openid / OpenID4VP


redirect_uri client_id_scheme: is response_uri optional? #93

Closed jogu closed 3 months ago

jogu commented 9 months ago

When using client_id_scheme=redirect_uri, you can omit redirect_uri as per https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#client_metadata_management :

the Verifier MAY omit the redirect_uri Authorization Request parameter

It would be logical to assume that when using direct_post + client_id_scheme=redirect_uri you can also omit response_uri; however, I think the current text is not clear. We should probably be explicit.

awoie commented 9 months ago

The only text we have that would cover this is:

The response_uri value MUST be a value that the client would be permitted to use as redirect_uri when following the rules defined in Section 5.7.

I agree that this is not very clear but according to the text above I'd assume it can be omitted.

Sakurann commented 9 months ago

We should add a general sentence that when direct_post is used, all restrictions that other response modes have on redirect_uri apply to the response_uri request parameter. Feels better than patching each instance.

javereec commented 9 months ago

I think the following also relates to this clause, which I find confusing (Section 5.7):

redirect_uri: This value indicates that the Verifier's redirect URI is also the value of the Client Identifier. In this case, the Authorization Request MUST NOT be signed, the Verifier MAY omit the redirect_uri Authorization Request parameter, and all Verifier metadata parameters MUST be passed using the client_metadata or client_metadata_uri parameter defined in Section 5.

In the case of Response Mode direct_post, the Client Identifier should be equal to response_uri.

My first idea would be to change the wording slightly to clarify:

redirect_uri: This value indicates that the Verifier's redirect URI or response URI is also the value of the Client Identifier. In this case, the Authorization Request MUST NOT be signed, the Verifier MAY omit the redirect_uri Authorization Request parameter, and all Verifier metadata parameters MUST be passed using the client_metadata or client_metadata_uri parameter defined in Section 5.

Sakurann commented 9 months ago

@javereec Yes, I think the text you point out is one of the places that need to be changed.

Sakurann commented 7 months ago

It would be logical to assume that when using direct_post + client_id_scheme=redirect_uri you can also omit response_uri, however I think the current text is not clear. We should probably be explicit.

@jogu I re-read the text and I think it is clear that the sentence you point out applies to any response mode. I mean, response mode is orthogonal to client_id_schemes. I think we can keep the text as-is?
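As an added illustration of the check the thread is debating (example code, not from the OpenID4VP specification or this repository), here is how a Wallet might resolve the endpoint it will send the response to under client_id_scheme=redirect_uri, following the reading the thread arrives at: the "MAY omit" rule covers response_uri under direct_post just as it covers redirect_uri for other response modes. The AuthzRequest container, its `signed` field and the InvalidRequest type are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional


class InvalidRequest(Exception):
    """Raised when an Authorization Request breaks the redirect_uri scheme rules."""


@dataclass(frozen=True)
class AuthzRequest:
    """Minimal view of an OpenID4VP Authorization Request (constructed for this example)."""
    client_id: str
    client_id_scheme: str
    response_mode: str                 # e.g. "direct_post" or "fragment"
    redirect_uri: Optional[str] = None
    response_uri: Optional[str] = None
    signed: bool = False               # assumption: True if the request came as a signed JWT


def resolve_response_endpoint(req: AuthzRequest) -> str:
    """Return the URI the Wallet will deliver the response to, after applying the
    Wallet-side checks for client_id_scheme=redirect_uri."""
    # direct_post carries the endpoint in response_uri; other modes in redirect_uri
    param = "response_uri" if req.response_mode == "direct_post" else "redirect_uri"
    endpoint = getattr(req, param)

    if req.client_id_scheme != "redirect_uri":
        # Other schemes have no implicit endpoint, so the parameter must be present
        if endpoint is None:
            raise InvalidRequest(f"{param} is required for scheme {req.client_id_scheme}")
        return endpoint

    # Section 5.7: with this scheme the request MUST NOT be signed
    if req.signed:
        raise InvalidRequest("signed request not allowed with client_id_scheme=redirect_uri")

    # The Client Identifier *is* the endpoint, so an omitted parameter defaults to it
    # (thread's interpretation: this applies regardless of response mode)
    if endpoint is None:
        return req.client_id

    # If the parameter is present it must equal client_id exactly; anything else
    # would let a Verifier redirect the response to a URI it has not identified itself by
    if endpoint != req.client_id:
        raise InvalidRequest(f"{param} {endpoint!r} does not match client_id {req.client_id!r}")
    return endpoint
```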