fix: make VP holder property optional (#5697)

* fix(decentralized-claims): make VP holder property optional

- JwtToVerifiablePresentationTransformer now reads an explicit `holder`
  claim from the VP JWT and falls back to the `iss` (issuer) claim when
  absent, instead of always using the issuer
- VerifiableCredentialValidationServiceImpl skips HasValidSubjectIds
  validation when the presentation holder is null, allowing VPs that
  carry no holder to pass validation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* checkstyle

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: paullatzelsperger

extensions/common/api/management-api-configuration/src/main/resources/management-api-version.json

@@ -14,7 +14,7 @@
   {
     "version": "5.0.0-beta",
     "urlPath": "/v5beta",
-    "lastUpdated": "2026-03-27T09:00:00Z",
+    "lastUpdated": "2026-04-23T09:00:00Z",
     "maturity": "beta"
   }
 ]

extensions/common/iam/decentralized-claims/decentralized-claims-transform/src/main/java/org/eclipse/edc/iam/decentralizedclaims/transform/to/JwtToVerifiablePresentationTransformer.java

@@ -32,6 +32,7 @@
 import java.text.ParseException;
 import java.util.Map;
 
+
 @SuppressWarnings("unchecked")
 public class JwtToVerifiablePresentationTransformer extends AbstractJwtTransformer<VerifiablePresentation> {
 
@@ -104,7 +105,7 @@ public JwtToVerifiablePresentationTransformer(Monitor monitor, TypeManager typeM
                 var vpToken = idClaim.substring(DATA_URL_VP_JWT.length());
                 // credentialObject should contain EnvelopedVerifiableCredentials
                 var vpClaims = SignedJWT.parse(vpToken).getJWTClaimsSet();
-                builder.holder(vpClaims.getIssuer());
+                builder.holder(vpClaims.getStringClaim("holder"));
                 builder.id(vpClaims.getJWTID());
                 // verifiable credentials as EnvelopedVerifiableCredentials
                 listOrReturn(vpClaims.getClaim(VERIFIABLE_CREDENTIAL_PROPERTY), o -> extractEnvelopedCredential(o, context)).forEach(builder::credential);

extensions/common/iam/decentralized-claims/decentralized-claims-transform/src/test/java/org/eclipse/edc/iam/decentralizedclaims/transform/TestData.java

@@ -485,6 +485,73 @@ public interface TestData {
             L07clQVAlvy-drJJ5dkmV5VTvThC0azqNfcmhQ1VRSgi0Z4gdYaM92IrW3OiRH3kIR-h7pLR3505m8CQ
             """;
 
