Fix: Replace redirect_uri with response_uri for direct_post Response Mode #73
Conversation
In response mode direct_post, after the wallet sends an HTTP POST request to the verifier, there are two possibilities:
- the flow ends there
- the verifier returns redirect_uri and the wallet redirects the user to the verifier front end
This sentence intends to mean option 2.
Made some more suggestions since the original text I suggested was pretty awkward. Approving assuming something like my current suggestions would be accepted.
See also openid/OpenID4VP#72
Signed-off-by: Philipp-Florens Lehwalder <philipp.lehwalder@lissi.id>
Co-authored-by: Kristina <52878547+sakurann@users.noreply.github.com>
Signed-off-by: Philipp-Florens Lehwalder <philipp.lehwalder@lissi.id>
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Signed-off-by: Philipp-Florens Lehwalder <philipp.lehwalder@lissi.id>
4b85b73 to 1ab7a48
@@ -204,7 +204,7 @@ This is an example of a Wallet Instance Attestation: | |||
* MUST support protocol extensions for SD-JWT VC credential format profile as defined in this specification (#vc_sd_jwt_profile). | |||
* As a way to invoke the Wallet, at least a custom URL scheme `haip://` MUST be supported. Implementations MAY support other ways to invoke the wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes. | |||
* Response type MUST be `vp_token`. | |||
* Response mode MUST be `direct_post` with `redirect_uri` as defined in Section 6.2 of [@!OIDF.OID4VP]. | |||
* Response mode MUST be `direct_post`. The Verifier MUST return `redirect_uri` in response to the HTTP POST request from the Wallet, where the Wallet redirects the User to, as defined in Section 6.2 of [@!OIDF.OID4VP]. Implementation considerations for the response mode `direct_post` are given in Section 11.5 of [@!OIDF.OID4VP]. |
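Review bot: the added bullet never names `response_uri`, although the PR title and description say the Authorization Request parameter changes from `redirect_uri` to `response_uri`; consider stating that the request carries `response_uri` and that the `redirect_uri` mentioned here is the value the Verifier returns in its response to the POST, so readers do not confuse the two. The clause "where the Wallet redirects the User to" also reads awkwardly; "to which the Wallet then redirects the User" is clearer. And since the thread questions whether this applies to cross-device flows, the MUST should say which flows it covers.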
Are we sure we want the redirect_uri in cross-device scenarios, too? Otherwise, this text is too generic.
But doesn't the session fixation attack described in 12.2 apply to cross-device flows with direct_post when the redirect_uri is not used? At least that's how I understood this attack.
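An added example, not code from the HAIP or OpenID4VP projects, of the direct_post flow described earlier in this thread (Wallet POSTs, Verifier answers with `redirect_uri`) and of why that returned `redirect_uri` matters for the session fixation question above: the Verifier binds the finishing browser session to the transaction with a single-use code. The in-memory stores, the `https://verifier.example/finish` base URL and the function names are assumptions.

```python
import secrets

# Constructed in-memory state standing in for a Verifier backend (assumption,
# not the HAIP/OpenID4VP projects' code). One entry per Authorization Request.
TRANSACTIONS = {}  # state -> {"nonce": str, "vp_token": str | None}
RESPONSE_CODES = {}  # single-use response_code -> state
REDIRECT_BASE = "https://verifier.example/finish"  # constructed placeholder


def start_transaction():
    """Verifier side: mint a fresh state and nonce for a new request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    TRANSACTIONS[state] = {"nonce": nonce, "vp_token": None}
    return state, nonce


def handle_direct_post(form):
    """Response endpoint (the request's response_uri) handling the Wallet's POST.

    Returns (http_status, json_body). On success the body carries a redirect_uri
    that includes a fresh, single-use response_code, so only the browser that
    receives it through the Wallet can complete the transaction; a party who
    planted the state in someone else's session never learns the code."""
    tx = TRANSACTIONS.get(form.get("state", ""))
    if tx is None or tx["vp_token"] is not None:
        return 400, {"error": "invalid_request"}  # unknown or already-answered state
    # Nonce binding of the VP itself is checked when the token is verified (omitted).
    tx["vp_token"] = form["vp_token"]
    code = secrets.token_urlsafe(32)
    RESPONSE_CODES[code] = form["state"]
    return 200, {"redirect_uri": f"{REDIRECT_BASE}?response_code={code}"}


def finish_in_browser(response_code):
    """Verifier front end reached via redirect_uri: redeem the code once and
    return the vp_token it unlocks, or None for an unknown or reused code."""
    state = RESPONSE_CODES.pop(response_code, None)
    if state is None:
        return None
    return TRANSACTIONS[state]["vp_token"]
```

Without the returned `redirect_uri` (the cross-device case questioned above) there is no such code to bind the session, which is exactly the gap the thread is discussing.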
that's true - question is whether this means HAIP must be narrowed to same device or whether there are situations where this could be otherwise detected (note: this is a problem with all oob protocols)
@danielfett what do you think?
This probably needs to be clarified in the 4VP spec itself; there is an issue openid/OpenID4VP#25.
But if we can go ahead and limit it in HAIP, I would not be against it, but that is probably out of scope for this PR.
Closes #71.
📑 Description
The HAIP currently defines that the response mode has to be `direct_post` with `redirect_uri`. However, using `redirect_uri` isn't allowed in the OpenID4VP spec for `direct_post`. Therefore, this PR proposes to change the Authorization Request parameter to `response_uri`.