Open jbman opened 2 years ago
Thank you for the links. I see the spec is still in draft, so it might be wise to wait until it is formalized to implement it, but it looks like a good path moving forward. Currently, the endpoint is well defined, but having an arbitrary pres_req_conf_id in the query parameters is definitely not ideal from a security standpoint - this is why the system requesting authentication MUST check for a matching pres_req_conf_id value in the JWT received in the response (see here).
If you have time to put together a PR we would be happy to review and evaluate it 🙂
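The relying-party check described in the comment above, as an added example that is not part of the thread or of the vc-authn-oidc code base. It assumes the returned JWT carries a `pres_req_conf_id` claim and, so that it runs with the standard library only, a constructed HS256 token and demo key; the function names and the `verified-email` value are hypothetical. A real relying party verifies the token against the OP's published keys and also validates `iss`, `aud`, `exp` and `nonce` through its OIDC library.

```python
import base64, hashlib, hmac, json

def _b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token standing in for the OP's response."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(f'{head}.{body}', key))}"

def check_presentation_config(token: str, key: bytes, expected_conf_id: str) -> dict:
    """Return the claims only if the signature verifies and pres_req_conf_id
    equals the value the relying party stored when it started the flow.
    expected_conf_id must come from server-side session state, never from
    the callback URL, because the query parameter is user-controlled."""
    try:
        head, body, sig_part = token.split(".")
        header = json.loads(_b64d(head))
        sig = _b64d(sig_part)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(f"{head}.{body}", key)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))  # parsed only after the signature check
    got = claims.get("pres_req_conf_id") if isinstance(claims, dict) else None
    if not isinstance(got, str) or got != expected_conf_id:
        raise ValueError("pres_req_conf_id mismatch")
    return claims

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample value
    tok = make_token({"sub": "abc", "pres_req_conf_id": "verified-email"}, demo_key)
    print(check_presentation_config(tok, demo_key, "verified-email"))
```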
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Pinning issue for re-assessment.
In the current protocol the OP is required to provide an unspecified endpoint for managing request configurations (see https://github.com/bcgov/vc-authn-oidc/blob/master/docs/README.md#vc-presentation-request-configuration). This could be refined based on Pushed Authorization Requests so that management of this request configuration is well-defined.