+    @NotNull String EXAMPLE_ENVELOPED_PRESENTATION_WITH_HOLDER = """
+            eyJhbGciOiJFUzI1NiJ9.eyJpZCI6ImRhdGE6YXBwbGljYXRpb24vdnArand0LGV5SmhiR2NpT2lK
+            RlV6STFOaUo5LmV5Sm9iMnhrWlhJaU9pSmthV1E2ZDJWaU9tVjRZVzF3YkdVNmFHOXNaR1Z5SWl3a
+            WRIbHdaU0k2SWxabGNtbG1hV0ZpYkdWUWNtVnpaVzUwWVhScGIyNGlMQ0pBWTI5dWRHVjRkQ0k2V3
+            lKb2RIUndjem92TDNkM2R5NTNNeTV2Y21jdmJuTXZZM0psWkdWdWRHbGhiSE12ZGpJaUxDSm9kSFJ
+            3Y3pvdkwzZDNkeTUzTXk1dmNtY3Zibk12WTNKbFpHVnVkR2xoYkhNdlpYaGhiWEJzWlhNdmRqSWlY
+            U3dpZG1WeWFXWnBZV0pzWlVOeVpXUmxiblJwWVd3aU9sdDdJa0JqYjI1MFpYaDBJam9pYUhSMGNIT
+            TZMeTkzZDNjdWR6TXViM0puTDI1ekwyTnlaV1JsYm5ScFlXeHpMM1l5SWl3aWFXUWlPaUprWVhSaE
+            9tRndjR3hwWTJGMGFXOXVMM1pqSzJwM2RDeGxlVXB5WVZkUmFVOXBTakpaZVRGNllWZGtkVWxwZDJ
+            sWlYzaHVTV3B2YVZKV1RYbE9WRmxwWmxFdVpYbEthbU50Vm10YVZ6VXdZVmRHYzFVeVRtOWFWekZv
+            U1dwd1ltVjVTbkJhUTBrMlNXMW9NR1JJUW5wUGFUaDJXbGhvYUdKWVFuTmFVelYyWTIxamRscFlhR
+            2hpV0VKeldsaE5kbHBIVm01amJWWnNURzF3ZW1JeU5HbE1RMG93WlZoQ2JFbHFiMmxUYms1MllteE
+            9hbUZIVm5SWlUwbzVURWh6YVdGWFVXbFBhVXB2WkVoU2QyTjZiM1pNTWxZMFdWY3hkMkpIVlhWaU0
+            wcHVUREpXTkZsWE1YZGlSMVo2VERKR2MyUlhNWFZoVXpWeFl6STVkVWxwZDJsa1NHeDNXbE5KTmts
+            cmNIcGlNalZVV1RKb2JHSlhSV2xtVmpCelNXMU9lVnBYVW14aWJsSndXVmQ0VkdSWFNuRmFWMDR3U
+            1dwd04wbHRiR3RKYW05cFdrZHNhMDl0VmpSWlZ6RjNZa2RWTmxwWFNtMWFWMGw0V21wamVFMXRWbW
+            xaZWxwdFRWZE5lVTU2V214TlZFcHNXWHBKZUVscGQybGFSMVp1WTIxV2JFbHFjRGRKYmxJMVkwZFZ
+            hVTlwU2tabFIwWjBZMGQ0YkZGdFJtcGhSMVp6WWpOS1JWcFhaSGxhVjFWcFRFTktkVmxYTVd4SmFt
+            OXBVVzFHYW1GSFZuTmlNMGxuWWpKWloxVXlUbkJhVnpWcVdsTkNhR0p0VVdkUldFb3dZM2xLT1V4R
+            FNtaGlTRlowWW0xc1VGcHBTVFpsZVVwMVdWY3hiRWxxYjJsU1dHaG9ZbGhDYzFwVFFsWmliV3d5V2
+            xoS2VtRllValZKYmpFNVRFTktjRnBEU1RaSmJXZ3daRWhCTmt4NU9URmliV3d5V2xoS2VtRllValZ
+            NYlZZMFdWY3hkMkpIVlhaWk0wcHNXa2RXZFdSSGJHaGlTRTEyVFhwamVrMXBTWE5KYmxwb1lrZHNh
+            MUp1U25aaVUwazJTV3BKZDAxVVFYUk5SRVYwVFVSR1ZVMVVhelpOYWswMlRXcFNZVWxwZDJsa1NHe
