Open Sakurann opened 4 months ago
seems to be multiple issues:
expected_origins
need to be included in the unsigned requests? current thinking is no, because JS injection is possible.expected_origins
need to be included in the response? in the unsigned request client_id == expected_origins, so already included in the response. For signed requests, aud
is also probably sufficient -> need more text clarifying these.
Given that binding to the origin is an important security feature, it is important to give more context on how the origin is used. This means we need to cover the following items in this PR:
_Originally posted by @martijnharing in https://github.com/openid/OpenID4VP/pull/155#discussion_r1668834787_