SdJwt.Net.Oid4Vp 1.0.2

SdJwt.Net.Oid4Vp - OpenID for Verifiable Presentations

Implementation of OpenID4VP 1.0 specification for verifiable presentation verification. Provides complete protocol support with Presentation Exchange v2.1.1 integration and cross-device flow support.

Features

  • OID4VP 1.0 Final: Complete specification implementation
  • Presentation Exchange v2.1.1: Full DIF PE integration
  • Cross-Device Flow: QR code-based presentation flows
  • Complex Requirements: Multi-credential presentation support
  • Security Validation: Comprehensive validation with key binding

Installation

dotnet add package SdJwt.Net.Oid4Vp

Quick Start

Create Presentation Request

using SdJwt.Net.Oid4Vp.Models;
using SdJwt.Net.Oid4Vp.Verifier;

var presentationRequest = new AuthorizationRequest
{
    ClientId = "https://verifier.example.com",
    ResponseType = "vp_token",
    ResponseMode = "direct_post",
    ResponseUri = "https://verifier.example.com/presentations",
    Nonce = "presentation_nonce_123",
    PresentationDefinition = new PresentationDefinition
    {
        Id = "employment_verification",
        InputDescriptors = new[]
        {
            new InputDescriptor
            {
                Id = "employment_credential",
                Constraints = new Constraints
                {
                    Fields = new[]
                    {
                        new Field { Path = new[] { "$.position" } },
                        new Field { Path = new[] { "$.employment_type" } }
                    }
                }
            }
        }
    }
};

using SdJwt.Net.Oid4Vp.Verifier;

// Create validator with SD-JWT VC validation enabled (recommended)
var validator = new VpTokenValidator(
    keyProvider: async (jwtToken) => {
        // Resolve issuer's public key based on JWT header/payload.
        // GetIssuerPublicKeyAsync is an application-defined helper (not shown here).
        return await GetIssuerPublicKeyAsync(jwtToken.Issuer);
    },
    useSdJwtVcValidation: true); // Enables vct, iss, typ validation

// Use factory method for OID4VP-compliant options
var options = VpTokenValidationOptions.CreateForOid4Vp("https://verifier.example.com");

// Optional: Customize validation
options.ValidIssuers = new[] { "https://trusted-issuer.example.com" };
options.MaxKeyBindingAge = TimeSpan.FromMinutes(5); // Stricter than default

// Validate VP token
var result = await validator.ValidateAsync(
    vpTokenResponse,
    expectedNonce: "presentation_nonce_123",
    options);

if (result.IsValid)
{
    foreach (var tokenResult in result.ValidatedTokens)
    {
        var vctClaim = tokenResult.Claims["vct"];
        var issuer = tokenResult.Claims["iss"];
        // Use verified claims safely
    }
}
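
The Quick Start uses a literal nonce for brevity; replay protection depends on a fresh, unpredictable nonce per authorization request that is accepted only once. The following is an added example, not code from the package: `PresentationNonceStore` and the transaction id used to correlate request and response are hypothetical, and `RandomNumberGenerator.GetBytes` requires .NET 6 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Constructed usage: issue when building the request, consume when the response arrives.
var store = new PresentationNonceStore(TimeSpan.FromMinutes(5));
string nonce = store.Issue("txn-1");   // assign this to AuthorizationRequest.Nonce
Console.WriteLine($"nonce for request: {nonce}");

// On the direct_post callback: look up the nonce and pass it to ValidateAsync as expectedNonce.
if (store.TryConsume("txn-1", out string expectedNonce))
    Console.WriteLine($"validating against stored nonce ({expectedNonce.Length} chars)");

// A second response for the same transaction finds no entry and is rejected before validation.
if (!store.TryConsume("txn-1", out _))
    Console.WriteLine("rejected: nonce already used, unknown, or expired");

// Hypothetical helper, not part of SdJwt.Net.Oid4Vp.
sealed class PresentationNonceStore
{
    private readonly ConcurrentDictionary<string, (string Nonce, DateTimeOffset Expires)> _pending = new();
    private readonly TimeSpan _lifetime;

    public PresentationNonceStore(TimeSpan lifetime) => _lifetime = lifetime;

    public string Issue(string transactionId)
    {
        // 32 bytes from the OS CSPRNG, base64url-encoded without padding.
        string nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _pending[transactionId] = (nonce, DateTimeOffset.UtcNow + _lifetime);
        return nonce;
    }

    public bool TryConsume(string transactionId, out string nonce)
    {
        nonce = string.Empty;
        // TryRemove is atomic, so concurrent posts cannot both obtain the same nonce.
        if (!_pending.TryRemove(transactionId, out var entry)) return false;
        if (entry.Expires < DateTimeOffset.UtcNow) return false;
        nonce = entry.Nonce;
        return true;
    }
}
```

In a multi-instance deployment the in-memory dictionary would be replaced by a shared store with an atomic get-and-delete.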

Security Features

This library provides comprehensive security validation per OID4VP 1.0:

Nonce Validation (OID4VP Section 14.1)

// Nonce validation is AUTOMATIC when you provide expectedNonce
var result = await validator.ValidateAsync(response, expectedNonce, options);

// The validator ensures:
// - KB-JWT contains 'nonce' claim
// - Nonce matches the expected value from authorization request
// - Prevents replay attacks

Audience Validation (OID4VP Section 8.6)

// Enabled by default for security
var options = VpTokenValidationOptions.CreateForOid4Vp("https://verifier.example.com");

// The validator ensures:
// - KB-JWT 'aud' claim matches your client_id
// - Prevents token reuse across different verifiers
// - Can be customized or disabled if needed:
options.ValidateKeyBindingAudience = false; // Not recommended

Freshness Validation (OID4VP Section 14.1)

// Enabled by default to prevent replay attacks
var options = VpTokenValidationOptions.CreateForOid4Vp("https://verifier.example.com");
options.MaxKeyBindingAge = TimeSpan.FromMinutes(10); // Default

// The validator ensures:
// - KB-JWT 'iat' claim is present
// - KB-JWT was issued recently (within MaxKeyBindingAge)
// - Includes clock skew tolerance (default: 5 minutes)

SD-JWT VC Format Validation (draft-ietf-oauth-sd-jwt-vc)

// Enabled by default when using VpTokenValidator
var validator = new VpTokenValidator(keyProvider, useSdJwtVcValidation: true);

// The validator ensures:
// - 'vct' claim is present and valid
// - 'iss' claim is present
// - 'typ' header is 'dc+sd-jwt'
// - Collision-resistant names are validated
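
What the nonce, audience and freshness checks listed above amount to on a decoded KB-JWT payload, as an added sketch that is not the library's implementation. `KeyBindingChecks` is hypothetical, the payload is constructed, signature verification is assumed to have happened already, and applying the clock skew to both edges of the freshness window is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed, already-decoded KB-JWT payload; signature verification is out of scope here.
long iat = DateTimeOffset.UtcNow.AddSeconds(-30).ToUnixTimeSeconds();
string payload = "{\"nonce\":\"presentation_nonce_123\",\"aud\":\"https://verifier.example.com\",\"iat\":" + iat + "}";

// Same token checked by the intended verifier and by a different one.
foreach (var clientId in new[] { "https://verifier.example.com", "https://other.example.com" })
{
    bool ok = KeyBindingChecks.Check(payload, "presentation_nonce_123", clientId,
        TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(5), out string reason);
    Console.WriteLine($"{clientId}: {(ok ? "accepted" : "rejected, " + reason)}");
}

// Hypothetical helper, not part of SdJwt.Net.Oid4Vp.
static class KeyBindingChecks
{
    public static bool Check(string payloadJson, string expectedNonce, string clientId,
                             TimeSpan maxAge, TimeSpan clockSkew, out string reason)
    {
        using var doc = JsonDocument.Parse(payloadJson);
        JsonElement p = doc.RootElement;

        reason = "nonce missing or not the value sent in the request";
        if (!p.TryGetProperty("nonce", out var n) || n.ValueKind != JsonValueKind.String) return false;
        if (!CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(n.GetString() ?? ""), Encoding.UTF8.GetBytes(expectedNonce)))
            return false;

        reason = "aud is not this verifier's client_id";
        if (!p.TryGetProperty("aud", out var a) || a.ValueKind != JsonValueKind.String) return false;
        if (!string.Equals(a.GetString(), clientId, StringComparison.Ordinal)) return false;

        reason = "iat missing, in the future, or older than the allowed age";
        if (!p.TryGetProperty("iat", out var i) || i.ValueKind != JsonValueKind.Number
            || !i.TryGetInt64(out long issuedAt)) return false;
        TimeSpan age = DateTimeOffset.UtcNow - DateTimeOffset.FromUnixTimeSeconds(issuedAt);
        // Assumption: skew is tolerated on both sides of the freshness window.
        if (age < -clockSkew || age > maxAge + clockSkew) return false;

        reason = "";
        return true;
    }
}
```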

Testing/Development Mode

For testing or development, use relaxed validation:

var validator = new VpTokenValidator(keyProvider, useSdJwtVcValidation: false);
var options = VpTokenValidationOptions.CreateForTesting();

// This disables strict OID4VP validations:
// - No issuer validation
// - No audience validation
// - No freshness validation
// - Extended time windows

Migration from v1.0

If you're upgrading from v1.0, note these changes:

// OLD (v1.0):
var options = new VpTokenValidationOptions
{
    ValidateKeyBindingAudience = false, // Was default
    ValidateKeyBindingFreshness = false, // Not available
};

// NEW (v1.1) - RECOMMENDED:
var options = VpTokenValidationOptions.CreateForOid4Vp("https://verifier.example.com");

// NEW (v1.1) - If you need old behavior:
var options = new VpTokenValidationOptions
{
    ValidateKeyBindingAudience = false,
    ValidateKeyBindingFreshness = false
};

Use Cases

  • Employment Verification: Bank loan applications requiring job verification
  • Age Verification: Privacy-preserving age proof for restricted services
  • Cross-Device Flows: QR code scanning from mobile to desktop
  • Complex Requirements: Multi-credential presentations for compliance

Documentation

For comprehensive examples and protocol implementation patterns, see the main repository.

License

Licensed under the Apache License 2.0.

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
.NET Core netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.1 is compatible. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 

NuGet packages (3)

Showing the top 3 NuGet packages that depend on SdJwt.Net.Oid4Vp:

Package Downloads
SdJwt.Net.HAIP

Implementation of OpenID4VC High Assurance Interoperability Profile (HAIP) for the SD-JWT .NET ecosystem. Provides policy-based compliance validation and enforcement for government and enterprise use cases. Ready for .NET 10.

SdJwt.Net.Wallet

Generic, extensible identity wallet implementation for .NET, supporting SD-JWT VC and mdoc credentials. Provides credential management, key management, OpenID4VCI/VP protocol adapters, and integration with trust infrastructure. Based on EUDI Android/iOS wallet architectures.

SdJwt.Net.Eudiw

EU Digital Identity Wallet (EUDIW) profile implementation for the SD-JWT .NET ecosystem. Provides eIDAS 2.0 compliance, ARF validation, EU Trust List integration, PID credential handling, and QEAA/EAA support for European digital identity verification.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.2 0 3/13/2026
1.0.1 171 3/1/2026
1.0.0 122 2/28/2026

Version 1.0.0: Complete OID4VP 1.0 protocol support with cross-device flows, Presentation Exchange v2.0.0, comprehensive security validation, and production-ready SD-JWT integration. Ready for .NET 10.