+            DNXbE5KTmxkNVNsZGFXRXB3V20xc2FGbHRlR3hSTTBwc1drZFdkV1JIYkdoaVEwbHpTV3RXTkZsWE
+            1YZGlSMVpGV2xka2VWcFhWa1JqYlZacldsYzFNR0ZYUm5OSmFYZHBVbGhvYUdKWVFuTmFWa0pzWTI
+            1T2RtSnJUbmxhVjFKc1ltNVNjRmxYZDJsWVUzZHBVVWRPZG1KdVVteGxTRkZwVDJ4emFXRklVakJq
+            U0UwMlRIazVNMlF6WTNWa2VrMTFZak5LYmt3eU5YcE1NazU1V2xkU2JHSnVVbkJaVjNoNlRETlplV
+            WxwZDJsaFNGSXdZMGhOTmt4NU9UTmtNMk4xWkhwTmRXSXpTbTVNTWpWNlRESk9lVnBYVW14aWJsSn
+            dXVmQ0ZWt3eVZqUlpWekYzWWtkV2Vrd3pXWGxKYkRCelNXMXNlbU16Vm14amFVazJTVzFvTUdSSVF
+            ucFBhVGgyWkZjMWNHUnRWbmxqTW13d1pWTTFiR1ZIUm5SalIzaHNUREpzZW1NelZteGpiazEyVFZS
+            UmFXWlJMbWRUY2xWT05XMVBNR3RzTVVKaFUzZGFlRVJpYjE5UVNFNUhNWGR0WmpGdGRYUXlkRlJJU
+            Ws1WlNWcGxWMUJpVGw5NlgwZ3RPV1JyVHpKa1ptTlFPVE5YU25kNVJUVmxiMG8xYTNGZmFreDZVMk
+            p2Vm5wbklpd2lkSGx3WlNJNklrVnVkbVZzYjNCbFpGWmxjbWxtYVdGaWJHVkRjbVZrWlc1MGFXRnN
+            JbjBzZXlKQVkyOXVkR1Y0ZENJNkltaDBkSEJ6T2k4dmQzZDNMbmN6TG05eVp5OXVjeTlqY21Wa1pX
+            NTBhV0ZzY3k5Mk1pSXNJbWxrSWpvaVpHRjBZVHBoY0hCc2FXTmhkR2x2Ymk5Mll5dHFkM1FzWlhsS
+            2NtRlhVV2xQYVVveVdYa3hlbUZYWkhWSmFYZHBXVmQ0YmtscWIybFNWazE1VGxSWmFXWlJMbVY1U2
+            1wamJWWnJXbGMxTUdGWFJuTlZNazV2V2xjeGFFbHFjR0psZVVwd1drTkpOa2x0YURCa1NFSjZUMms
+            0ZGxwWWFHaGlXRUp6V2xNMWRtTnRZM1phV0dob1lsaENjMXBZVFhaYVIxWnVZMjFXYkV4dGNIcGlN
+            alJwVEVOS01HVllRbXhKYW05cFUyNU9kbUpzVG1waFIxWjBXVk5LT1V4SWMybGhWMUZwVDJsS2IyU
+            klVbmRqZW05MlRESldORmxYTVhkaVIxVjFZak5LYmt3eVZqUlpWekYzWWtkV2Vrd3lSbk5rVnpGMV
+            lWTTFjV015T1hWSmFYZHBaRWhzZDFwVFNUWkphM0I2WWpJMVZGa3lhR3hpVjBWcFpsWXdjMGx0VG5
+            sYVYxSnNZbTVTY0ZsWGVGUmtWMHB4V2xkT01FbHFjRGRKYld4clNXcHZhVnBIYkd0UGJWWTBXVmN4
+            ZDJKSFZUWmFWMHB0V2xkSmVGcHFZM2hOYlZacFdYcGFiVTFYVFhsT2VscHNUVlJLYkZsNlNYaEphW
+            GRwV2tkV2JtTnRWbXhKYW5BM1NXNVNOV05IVldsUGFVcEdaVWRHZEdOSGVHeFJiVVpxWVVkV2MySX
+            pTa1ZhVjJSNVdsZFZhVXhEU25WWlZ6RnNTV3B2YVZGdFJtcGhSMVp6WWpOSloySXlXV2RWTWs1d1d
