • waltid-applications/waltid-web-portal/components/sections/VerificationSection.tsx
  • waltid-applications/waltid-web-portal/next.config.js
  • waltid-applications/waltid-web-portal/pages/api/env.ts
  • waltid-applications/waltid-web-portal/pages/success/[sessionId].tsx
  • waltid-applications/waltid-web-portal/pages/verify/index.tsx
  • waltid-applications/waltid-web-portal/utils/transactionData.ts
  • waltid-applications/waltid-web-wallet/apps/waltid-demo-wallet/src/components/CredentialDisclosure.vue
  • waltid-applications/waltid-web-wallet/apps/waltid-demo-wallet/src/pages/api/siop/initiatePresentation.vue
  • waltid-applications/waltid-web-wallet/apps/waltid-demo-wallet/src/pages/wallet/[wallet]/exchange/presentation.vue
  • waltid-applications/waltid-web-wallet/apps/waltid-dev-wallet/src/pages/api/siop/initiatePresentation.vue
  • waltid-applications/waltid-web-wallet/apps/waltid-dev-wallet/src/pages/wallet/[wallet]/exchange/presentation.vue
  • waltid-applications/waltid-web-wallet/libs/composables/presentation.ts
  • waltid-applications/waltid-web-wallet/libs/utils/jwt.ts
  • waltid-libraries/credentials/waltid-digital-credentials/src/commonMain/kotlin/id/walt/credentials/presentations/PresentationValidationExceptions.kt
  • waltid-libraries/credentials/waltid-digital-credentials/src/commonMain/kotlin/id/walt/credentials/presentations/formats/DcSdJwtPresentation.kt
  • waltid-libraries/credentials/waltid-digital-credentials/src/jvmTest/kotlin/id/walt/credentials/PresentationTest.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/commonMain/kotlin/id/walt/policies2/vp/policies/VPVerificationContext.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/commonMain/kotlin/id/walt/policies2/vp/policies/VPVerificationPolicyManager.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/commonMain/kotlin/id/walt/policies2/vp/policies/dc_sd_jwt/TransactionDataHashCheckSdJwtVPPolicy.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/commonMain/kotlin/id/walt/policies2/vp/policies/mso_mdoc/TransactionDataMdocVpPolicy.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/jvmTest/kotlin/id/walt/policies2/vp/policies/dc_sd_jwt/TransactionDataHashCheckSdJwtVPPolicyTest.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/jvmTest/kotlin/id/walt/policies2/vp/policies/mso_mdoc/IssuerSignedDataMdocVpPolicyTest.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/jvmTest/kotlin/id/walt/policies2/vp/policies/mso_mdoc/TransactionDataMdocVpPolicyTest.kt
  • waltid-libraries/credentials/waltid-verification-policies2-vp/src/jvmTest/resources/fixtures/dc_sd_jwt/presentation.jwt
  • waltid-libraries/protocols/waltid-openid4vp-verifier/README.md
  • waltid-libraries/protocols/waltid-openid4vp-verifier/src/commonMain/kotlin/id/walt/verifier2/handlers/vpresponse/Verifier2SessionPresentationValidation.kt
  • waltid-libraries/protocols/waltid-openid4vp-verifier/src/commonMain/kotlin/id/walt/verifier2/verification2/PresentationVerificationEngine.kt
  • waltid-libraries/protocols/waltid-openid4vp-verifier/src/jvmMain/kotlin/id/walt/verifier2/handlers/sessioncreation/VerificationSessionCreator.kt
  • waltid-libraries/protocols/waltid-openid4vp-wallet/src/commonMain/kotlin/id/waltid/openid4vp/wallet/WalletPresentFunctionality2.kt
  • waltid-libraries/protocols/waltid-openid4vp-wallet/src/commonMain/kotlin/id/waltid/openid4vp/wallet/presentation/MdocPresenter.kt
  • waltid-libraries/protocols/waltid-openid4vp-wallet/src/commonMain/kotlin/id/waltid/openid4vp/wallet/presentation/SdJwtVcPresenter.kt
  • waltid-libraries/protocols/waltid-openid4vp-wallet/src/commonMain/kotlin/id/waltid/openid4vp/wallet/presentation/W3CPresenter.kt
  • waltid-libraries/protocols/waltid-openid4vp-wallet/src/commonMain/kotlin/id/waltid/openid4vp/wallet/request/AuthorizationRequestParameterCodec.kt
  • waltid-libraries/protocols/waltid-openid4vp-wallet/src/commonMain/kotlin/id/waltid/openid4vp/wallet/request/AuthorizationRequestResolver.kt
  • waltid-libraries/protocols/waltid-openid4vp-wallet/src/commonMain/kotlin/id/waltid/openid4vp/wallet/request/ResolvedAuthorizationRequest.kt
  • waltid-libraries/protocols/waltid-openid4vp/README.md
  • waltid-libraries/protocols/waltid-openid4vp/build.gradle.kts
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/models/authorization/TransactionDataItem.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/transactiondata/MdocTransactionDataConvention.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataConstants.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataDecoding.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataHashing.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataRequestValidator.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataSelection.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonMain/kotlin/id/walt/verifier/openid/transactiondata/readme.md
  • waltid-libraries/protocols/waltid-openid4vp/src/commonTest/kotlin/id/walt/verifier/openid/transactiondata/MdocTransactionDataConventionTest.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonTest/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataHashingTest.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonTest/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataRequestValidatorTest.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonTest/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataSelectionTest.kt
  • waltid-libraries/protocols/waltid-openid4vp/src/commonTest/kotlin/id/walt/verifier/openid/transactiondata/TransactionDataTestFixtures.kt
  • waltid-services/waltid-issuer-api/src/main/kotlin/id/walt/issuer/issuance/CIProvider.kt
  • waltid-services/waltid-verifier-api2/src/test/kotlin/id/walt/verifier2/mdocs/PidBirthDateIssuerSignedIntegrityReproTest.kt
  • waltid-services/waltid-wallet-api/README.md
  • waltid-services/waltid-wallet-api/build.gradle.kts
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/service/SSIKit2WalletService.kt
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/service/WalletService.kt
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/service/exchange/OpenId4VpPresentationService.kt
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/usecase/event/EventLogUseCase.kt
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/utils/UuidSerializer.kt
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/web/controllers/auth/AuthController.kt
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/web/controllers/exchange/ExchangeController.kt
  • waltid-services/waltid-wallet-api/src/main/kotlin/id/walt/webwallet/web/controllers/exchange/openapi/ExchangeDocs.kt
  • waltid-services/waltid-wallet-api/src/test/kotlin/id/walt/webwallet/service/exchange/OpenId4VpPresentationServiceTest.kt

@szijpeter szijpeter marked this pull request as ready for review April 13, 2026 12:55