Open dzarras opened 8 months ago
@dzarras Is there any reference within OpenId4VP spec for this?
If I remember correctly, the spec provides some non-normative examples for the happy path case.
@babisRoutis I was reading the spec again. I believe that redirect_uri is applicable only during the happy path.
In 6.2. Response Mode "direct_post", redirect_uri is defined as an optional property returned by the Verifier Endpoint once it has successfully processed the response provided by the Wallet.
Quoting:
> If the Response Endpoint has successfully processed the request, it MUST respond with HTTPS status code 200. The following new parameter is defined for use in the response from the endpoint:
> redirect_uri: OPTIONAL. When the redirect parameter is used the Wallet MUST send the User Agent to this redirect URI. The redirect URI allows the Verifier to continue the interaction with the End-User on the device where the Wallet resides after the Wallet has sent the Authorization Response to the Response URI. It especially enables the Verifier to prevent session fixation (Section 12.2) attacks.
My initial concern still stands though. The Verifier might want to present some extra information to the User in case the response provided by the Wallet has not been successfully processed or has been rejected.
Most probably we need to open an issue/question to the spec authors.
@dzarras We can watch https://github.com/openid/OpenID4VP/issues/137
`DispatchOutcome.VerifierResponse.Rejected` must be updated to a data class that contains a nullable property `redirectUri`, similar to `DispatchOutcome.VerifierResponse.Accepted`.
Even in the case that the user didn't give his consent to present a credential, the verifier might want to redirect to a certain URI to display extra information to the user.
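To make the proposal concrete, here is an added Kotlin sketch (not the library's own code, and the shapes of `DispatchOutcome`, `HttpResponse`, `toDispatchOutcome` and `nextUserAgentAction` are assumptions) of a `VerifierResponse` hierarchy in which both `Accepted` and `Rejected` carry a nullable `redirectUri`, plus the wallet-side decision of where to send the user agent after a `direct_post` dispatch. The `redirect_uri` extraction is deliberately dependency-free and the https-only filter is a hardening choice of this example, not something the quoted spec text requires:

```kotlin
import java.net.URI

// Added example (not the library's code): both Accepted and Rejected carry an
// optional redirectUri, as the issue proposes. Names and shapes are assumptions.
sealed interface DispatchOutcome {
    sealed interface VerifierResponse : DispatchOutcome {
        val redirectUri: URI?

        // Response Endpoint answered 200; redirect_uri is OPTIONAL per OpenID4VP 6.2.
        data class Accepted(override val redirectUri: URI?) : VerifierResponse

        // Response Endpoint answered with a non-200 status; the proposed change lets
        // the verifier still hand the wallet a URI for an explanatory page.
        data class Rejected(val status: Int, override val redirectUri: URI?) : VerifierResponse
    }
}

// Constructed stand-in for the HTTP reply of the direct_post Response Endpoint.
data class HttpResponse(val status: Int, val body: String)

// Minimal extraction of a top-level "redirect_uri" string from a JSON body.
// A real implementation should use a JSON parser; the regex keeps this example
// dependency-free.
private val REDIRECT_URI_RE = Regex("\"redirect_uri\"\\s*:\\s*\"([^\"]*)\"")

// Hardening choice of this example (not mandated by the quoted spec text): only
// absolute https URIs are followed, so a verifier cannot push the user agent to
// a custom-scheme or javascript: target.
fun extractRedirectUri(body: String): URI? =
    REDIRECT_URI_RE.find(body)
        ?.groupValues?.get(1)
        ?.let { raw -> runCatching { URI(raw) }.getOrNull() }
        ?.takeIf { it.isAbsolute && it.scheme.equals("https", ignoreCase = true) }

// Map the verifier's HTTP reply onto the outcome; the redirect URI is read on
// both branches, which is exactly what the proposed Rejected data class enables.
fun toDispatchOutcome(response: HttpResponse): DispatchOutcome.VerifierResponse {
    val uri = extractRedirectUri(response.body)
    return if (response.status == 200) {
        DispatchOutcome.VerifierResponse.Accepted(uri)
    } else {
        DispatchOutcome.VerifierResponse.Rejected(response.status, uri)
    }
}

// What the wallet does with the user agent once the outcome is known: a
// verifier-supplied redirect, when present, takes priority on both branches.
fun nextUserAgentAction(outcome: DispatchOutcome.VerifierResponse): String {
    val uri = outcome.redirectUri
    if (uri != null) return "send user agent to $uri"
    return when (outcome) {
        is DispatchOutcome.VerifierResponse.Accepted -> "show local success screen"
        is DispatchOutcome.VerifierResponse.Rejected ->
            "show local error screen (verifier returned HTTP ${outcome.status})"
    }
}

fun main() {
    // Constructed responses, not captured from a real verifier.
    val samples = listOf(
        HttpResponse(200, """{"redirect_uri":"https://verifier.example/cb?response_code=abc123"}"""),
        HttpResponse(200, """{}"""),
        HttpResponse(400, """{"error":"invalid_request","redirect_uri":"https://verifier.example/error?reason=expired"}"""),
        HttpResponse(400, """{"error":"invalid_request","redirect_uri":"javascript:alert(1)"}"""),
    )
    for (sample in samples) {
        val outcome = toDispatchOutcome(sample)
        println("${sample.status} -> $outcome -> ${nextUserAgentAction(outcome)}")
    }
}
```

The fourth sample shows why the wallet should validate the URI regardless of outcome: a rejected response is still verifier-controlled input, and following an arbitrary `redirect_uri` from it would hand the verifier the same power over the user agent as on the happy path.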