Open nanderstabel opened 7 months ago
The version in VP is more recent (and was deliberately changed to add things like returned redirect_uri
so probably that one is the one to follow.
It's clearly bad to have both specifications claiming to define the direct_post
response_mode
as that's something that should only be defined once, that will need to be resolved at some point.
Ok that makes sense, thanks for clarifying!
The Cross-Device SIOPv2 Request as described here is pretty straightforward:
response_mode
must bedirect_post
(side note: this example still usespost
instead ofdirect_post
)redirect_uri
.However, in OID4VP the flow is slightly different:
response_mode
must bedirect_post
response_uri
. Andredirect_uri
MUST not even be present in the authorization request.redirect_uri
.I wonder if there is a specific reason for why this flow is different between these two specs. Would it make sense to add the flow as described in OID4VP to the SIOPv2 spec as well?