Reaction on less credentials than requested in DCP Presentation Request #5374
Unanswered
lgblaumeiser
asked this question in
Q&A
Thanks for raising - perhaps this check was motivated by point 1 in the Presentation Validation section of the protocol. If that's the case, I think the interpretation is too narrow. If the The check also assumes that a scope maps to a VC, where DCP says that a scope is an alias for a VP.
Hello,
@arnoweiss has raised an issue in the Eclipse Tractus-X EDC repository: eclipse-tractusx/tractusx-edc#2244. It is about the issue that, if the connector requests a verifiable presentation for, e.g., three credentials with a DCP Presentation Request but only receives a VP with one credential, a check in the Identity and Trust Service returns a 401, indicating an error with "Unauthorized: Number of requested credentials does not match the number of returned credentials". See
Connector/extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/service/IdentityAndTrustService.java,
line 189 in 577e5df.
Especially for a Catalog Request, where typically a Default Scope is used for the request which has a default configuration typically used, this can lead to situations in which the consumer might have fewer credentials than the Default Scope implies.
What I would like to discuss is whether this check is really necessary, as missing VCs only become an issue if they are required in an access policy for a contract definition. But this should be detected in the evaluation of the policy anyway and should lead to a catalog that does not contain a dataset for that contract definition. And if the VC is not needed in any policy, no harm is done by it not being presented in the first place. Or am I overlooking something here?
For the other DSP messages, I would assume that a consumer would not even start a negotiation if it cannot provide all relevant VCs, or that a provider again would find out easily during the usage policy evaluation that not all conditions can be fulfilled and the contract negotiation is aborted; again, no harm is done.
So my basic question is: could this check be removed, so that the handling of missing VCs is done more gracefully and with more concrete feedback on the issue, instead of the quite general reply that the numbers are not matching?
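The trade-off raised in this thread, as an added Java example (not code from EDC or Tractus-X): a count-based check rejects the whole request, while per-policy evaluation hides only the datasets whose access policy needs a credential that was not presented, and names what is missing. All class, method, dataset and credential names are constructed, and the sketch assumes for simplicity that each requested scope corresponds to one credential type.

```java
import java.util.*;

public class PresentationCheckDemo {
    // Count-based check as described in the post: any shortfall is a blanket 401.
    static Optional<String> countCheck(List<String> requested, List<String> presented) {
        return requested.size() == presented.size()
                ? Optional.empty()
                : Optional.of("401 Unauthorized: Number of requested credentials "
                        + "does not match the number of returned credentials");
    }

    // Policy-driven check (hypothetical): reject only when a policy requires
    // a credential type that is absent, and report which one.
    static Optional<String> policyCheck(Set<String> required, List<String> presented) {
        Set<String> missing = new TreeSet<>(required);
        missing.removeAll(presented);
        return missing.isEmpty()
                ? Optional.empty()
                : Optional.of("hidden, missing credential type(s) " + missing);
    }

    public static void main(String[] args) {
        // Constructed sample: default scope asks for three types, consumer holds one.
        List<String> requested = List.of("CredentialA", "CredentialB", "CredentialC");
        List<String> presented = List.of("CredentialA");

        // Constructed access policies: dataset id -> credential types it requires.
        Map<String, Set<String>> policies = new LinkedHashMap<>();
        policies.put("dataset-open", Set.of());
        policies.put("dataset-a", Set.of("CredentialA"));
        policies.put("dataset-bc", Set.of("CredentialB", "CredentialC"));

        System.out.println("count check: "
                + countCheck(requested, presented).orElse("accepted"));
        policies.forEach((id, required) -> System.out.println(
                id + ": " + policyCheck(required, presented).orElse("visible")));
    }
}
```

The policy check here only tests for the presence of a credential type; signature, issuer and revocation validation of each presented credential still has to succeed before policy evaluation.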