Trusted issuers list PUT method issue #17

@CarlosCIT

Issue: TIL PUT operation duplicates credentialsType entries instead of replacing claims (v0.10.0)

Description

In version 0.10.0 of the Trusted Issuers List (TIL), the handling of claims.path has changed.

  • When executing a POST to register a new issuer, the issuer is stored correctly.
  • When later executing a PUT with the same credentialsType, instead of replacing the claims of that credentialsType, the TIL concatenates them, creating multiple objects with the same credentialsType.

This results in inconsistent behavior: the verifier arbitrarily accepts or rejects verifications, depending on which duplicated claims are evaluated.


Steps to Reproduce

  1. Execute a POST to register an issuer with a credentialsType and claims.
  2. Execute a PUT with the same credentialsType but a different set of claims.
  3. Execute a GET and observe multiple entries with the same credentialsType.

Expected Behavior

  • The PUT request should replace the claims of the specified credentialsType.
  • Each issuer should have only one object per credentialsType.

Actual Behavior

  • The PUT request concatenates the claims.
  • Multiple objects with the same credentialsType are created.

Example Requests and Result

POST request

curl -X POST "https://<til-service>/issuer" \
  -H "Content-Type: application/json" \
  -d '{
    "did": "did:key:zExampleIssuerDID123456",
    "credentials": [
      {
        "credentialsType": "LegalPersonCredential",
        "claims": [
          {
            "name": "roles",
            "path": "$.roles[*].names[*]",
            "allowedValues": [
              "SELLER",
              "SERVICE-PROVIDER",
              "ADMIN",
              "POLICYMANAGER"
            ]
          }
        ]
      }
    ]
  }'

PUT request

curl -X PUT "https://<til-service>/issuer/did:key:zExampleIssuerDID123456" \
  -H "Content-Type: application/json" \
  -d '{
    "did": "did:key:zExampleIssuerDID123456",
    "credentials": [
      {
        "credentialsType": "LegalPersonCredential",
        "claims": [
          {
            "name": "roles",
            "path": "$.roles[*].names[*]",
            "allowedValues": [
              "POLICYMANAGER",
              "SERVICE-PROVIDER",
              "OPERATOR"
            ]
          }
        ]
      }
    ]
  }'

GET result

{
  "did": "did:key:zExampleIssuerDID123456",
  "credentials": [
    {
      "credentialsType": "LegalPersonCredential",
      "claims": [
        {
          "name": "roles",
          "path": "$.roles[*].names[*]",
          "allowedValues": ["SELLER","SERVICE-PROVIDER","ADMIN","POLICYMANAGER"]
        }
      ]
    },
    {
      "credentialsType": "LegalPersonCredential",
      "claims": [
        {
          "name": "roles",
          "path": "$.roles[*].names[*]",
          "allowedValues": ["POLICYMANAGER","SERVICE-PROVIDER","OPERATOR"]
        }
      ]
    },
    {
      "credentialsType": "LegalPersonCredential",
      "claims": [
        {
          "name": "roles",
          "path": "$.roles[*].names[*]",
          "allowedValues": ["CONSUMER","DRIVER","SERVICE-PROVIDER","POLICYMANAGER"]
        }
      ]
    }
    // ... repeated multiple times with the same credentialsType
  ]
}

Impact

This duplication causes the verifier to behave unpredictably:

  • Sometimes requests are accepted,
  • Other times they are rejected,
    depending on how the duplicated claims are evaluated.

Environment

  • TIL version: 0.10.0
  • Endpoint: https://<til-service>
  • Reproduced consistently with POST → PUT → GET workflow
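
An added example, not part of the original issue or the TIL project's code: a Python check that takes an issuer document as returned by GET, reports every credentialsType that appears more than once, and lists the allowedValues present in some of the duplicated entries but not all of them (the values whose acceptance depends on which entry is evaluated). The sample data reproduces the three entries shown in the GET result above; the function names are hypothetical.

```python
from collections import defaultdict

def _entry(values):
    # Sample helper only: one credentials object shaped like those in the issue.
    return {"credentialsType": "LegalPersonCredential",
            "claims": [{"name": "roles", "path": "$.roles[*].names[*]",
                        "allowedValues": values}]}

# The three entries from the GET result in the issue (placeholder line omitted).
SAMPLE = {
    "did": "did:key:zExampleIssuerDID123456",
    "credentials": [
        _entry(["SELLER", "SERVICE-PROVIDER", "ADMIN", "POLICYMANAGER"]),
        _entry(["POLICYMANAGER", "SERVICE-PROVIDER", "OPERATOR"]),
        _entry(["CONSUMER", "DRIVER", "SERVICE-PROVIDER", "POLICYMANAGER"]),
    ],
}

def duplicate_types(issuer):
    """Map each credentialsType that occurs more than once to its entries."""
    groups = defaultdict(list)
    for cred in issuer.get("credentials", []):
        groups[cred.get("credentialsType")].append(cred)
    return {t: entries for t, entries in groups.items() if len(entries) > 1}

def ambiguous_values(issuer):
    """For each duplicated (type, claim name, path), return the allowedValues
    that differ between the entries defining that claim."""
    report = {}
    for ctype, entries in duplicate_types(issuer).items():
        per_claim = defaultdict(list)
        for entry in entries:
            seen = defaultdict(set)  # merge repeated claims inside one entry
            for claim in entry.get("claims", []):
                key = (claim.get("name"), claim.get("path"))
                seen[key].update(claim.get("allowedValues") or [])
            for key, values in seen.items():
                per_claim[key].append(values)
        for (name, path), sets in per_claim.items():
            diff = set.union(*sets) - set.intersection(*sets)
            if diff:
                report[(ctype, name, path)] = sorted(diff)
    return report

if __name__ == "__main__":
    for key, values in ambiguous_values(SAMPLE).items():
        print(key, "->", values)
```
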
