What is effective client_id in unsigned browser requests?
The browser API appendix says:
The `client_id` and `client_id_scheme` MUST be omitted in unsigned requests defined in (#unsigned_request). The Wallet determines the Client Identifier from the origin as asserted by the Web Platform and/or app platform.
I'm not clear if "determines" here means "client_id is the origin". If it's not, we need to say what we do mean, as the verifier needs to know what value it needs to check for in aud in the response.
In the unsigned request section it says:
In this case, the Wallet will use the Verifier's origin as asserted by the Browser as the Verifier's Client Identifier
So I think we just need to update the language in the "determines" clause to make it more direct.
https://github.com/openid/OpenID4VP/pull/263#discussion_r1775606935 if accepted and then the PR merged, I think, might address this issue
addressed in PR #263