openid / OpenID4VP


Clarify how to encode Authorization Request by-reference when using redirect_uri client id scheme #292

Closed mickrau closed 3 weeks ago

mickrau commented 3 weeks ago

Note: This issue is not about enforcing the use of JAR (#79) or removing client id scheme = redirect_uri (#269).

Reading the spec, it is not clear to me how to use client id scheme = redirect_uri with Authorization Request by reference (with redirect_uri).

References:

OpenId4VP chapter 5:

The Verifier MAY send an Authorization Request as a Request Object either by value or by reference, as defined in the JWT-Secured Authorization Request (JAR) [RFC9101].

OpenId4VP chapter 5.10.4:

redirect_uri: This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed. ..

RFC9101 5.

The Authorization Request Object MUST be one of the following: (a) JWS signed (b) JWS signed and JWE encrypted

My proposal: I prefer option a (encode unsigned Authorization Request as plain JSON). This should be made clear in chapter 5:

The Verifier MAY send an Authorization Request as a Request Object either by value or by reference, as defined in the JWT-Secured Authorization Request (JAR) [RFC9101]. An unsigned Authorization Request MUST be encoded as a plain JSON object.

jogu commented 3 weeks ago

The way defined in the specs today is that the request_uri would need to return a JWT that is unsigned - i.e. uses "alg": "none". This is what the conformance tests do I believe.

I understand the reason for preferring plain JSON, but we're also mindful about breaking compatibility with RFC9101. There's an issue here as well: https://github.com/openid/OpenID4VP/issues/130
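Added example (not code from the OpenID4VP project or from either commenter) of what a wallet fetching a request by reference under the redirect_uri scheme has to handle given the two encodings discussed above: the plain JSON object proposed by mickrau and the unsigned JWT with "alg": "none" that jogu describes. It also applies the rule quoted from chapter 5.10.4, that the Client Identifier without the redirect_uri: prefix must equal the redirect_uri (or response_uri for direct_post) and that the request must not be signed. The URLs and nonce in the sample request are constructed placeholders.

```python
import base64
import json

PREFIX = "redirect_uri:"

def _b64url(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_unsigned_jwt(claims: dict) -> str:
    # Unsecured JWS per RFC 7515: header {"alg":"none"}, payload, empty signature.
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."

def decode_request_object(body: str) -> dict:
    # Accept either encoding from the thread: a plain JSON object, or an
    # unsigned JWT ("alg": "none"). Anything signed is rejected, since the
    # redirect_uri scheme says the request MUST NOT be signed.
    body = body.strip()
    if body.startswith("{"):
        return json.loads(body)
    parts = body.split(".")
    if len(parts) != 3:
        raise ValueError("expected a plain JSON object or an unsigned JWT")
    if json.loads(_b64url(parts[0])).get("alg") != "none" or parts[2] != "":
        raise ValueError("redirect_uri scheme requires an unsigned request object")
    return json.loads(_b64url(parts[1]))

def validate_redirect_uri_request(body: str) -> str:
    # Wallet-side check: the Client Identifier without the prefix must equal
    # redirect_uri, or response_uri when response_mode is direct_post.
    request = decode_request_object(body)
    client_id = request.get("client_id", "")
    if not client_id.startswith(PREFIX):
        raise ValueError("client_id does not use the redirect_uri scheme")
    expected = client_id[len(PREFIX):]
    key = "response_uri" if request.get("response_mode") == "direct_post" else "redirect_uri"
    if request.get(key) != expected:
        raise ValueError(f"{key} does not match the client_id")
    return expected

# Constructed sample request; the values are illustrative, not from the issue.
SAMPLE_REQUEST = {
    "client_id": "redirect_uri:https://verifier.example/cb",
    "response_mode": "direct_post",
    "response_uri": "https://verifier.example/cb",
    "nonce": "constructed-nonce-123",
}
```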

mickrau commented 3 weeks ago

Thanks @jogu for your response and the hint about the conformance test.