eu-digital-identity-wallet / eudi-srv-web-verifier-endpoint-23220-4-kt

Web application (Backend Restful service) that acts as a Verifier/RP trusted end-point.
Apache License 2.0

Missing `redirect_uri` for `x509_san_dns` Identifier Scheme (see #79) #154

Closed JesusMcCloud closed 3 months ago

JesusMcCloud commented 3 months ago

The sample requests using x509_san_dns as identifier scheme are missing a redirect_uri.

As per https://openid.net/specs/openid-4-verifiable-presentations-1_0.html:

When the Client Identifier Scheme is x509_san_dns, the Client Identifier MUST be a DNS name and match a dNSName Subject Alternative Name (SAN) RFC5280 entry in the leaf certificate passed with the request. The request MUST be signed with the private key corresponding to the public key in the leaf X.509 certificate of the certificate chain added to the request in the x5c JOSE header RFC7515 of the signed request object.

The Wallet MUST validate the signature and the trust chain of the X.509 certificate. All Verifier metadata other than the public key MUST be obtained from the client_metadata parameter. If the Wallet can establish trust in the Client Identifier authenticated through the certificate, e.g. because the Client Identifier is contained in a list of trusted Client Identifiers, it may allow the client to freely choose the redirect_uri value. If not, the FQDN of the redirect_uri value MUST match the Client Identifier.

The issue here is a violation of the very last requirement:

the FQDN of the redirect_uri value MUST match the Client Identifier.

However, the request does not set redirect_uri. Hence, verification fails.

Reporting this as a new issue, since #79 is already closed.
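To make the quoted rules concrete, here is an added example (not code from this repository or from the OpenID4VP specification) of the wallet-side check in Go. ValidateX509SanDNS and ConstructedLeaf are hypothetical names, the trusted map is an assumed representation of the wallet's list of trusted Client Identifiers, and the request signature and certificate chain are assumed to have been verified before this step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// ValidateX509SanDNS applies the x509_san_dns rules to the leaf certificate the
// wallet took from the x5c header. Signature and trust-chain checks are assumed
// done already; trusted is the wallet's trusted Client Identifier list (assumed shape).
func ValidateX509SanDNS(leaf *x509.Certificate, clientID, redirectURI string, trusted map[string]bool) error {
	// Rule 1: client_id MUST equal a dNSName SAN entry of the leaf certificate.
	matched := false
	for _, san := range leaf.DNSNames {
		matched = matched || san == clientID
	}
	if !matched {
		return errors.New("client_id does not match any dNSName SAN of the leaf certificate")
	}
	// Rule 2: a trusted client may choose redirect_uri freely; for any other client
	// the FQDN of redirect_uri MUST equal client_id, so an absent redirect_uri fails.
	if trusted[clientID] {
		return nil
	}
	u, err := url.Parse(redirectURI)
	if err != nil || u.Hostname() != clientID {
		return errors.New("redirect_uri missing, malformed, or its FQDN does not match client_id")
	}
	return nil
}

// ConstructedLeaf builds a self-signed certificate (constructed sample input) with the given SAN dNSName entries.
func ConstructedLeaf(dnsNames []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return leaf
}
```

As the maintainer's reply below notes, direct_post and direct_post.jwt requests carry no redirect_uri, so this check only applies where a redirect_uri is expected.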

babisRoutis commented 3 months ago

Hi @JesusMcCloud

Thanks for reporting this.

I believe that you must take into account that when using direct_post or direct_post.jwt there is no redirect_uri. In addition, the rules for redirect_uri that you mention are applicable to the redirect_uri in this case.

A while ago, I had opened a related issue on the specification (https://github.com/openid/OpenID4VP/issues/116), about improving the description of these rules. Please take a look at the authors' response.

JesusMcCloud commented 3 months ago

Thank you very much for the explanation and the pointer! Everything's cleared up now.