Response mode `direct_post` description seems inconsistent with OID4VP

[nanderstabel]

The Cross-Device SIOPv2 Request as described here is pretty straightforward:

• The response_mode must be direct_post (side note: this example still uses post instead of direct_post)
• This endpoint to which the Self-Issued OP shall deliver the authentication result is conveyed in the standard parameter redirect_uri.

However, in OID4VP the flow is slightly different:

• The response_mode must be direct_post
• Now here, the response MUST be sent to the endpoint conveyed in the response_uri. And redirect_uri MUST not even be present in the authorization request.
• The Response endpoint MAY return a redirect_uri.

I wonder if there is a specific reason for why this flow is different between these two specs. Would it make sense to add the flow as described in OID4VP to the SIOPv2 spec as well?

[jogu]

The version in VP is more recent (and was deliberately changed to add things like returned redirect_uri so probably that one is the one to follow.

It's clearly bad to have both specifications claiming to define the direct_post response_mode as that's something that should only be defined once, that will need to be resolved at some point.

[nanderstabel]

Ok that makes sense, thanks for clarifying!