Skip to content

Replace @Polymorphic with JsonElement for credentialSubject in VerifiableCredential #496

New issue
New issue
Open
Open
Replace @Polymorphic with JsonElement for credentialSubject in VerifiableCredential#496
Milestone
5.12.0
@etnafed

Description

@etnafed
etnafed
opened on Jan 26, 2026

Hello,

The current implementation of at.asitplus.wallet.lib.data.VerifiableCredential uses @Polymorphic annotation on the credentialSubject property:

@Polymorphic
@SerialName("credentialSubject")
val credentialSubject: CredentialSubject

This approach assumes that the serialization mechanism can discriminate between different CredentialSubject implementations, typically using a type field as a class discriminator. However, according to the W3C Verifiable Credentials Data Model 1.1 specification, there is no guarantee that a type field will be present in the credentialSubject object.

Problem

The polymorphic serialization strategy currently employed may fail or behave unexpectedly when:

  • The credentialSubject does not contain a type field
  • The credentialSubject structure varies significantly between different credential types
  • Interoperability with credentials from external issuers that don't follow the assumed discriminator pattern

This creates a potential incompatibility with valid W3C Verifiable Credentials that don't include the expected discriminator field.

Proposed Solution

Replace the @Polymorphic annotation and CredentialSubject type with JsonElement to handle the credentialSubject as a flexible JSON structure:

@SerialName("credentialSubject")
val credentialSubject: JsonElement

Benefits

  • Spec compliance: Aligns with W3C VC Data Model 1.1 specification
  • Flexibility: Handles any valid JSON structure for credentialSubject
  • Interoperability: Works with credentials from any compliant issuer
  • No assumptions: Doesn't require a specific discriminator field

Impact

This change would affect:

  • Any code that currently expects credentialSubject to be a specific CredentialSubject subtype
  • Serialization/deserialization logic that relies on polymorphic behavior
  • Type-safe access to credential subject properties (would require manual JSON parsing)

I've tested it locally, the openid4vci and openid4vp flows still works after those modifications. I can propose a pull request to fix this.

Best regards

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions