Clarification on allowed `request_uri_method`

[dzarras]

Currently HAIP dictates the following during presentation of VCs:

Signed Authorization Requests MUST be used by utilizing JWT-Secured Authorization Request (JAR) RFC9101 with the request_uri parameter.

Per RFC9101 the only supported HTTP Method is GET.
OpenId4VP though, has introduced support for HTTP Method POST via request_uri_method, as well.

Judging from this comment, it appears that when using HAIP, only request_uri_method get must be used.

Could you please clarify/verify the above?
Would it also be possible to add a clarification to the profile and make explicit the requirement for request_uri_method?

Kind regards

[jogu]

Discussed on today's WG call - both the verifier and the wallet are required (by VP) to support the GET mode, so in theory there's no interop problem even if either party also supports POST.

In the recent EU interop there were some issues that arose in practice though. We could potentially add some wording in an errata of HAIP that suggests that support POST is unnecessary in the HAIP case.

Joseph will also raise an issue to add checks for POST mode in the conformance suite, including that parties correctly support the GET callback.