OpenID4VP

Clarification to mandatory use of client_id

Open 101Coder101 opened this issue 7 months ago • 4 comments

The client_id is said to be mandatory (section "5.2. Existing Parameters"), yet Appendix "A.2. Request" mentions it MUST be omitted in unsigned requests without giving any further information. This appears contradictory.

Section "5.9.3. Defined Client Identifier Prefixes" defines origin as an option for the client identifier prefix, yet the first bullet point in "A.5. Security Considerations" seems to hint at the client_id being removed.

This wording should be clearer to avoid confusion. One example would be to reference Appendix A directly in "5.9.3. Defined Client Identifier Prefixes" and define all DC API specifics there.

101Coder101, May 13 '25 21:05

@101Coder101 Thanks for raising these issues! To use your suggestions we need to confirm if you've signed an OIDF contribution agreement (https://openid.net/intellectual-property/openid-foundation-contribution-agreements/). Could you drop an email to the chairs at openid-specs-digital-credentials-protocols-owner@lists.openid.net referencing this issue, please?

jogu, May 14 '25 14:05

> @101Coder101 Thanks for raising these issues! To use your suggestions we need to confirm if you've signed an OIDF contribution agreement (https://openid.net/intellectual-property/openid-foundation-contribution-agreements/). Could you drop an email to the chairs at openid-specs-digital-credentials-protocols-owner@lists.openid.net referencing this issue, please?

@jogu I have just sent an email as a confirmation.

101Coder101, May 16 '25 09:05

Great, thanks @101Coder101 - I confirmed we have a contribution agreement so we're all good.

jogu, May 16 '25 16:05

> The client_id is said to be mandatory (section "5.2. Existing Parameters"), yet Appendix "A.2. Request" mentions it MUST be omitted in unsigned requests without giving any further information. This appears contradictory.

A.2 is separate and fully self-contained. 5.2 does not apply to A.2 unless referenced by A.2 directly, which is not the case.

> Section "5.9.3. Defined Client Identifier Prefixes" defines origin as an option for the client identifier prefix, yet the first bullet point in "A.5. Security Considerations" seems to hint at the client_id being removed.

See answer above.

> This wording should be clearer to avoid confusion. One example would be to reference Appendix A directly in "5.9.3. Defined Client Identifier Prefixes" and define all DC API specifics there.

See answer above. We chose the other way around. We reference sections from the main part of the spec (i.e. redirect-based invocation) within Annex A.

Does this make sense?

awoie, May 20 '25 15:05