bcgov / vc-authn-oidc

Apache License 2.0

VC Presentation Request Configuration could rather be an OAuth2 Pushed Authorization Request #136

Open jbman opened 2 years ago

jbman commented 2 years ago

In the current protocol the OP is required to provide an unspecified endpoint for managing request configurations (see https://github.com/bcgov/vc-authn-oidc/blob/master/docs/README.md#vc-presentation-request-configuration). This could be refined based on Pushed Authorization Requests so that management of this request configuration is well-defined.

esune commented 2 years ago

Thank you for the links. I see the spec is still in draft, so it might be wise to wait until it is formalized to implement it, but it looks like a good path moving forward. Currently, the endpoint is well defined, but having an arbitrary pres_req_conf_id in the query parameters is definitely not ideal from a security standpoint - this is why the system requesting authentication MUST check for a matching pres_req_conf_id value in the JWT received in the response (see here).

If you have time to put together a PR we would be happy to review and evaluate it 🙂
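The check described above, that the relying party must compare the `pres_req_conf_id` it asked for against the claim in the returned JWT, as an added example (not code from vc-authn-oidc); the HS256 signing, the claim set and the sample identifiers are constructed for the demo, and a real deployment verifies the token with the OP's published signing key:

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    # Stand-in for the OP issuing the ID token (HS256 only to keep the demo offline).
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_vc_authn_token(token, key, expected_conf_id, expected_nonce, now):
    """Relying-party side: return the verified claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) < now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # binds the token to this login attempt
    if claims.get("pres_req_conf_id") != expected_conf_id:
        raise ValueError("pres_req_conf_id mismatch")  # a weaker config was substituted
    return claims

KEY = b"constructed-demo-key"  # constructed; real deployments use the OP's signing key
NOW = 1_700_000_000
GOOD = make_hs256_jwt({"sub": "did:example:123", "nonce": "n-1", "exp": NOW + 300, "pres_req_conf_id": "verified-email"}, KEY)
SWAPPED = make_hs256_jwt({"sub": "did:example:123", "nonce": "n-1", "exp": NOW + 300, "pres_req_conf_id": "basic-age-check"}, KEY)

def accepted(token, conf_id="verified-email", nonce="n-1"):
    # Convenience wrapper: True if the relying party would accept this token.
    try:
        verify_vc_authn_token(token, KEY, conf_id, nonce, now=NOW)
        return True
    except ValueError:
        return False
```

The `SWAPPED` token is validly signed but was issued for a different presentation request configuration than the one the relying party sent, so it must be rejected even though every other claim checks out.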

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

esune commented 1 year ago

Pinning issue for re-assessment.