+            sYzFhbHBUUW1oaWJWRm5VVmhLTUdONVNqbE1RMHBvWWtoV2RHSnRiRkJhYVVrMlpYbEtkVmxYTVd4
+            SmFtOXBVbGhvYUdKWVFuTmFVMEpXWW0xc01scFlTbnBoV0ZJMVNXNHhPVXhEU25CYVEwazJTVzFvT
+            UdSSVFUWk1lVGt4WW0xc01scFlTbnBoV0ZJMVRHMVdORmxYTVhkaVIxVjJXVE5LYkZwSFZuVmtSMn
+            hvWWtoTmRrMTZZM3BOYVVselNXNWFhR0pIYkd0U2JrcDJZbE5KTmtscVNYZE5WRUYwVFVSRmRFMUV
+            SbFZOVkdzMlRXcE5OazFxVW1GSmFYZHBaRWhzZDFwVFNUWlhlVXBYV2xoS2NGcHRiR2haYlhoc1VU
+            TktiRnBIVm5Wa1IyeG9Za05KYzBsclZqUlpWekYzWWtkV1JWcFhaSGxhVjFaRVkyMVdhMXBYTlRCa
+            FYwWnpTV2wzYVZKWWFHaGlXRUp6V2xaQ2JHTnVUblppYTA1NVdsZFNiR0p1VW5CWlYzZHBXRk4zYV
+            ZGSFRuWmlibEpzWlVoUmFVOXNjMmxoU0ZJd1kwaE5Oa3g1T1ROa00yTjFaSHBOZFdJelNtNU1NalY
+            2VERKT2VWcFhVbXhpYmxKd1dWZDRla3d6V1hsSmFYZHBZVWhTTUdOSVRUWk1lVGt6WkROamRXUjZU
+            WFZpTTBwdVRESTFla3d5VG5sYVYxSnNZbTVTY0ZsWGVIcE1NbFkwV1ZjeGQySkhWbnBNTTFsNVNXd
+            3djMGx0Ykhwak0xWnNZMmxKTmtsdGFEQmtTRUo2VDJrNGRtUlhOWEJrYlZaNVl6SnNNR1ZUTld4bF
+            IwWjBZMGQ0YkV3eWJIcGpNMVpzWTI1TmRrMVVVV2xtVVM1blUzSlZUalZ0VHpCcmJERkNZVk4zV25
+            oRVltOWZVRWhPUnpGM2JXWXhiWFYwTW5SVVNFSk9XVWxhWlZkUVlrNWZlbDlJTFRsa2EwOHlaR1pq
+            VURrelYwcDNlVVUxWlc5S05XdHhYMnBNZWxOaWIxWjZaeUlzSW5SNWNHVWlPaUpGYm5abGJHOXdaV
+            1JXWlhKcFptbGhZbXhsUTNKbFpHVnVkR2xoYkNKOVhYMC5OcTB5aklUN2hPZGwzOURhb3p2c0pnMz
+            d2OGFUdlU2cy1TQjVmXzNOLUZSc1dwY21xMkZkY0YxT2diWlh0UWhOS3h0TnhxaWpjMTIyTWhONHh
+            uRWU2QSIsInR5cGUiOiJFbnZlbG9wZWRWZXJpZmlhYmxlUHJlc2VudGF0aW9uIiwiQGNvbnRleHQi
+            OlsiaHR0cHM6Ly93d3cudzMub3JnL25zL2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YyIiwiaHR0cHM6L
+            y93d3cudzMub3JnL25zL2NyZWRlbnRpYWxzL3YyIl19.a65dZ3g-AXgKTex3yIV26LVD7GPp1WKPS
+            dzjCqWI7QaURTHL3NjlBCELregYFtcdINMiFG9MJBEuk88MPUqBpw
+            """;
+
     @NotNull String EXAMPLE_JWT_VC_2_0 = """
             eyJraWQiOiJFeEhrQk1XOWZtYmt2VjI2Nm1ScHVQMnNVWV9OX0VXSU4xbGFwVXpPOHJvIiwiYWxnI
             joiRVMyNTYifQ .eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvbnMvY3JlZGVudGlhbH

