Daniel Fett
> What about setting the alg=none in kb-jwt? Not allowed in SD-JWT (for good reasons, it only led to problems in the past).
Yes, partial matching is dangerous. Precise matching should be applied. Besides this, what exactly are the attacks randomization protects against?
@peppelinux But that's talking about Request URIs, not Redirect URIs. That's not what I would consider an RP endpoint.
> Even if not supported by OAuth 2.0 specification, OIDC Core 1.0 defines the use of fragments in the redirect_uri endpoint https://openid.net/specs/openid-connect-core-1_0.html#ImplicitCallback The server attaches a fragment to transfer the...
@jogu PR #263 changes the title of the section to "Client Identifier Scheme and Verifier Metadata Management"
I suspect that this can be closed since we don't have PE any longer...
Then that should be made a little bit more explicit in the text. Question C remains.
Not sure if we need to define the actual algorithm, but the text should be more normative and enforce those things listed by @marcoscaceres above, e.g.: > (...) MUST be...
@davux > If multiple languages is a bad thing, why was DCQL introduced in the first place as an alternative to PE? For many years, OpenID4VP had only PE as...
> > **... discuss the JSON examples first!** > > IMHO this would be so much easier to do if the examples were just inline with the text defining or...