-
It would be worth discussing whether we should remove the `cwt` proof type for the following reasons:
- The encoding of `cwt` proofs is not fully specified. I guess it is supposed to be base64url of …
awoie updated
1 month ago
-
The non-normative example in section 6.1 uses HTTP Basic authentication for client authentication. I'd recommend using a stronger client authentication mechanism in the example.
-
Is there anything being planned for supporting the issuance of credentials to wallets that don't have a pre-registered OAuth Client on the issuer's AS?
Q1: I presume that in open and low assurance …
-
When `client_id_scheme` is used, there can be multiple client_ids in the same ecosystem that belong to different clients. One of those clients could be malicious, compromised or the client_id scheme c…
-
[This profile](https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html) requires [credential requests](https://openid.net/specs/openid4vc-high-assurance-interoper…
-
The OpenID4VP, OpenID4VCI and OAuth2 client calls use `auth.timeout`, which has no default (`0`) meaning no time-out. This is a security risk, as the caller can control which endpoint will be called (…
-
Dear team,
State is currently generated inside `AuthorizeIssuanceImpl` and cannot be extracted or stored after calling `AuthorizeIssuance.prepareAuthorizationRequest()` without parsing resulting `…
-
I was wondering how to interpret the definition of [Credential Issuer Metadata](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-issuer-metadata-6):
Specifi…
-
This POST
https://github.com/ForkbombEu/wallet/blob/main/src/lib/openId4vci/index.ts#L54-L57
should be done in Slangroom. The .ts code should ONLY store/read states between parts of the flow.
-
In the RFC001, specifically in section 3.5, authorization request, it is defined that we are using PKCE. The example, including the description, defines it in a way that makes it seem that PKCE is man…