extensions/common/iam/decentralized-claims/decentralized-claims-transform/src/test/java/org/eclipse/edc/iam/decentralizedclaims/transform/to/JwtToVerifiablePresentationTransformerTest.java

@@ -149,12 +149,31 @@ void transform_inputIsNotValidJwt() {
 
     @DisplayName("VP is an EnvelopedVerifiablePresentation")
     @Test
-    void transform_envelopedPresentation() {
+    void transform_envelopedPresentation_noHolder() {
         var vp = transformer.transform(TestData.EXAMPLE_ENVELOPED_PRESENTATION, context);
         assertThat(vp).isNotNull();
+        assertThat(vp.getHolder()).isNull();
         assertThat(vp.getTypes()).containsExactlyInAnyOrder("VerifiablePresentation");
         assertThat(vp.getCredentials()).hasSize(2)
                 .allSatisfy(vc -> {
+
+                    assertThat(vc.getCredentialSubject()).isNotEmpty();
+                    assertThat(vc.getType()).containsExactlyInAnyOrder("ExampleDegreeCredential", "ExamplePersonCredential", "VerifiableCredential");
+                });
+        verify(context, never()).reportProblem(anyString());
+    }
+
+    @DisplayName("VP is an EnvelopedVerifiablePresentation with a holder property")
+    @Test
+    void transform_envelopedPresentation_withHolder() {
+
+        var vp = transformer.transform(TestData.EXAMPLE_ENVELOPED_PRESENTATION_WITH_HOLDER, context);
+        assertThat(vp).isNotNull();
+        assertThat(vp.getHolder()).isNotNull().isEqualTo("did:web:example:holder");
+        assertThat(vp.getTypes()).containsExactlyInAnyOrder("VerifiablePresentation");
+        assertThat(vp.getCredentials()).hasSize(2)
+                .allSatisfy(vc -> {
+
                     assertThat(vc.getCredentialSubject()).isNotEmpty();
                     assertThat(vc.getType()).containsExactlyInAnyOrder("ExampleDegreeCredential", "ExamplePersonCredential", "VerifiableCredential");
                 });

extensions/common/iam/decentralized-claims/lib/verifiable-credentials-lib/src/main/java/org/eclipse/edc/iam/verifiablecredentials/VerifiableCredentialValidationServiceImpl.java

@@ -29,6 +29,7 @@
 import org.eclipse.edc.iam.verifiablecredentials.spi.validation.TrustedIssuerRegistry;
 import org.eclipse.edc.spi.result.Result;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 import java.time.Clock;
 import java.util.ArrayList;
@@ -68,16 +69,19 @@ public Result<Void> validate(List<VerifiablePresentationContainer> presentations
     }
 
     @NotNull
-    private Result<Void> validateVerifiableCredentials(List<VerifiableCredential> credentials, String presentationHolder, Collection<? extends CredentialValidationRule> additionalRules) {
+    private Result<Void> validateVerifiableCredentials(List<VerifiableCredential> credentials, @Nullable String presentationHolder, Collection<? extends CredentialValidationRule> additionalRules) {
 
         // in addition, verify that all VCs are valid
         var filters = new ArrayList<>(List.of(
                 new IsInValidityPeriod(clock),
-                new HasValidSubjectIds(presentationHolder),
                 new IsNotRevoked(revocationServiceRegistry),
                 new HasValidIssuer(trustedIssuerRegistry),
                 new HasValidSubjectSchema(mapper)));
 
+        if (presentationHolder != null) {
+            filters.add(new HasValidSubjectIds(presentationHolder));
+        }
+
         filters.addAll(additionalRules);
 
 

extensions/common/iam/decentralized-claims/lib/verifiable-credentials-lib/src/test/java/org/eclipse/edc/iam/verifiablecredentials/VerifiableCredentialValidationServiceImplTest.java

@@ -155,6 +155,24 @@ void verify_singlePresentation_singleCredential() {
         assertThat(result).isSucceeded();
     }
 
+    @Test
+    void verify_singlePresentation_noHolderProperty_shouldSucceed() {
+        var presentation = createPresentationBuilder()
+                .holder(null) // un-set holder property
+                .type("VerifiablePresentation")
+                .credentials(List.of(createCredentialBuilder()
+                        .credentialSubjects(List.of(CredentialSubject.Builder.newInstance()
+                                .id(CONSUMER_DID)
+                                .claim("some-claim", "some-val")
+                                .build()))
+                        .build()))
+                .build();
+        var vpContainer = new VerifiablePresentationContainer("test-vp", CredentialFormat.VC1_0_LD, presentation);
+        when(verifier.verifyPresentation(any(), any())).thenReturn(success());
+        var result = validationService.validate(List.of(vpContainer), EXPECTED_AUDIENCE);
+        assertThat(result).isSucceeded();
+    }
+
     @Test
     void verify_singlePresentation_multipleCredentials() {
         var presentation = createPresentationBuilder()