SdJwtOrderProcessor: the case where the presented access token has no associated issuable credential.

TakahikoKawasaki · TakahikoKawasaki · commit 31ef2539161e · 2023-11-16T06:03:30.000+09:00
diff --git a/src/main/java/com/authlete/jaxrs/server/vc/SdJwtOrderProcessor.java b/src/main/java/com/authlete/jaxrs/server/vc/SdJwtOrderProcessor.java
@@ -39,6 +39,13 @@ protected void checkPermissions(
             String format, Map<String, Object> requestedCredential)
                     throws InvalidCredentialRequestException
     {
+        // If no issuable credential is associated with the access token.
+        if (issuableCredentials == null)
+        {
+            throw new InvalidCredentialRequestException(
+                    "No credential can be issued with the access token.");
+        }
+
         // As explained in https://www.authlete.com/developers/oid4vci/,
         // it is challenging to implement this step in a manner consistent
         // across all implementations due to the flaws of the OID4VCI spec.
