Edit: I confused myself and it seems that the apv is indeed base64 encoded (sorry about that). However the rest is still valid.
Hi.
The two claims apu and apv in the JWE containing the response object for a mdoc oid4vp request are currently encoded as raw strings. However, both ISO 18013-7 and RFC 7518 (section 4.6.1.2 and 4.6.1.3) specify that both claims should be base64-url-encoded-no-padding.
I also just realized that the value of apv is not following the newest version of 18013-7. Currently the value is SKReader. However the newest version of 18013-7 specifies:
"The mdoc shall set the apv JWT (JWE) header parameter to the base64url-encoded-with-no-padding
value of the nonce Authorization Request parameter from the Authorization Request Object."
nicklaswj changed the title from "mdoc_oid4vp: Response object JWE claims apu and apv are not base64 encoded" to "mdoc_oid4vp: Response object JWE claims apu ~~and apv~~ are not base64 encoded" on Mar 11, 2024
nicklaswj changed the title from "mdoc_oid4vp: Response object JWE claims apu ~~and apv~~ are not base64 encoded" to "mdoc_oid4vp: Response object JWE claims apu and apv are not base64 encoded" on Mar 11, 2024
Hi @nicklaswj, thanks for opening the issue. We haven't yet implemented support for the latest version of ISO 18013-7, so there may be other small issues too. I can't guarantee we will be able to resolve this immediately, so if you are able to submit a fix yourself I would highly encourage it!
Strictly speaking, the bug doesn't live in this repository but in https://github.com/spruceid/isomdl-18013-7. However, since I stumbled upon it here and this repository doesn't use the main branch of https://github.com/spruceid/isomdl-18013-7, I thought it would be more relevant to post the issue here. The specific lines that set the claims are here.
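A check for the two header parameters discussed in this issue, written as an added example (it is not code from this repository or from isomdl-18013-7). It verifies that apu and apv are base64url without padding and that apv decodes to the request nonce, as the ISO 18013-7 text quoted above requires. The function names, the nonce, the apu value and the empty JWE segments are constructed for illustration.

```python
import base64
import json
import re

_B64URL = re.compile(r"[A-Za-z0-9_-]*")  # base64url alphabet, no '=' padding

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Reject padding, foreign characters and impossible lengths up front.
    if not _B64URL.fullmatch(text) or len(text) % 4 == 1:
        raise ValueError("not base64url without padding")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_header(jwe_compact: str, nonce: str) -> list:
    """Return the problems found in the apu/apv JWE header parameters."""
    header = json.loads(b64url_decode(jwe_compact.split(".")[0]))
    problems = []
    for name in ("apu", "apv"):
        value = header.get(name)
        if not isinstance(value, str):
            problems.append(f"{name}: missing")
            continue
        try:
            decoded = b64url_decode(value)
        except ValueError:
            problems.append(f"{name}: not base64url-no-padding")
            continue
        # A raw string such as "SKReader" uses only base64url characters,
        # so the syntax check passes; compare the decoded bytes as well.
        if name == "apv" and decoded != nonce.encode():
            problems.append("apv: does not decode to the request nonce")
    return problems

def make_jwe(header: dict) -> str:
    # Constructed sample: real protected header, four empty remaining segments.
    return b64url_encode(json.dumps(header).encode()) + "...."

NONCE = "n-0S6_WzA2Mj"  # constructed Authorization Request nonce
RAW = make_jwe({"alg": "ECDH-ES", "enc": "A256GCM",
                "apu": "mdoc nonce #1", "apv": "SKReader"})
ENCODED = make_jwe({"alg": "ECDH-ES", "enc": "A256GCM",
                    "apu": b64url_encode(b"mdoc nonce #1"),
                    "apv": b64url_encode(NONCE.encode())})

if __name__ == "__main__":
    print(check_header(RAW, NONCE))
    print(check_header(ENCODED, NONCE))
```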