openid / oid4vc-haip-sd-jwt-vc

High Assurance Profile of OID4VP and OID4VCI using SD-JWT VC and mdocs that is privacy preserving, secure, and meets regulatory requirements

OpenID4VP: Replace redirect_uri with response_uri for Response Mode direct_post #71

Closed cryptphil closed 7 months ago

cryptphil commented 1 year ago

The HAIP specifies in Section 5 for OpenID4VP that:

Response mode MUST be direct_post with redirect_uri as defined in Section 6.2 of OID4VP.

However, redirect_uri must not be present when the Response Mode is direct_post as described in the OpenID4VP specs in Section 6.2-7.2:

If the redirect_uri Authorization Request parameter is present when the Response Mode is direct_post, the Wallet MUST return an invalid_request Authorization Response error.

Therefore, I assume that the HAIP should use response_uri instead of redirect_uri which would align with the OpenID4VP specs.

paulbastian commented 1 year ago

I think you are correct. To complicate things, the 200 Response to this may again include a redirect_uri see: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-6.2-18.2

c2bo commented 11 months ago

> I think you are correct. To complicate things, the 200 Response to this may again include a redirect_uri see: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-6.2-18.2

Stumbled over this today as well - is my understanding correct that this is necessary to prevent the session fixation attack described in 12.2? If so, should we add this as a recommended/required step in this profile (mandating a redirect_uri as a response to the direct_post flow)?
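As an added illustration of the two points raised in this thread (not code from the HAIP or OpenID4VP projects): a Wallet-side check that rejects a direct_post request carrying redirect_uri and requires response_uri, and a Verifier-side handler whose 200 reply to the POST returns a redirect_uri with a fresh single-use response_code bound to the session that started the flow, which is what the redirect buys against session fixation. The parameter names come from OID4VP; the Verifier class, its in-memory session store and the URL values are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse

# Constructed example: OID4VP parameter names (response_mode, response_uri,
# redirect_uri, response_code, state, vp_token, invalid_request) are from the
# spec; the Verifier class and its in-memory session store are assumptions.
def validate_direct_post_request(params: dict) -> dict:
    """Wallet side: accept a direct_post request only if it names an https
    response_uri and carries no redirect_uri; otherwise answer invalid_request."""
    if params.get("response_mode") != "direct_post":
        return {"ok": False, "error": "invalid_request"}
    if "redirect_uri" in params:  # forbidden together with direct_post
        return {"ok": False, "error": "invalid_request"}
    response_uri = params.get("response_uri", "")
    parsed = urlparse(response_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        return {"ok": False, "error": "invalid_request"}
    return {"ok": True, "response_uri": response_uri}


class Verifier:
    """Verifier side: the 200 reply to the Wallet's POST carries a redirect_uri
    with a single-use response_code tied to the session that started the flow."""

    def __init__(self, redirect_base: str):
        self.redirect_base = redirect_base
        self.sessions = {}  # state -> {"vp_token": ..., "response_code": ...}

    def start_session(self) -> str:
        state = secrets.token_urlsafe(16)
        self.sessions[state] = {"vp_token": None, "response_code": None}
        return state

    def handle_direct_post(self, form: dict) -> dict:
        session = self.sessions.get(form.get("state", ""))
        vp_token = form.get("vp_token")
        if session is None or not vp_token or session["vp_token"] is not None:
            return {"status": 400, "body": {"error": "invalid_request"}}  # unknown/replayed
        session["vp_token"] = vp_token
        session["response_code"] = secrets.token_urlsafe(16)
        query = urlencode({"response_code": session["response_code"]})
        return {"status": 200, "body": {"redirect_uri": f"{self.redirect_base}?{query}"}}

    def finish(self, state: str, response_code: str) -> bool:
        """Browser lands on redirect_uri: succeed only if the code matches, then burn it."""
        session = self.sessions.get(state)
        if session is None or session["response_code"] is None:
            return False
        ok = secrets.compare_digest(session["response_code"], response_code)
        session["response_code"] = None
        return ok
```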

paulbastian commented 11 months ago

If we mandate redirect, we mandate the same device flow, correct? So I'm unsure

Sakurann commented 11 months ago

OID4VP currently does not limit the usage of redirects after direct_post to only same-device flows, even though the security benefit that this redirect gives for the same-device case does not apply for cross-device flows. Before we make any clarifications on this topic in HAIP, we should probably make it clearer in oid4vp itself. Here is the issue :) https://github.com/openid/OpenID4VP/issues/25