bifurcation / userinfo-vc

A core interop profile for Verifiable Credentials in OpenID

Why is there a need to return an ID Token? #11

Closed Sakurann closed 1 year ago

Sakurann commented 1 year ago

Is it a requirement to return an ID Token? OpenID4VP is based on OAuth and ID Token is optional. I have not found a reason to mandate ID Token in this document but I might be missing something. I suggest removing ID Token from the overview.

bifurcation commented 1 year ago

(Do you mean OpenID4VCI instead of OpenID4VP?)

My thinking here was to extend OpenID Connect so that we could benefit from (a) UserInfo and (b) Discovery. And because the natural deployment model here is OIDC-based SSO providers implementing it. OpenID Connect provides an ID Token, so we inherit it, even if we might not use it.

PieterKas commented 1 year ago

Perhaps just call out that the ID Token MAY be returned by the OP and that the client should proceed even if it is not present?

bifurcation commented 1 year ago

Really, the requirement is just whatever OIDC says; this spec isn't changing anything. I can take a look at what OIDC says, and note that here.

Sakurann commented 1 year ago

That's my point. OpenID4VCI is based on OAuth. Anyone can use it with OIDC and with ID Token - and we can add a note to this extent, but mandating ID Token blurs the focus of this profile on issuing a VC.