OpenID4VP

(Question) How does a wallet find response_uri and its legitimacy?

Open sakimura opened this issue 8 months ago • 2 comments

Sorry if it was answered before, but my search did not give an answer. This question came up while writing the privacy considerations.

  • How does a wallet find response_uri and its legitimacy?

Figure 3 seems to indicate that it is sent as part of the Authorization Request. However, it does not appear in 5.1. New Parameters.

Client metadata in RFC7591 of course does not have it. 11.1. Additional Verifier Metadata Parameters only specifies vp_formats.

Let me know.

sakimura avatar Apr 05 '25 09:04 sakimura

It's described as part of the client identifier prefixes section. In summary:

  • When the verifier is pre-registered with the wallet in OAuth style (client_id_prefix pre-registered), the usual OAuth 2.0 rules apply. With client_id_prefix redirect_uri, the wallet cannot establish that trust; this prefix is more for PoC implementation purposes.
  • For the rest of the client identifier schemes (which are what we see in almost all implementations), the wallet verifies the signature on the request and thereby establishes trust in the parameters in that request.
  • An unsigned request over the DC API is a slight deviation, since there the trust comes from origin binding, i.e. the wallet validating that the origin in the request matches the origin from the platform.

It is also worth noting that the vast majority of implementations use response mode direct_post, where the VP token is POSTed to the verifier's backchannel endpoint, and not in the redirect to the frontchannel.

Sakurann avatar Apr 05 '25 10:04 Sakurann

I guess it might be for 1.1, but the following text in 8.2 can be moved to 5.1. That will make it easier to read.

The following new Authorization Request parameter is defined to be used in conjunction with Response Mode direct_post:

response_uri: REQUIRED when the Response Mode direct_post is used. The URL to which the Wallet MUST send the Authorization Response using an HTTP POST request as defined by the Response Mode direct_post. The Response URI receives all Authorization Response parameters as defined by the respective Response Type. When the response_uri parameter is present, the redirect_uri Authorization Request parameter MUST NOT be present. If the redirect_uri Authorization Request parameter is present when the Response Mode is direct_post, the Wallet MUST return an invalid_request Authorization Response error. The response_uri value MUST be a value that the client would be permitted to use as redirect_uri when following the rules defined in Section 5.8.

Regarding the trust establishment, I guess what you described should go into the Privacy considerations as well.

sakimura avatar Apr 05 '25 18:04 sakimura
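The trust decision described in Sakurann's reply, combined with the response_uri / redirect_uri rules quoted from 8.2 above, as an added example that is not part of this thread, the specification, or any OpenID4VP implementation. It models a wallet receiving a direct_post Authorization Request and deciding where the VP token may be POSTed: a pre-registered client (client_id without a prefix, an assumption here) gets the OAuth-style exact match against registered redirect URIs; a client whose request object is signed gets trust from the signature; the redirect_uri prefix yields no trust; DC API origin binding is not modelled. The HS256 shared-secret signature, the key table standing in for prefix-specific key resolution (for x509_san_dns that would come from the request's certificate chain), the https requirement on response_uri, the client identifiers, the `openid4vp://` request URL and all inputs are constructed for the example.

```python
"""Constructed wallet-side check of response_uri for a direct_post request.

Not code from the OpenID4VP specification or any implementation. Signatures
use HS256 with a shared secret so the example runs on the standard library;
RESOLVED_KEYS stands in for keys the wallet would obtain via the client
identifier prefix. Both tables and all identifiers are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed wallet trust data.
PRE_REGISTERED = {  # OAuth-style registration: client_id carries no prefix (assumption)
    "verifier-123": {"redirect_uris": ["https://verifier.example/vp/response"],
                     "key": b"constructed-secret-A"},
}
RESOLVED_KEYS = {  # stand-in for prefix-specific key resolution (e.g. from x5c for x509_san_dns)
    "x509_san_dns:verifier.example": b"constructed-secret-B",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Verifier side: JWS compact serialization of the request object (HS256 stand-in)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def build_request_url(params: dict) -> str:
    """Verifier side: the Authorization Request as the wallet receives it."""
    return "openid4vp://authorize?" + urlencode(params)


def _verify_request_object(jws: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature verifies under key, else None."""
    try:
        header, payload, sig = jws.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def check_direct_post_request(url: str) -> dict:
    """Wallet side. Returns {"response_uri", "trust"} or {"error", "detail"}."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client_id = query.get("client_id")
    if client_id is None:
        return {"error": "invalid_request", "detail": "client_id missing"}

    signed = "request" in query
    if signed:
        # Which key to verify with depends on how the wallet knows this client.
        key = (PRE_REGISTERED.get(client_id) or {}).get("key") or RESOLVED_KEYS.get(client_id)
        if key is None:  # also covers redirect_uri: clients, whose requests are unsigned
            return {"error": "invalid_request", "detail": "no key to verify request object"}
        params = _verify_request_object(query["request"], key)
        if params is None:
            return {"error": "invalid_request_object", "detail": "signature check failed"}
        if params.get("client_id") != client_id:
            return {"error": "invalid_request", "detail": "client_id mismatch"}
    else:
        params = query  # unsigned: parameters are only as trustworthy as the channel

    if params.get("response_mode") != "direct_post":
        return {"error": "invalid_request", "detail": "example handles direct_post only"}
    if "redirect_uri" in params:  # 8.2: redirect_uri MUST NOT be present with direct_post
        return {"error": "invalid_request", "detail": "redirect_uri present with direct_post"}
    response_uri = params.get("response_uri")
    if not response_uri:  # 8.2: response_uri REQUIRED for direct_post
        return {"error": "invalid_request", "detail": "response_uri missing"}
    if urlparse(response_uri).scheme != "https":  # assumption of this example
        return {"error": "invalid_request", "detail": "response_uri must be https"}

    # Trust basis, following the three cases in the thread.
    if client_id in PRE_REGISTERED:
        # Usual OAuth 2.0 rule: exact match against what the client registered.
        if response_uri not in PRE_REGISTERED[client_id]["redirect_uris"]:
            return {"error": "invalid_request", "detail": "response_uri not registered"}
        return {"response_uri": response_uri, "trust": "pre-registered"}
    if client_id.startswith("redirect_uri:"):
        # Self-asserted: consistency check only, no trust can be established.
        if client_id[len("redirect_uri:"):] != response_uri:
            return {"error": "invalid_request", "detail": "response_uri differs from client_id"}
        return {"response_uri": response_uri, "trust": "none"}
    if not signed:
        return {"error": "invalid_request", "detail": "unsigned request from unregistered client"}
    return {"response_uri": response_uri, "trust": "signed request"}
```

The returned `trust` value is what the privacy and security considerations hinge on: only the first two outcomes justify POSTing a VP token to the URI, and a wallet would surface the "none" case to the user (or refuse it outside PoC settings) rather than silently sending credentials to a self-asserted endpoint.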