Are we sure we want the redirect_uri in cross device scenarios, too?

[Sakurann]

Response mode MUST be direct_post.jwt. The Verifier MUST return redirect_uri in response to the HTTP POST request from the Wallet, where the Wallet redirects the User to, as defined in Section 8.2 of [OIDF.OID4VP]. Implementation considerations for the response mode direct_post.jwt are given in Section 14.3 of [OIDF.OID4VP].

from https://openid.github.io/oid4vc-haip/openid4vc-high-assurance-interoperability-profile-wg-draft.html#section-5-2.3

Are we sure we want the redirect_uri in cross device scenarios, too? Otherwise, this text is to generic.

Originally posted by @tlodderstedt in #73 (comment)

[jogu]

Discussed on WG today (in particular whether cross-device without browser DC API should be allowed at all for high assurance use cases given it's inherent phishability), Daniel to think about this and answer #73 (comment) and this also depends on the definition of "high assurance" as per #189 - Daniel & Torsten to discuss and come back with proposal.

[Sakurann]

wg discussion:

• suggestion is to prohibit cross device with redirects (=vanilla openid4vp) using direct_post.jwt. would say something like as a verifier, MUST reject responses what do not include redirect_url back.
• if we prohibit cross device with redirects, that would prevent cross-device implementations for a while (until dc api matures more)

[paulbastian]

Included this in #228 as merging would have seemed complicated otherwise.

[jogu]

Discussed on this morning's WG call:

Does this prevent wallets from implementing cross-device for non-high assurance cases? That would seem like an undesirable outcome.

Also due to DC API not being widely available yet (e.g. on iOS, or for web wallets), HAIP should consider (at least in 1.0) allowing cross device flows using redirects as otherwise some use cases won't work.

[charsleysa]

Outright prohibiting implementations from supporting non-DCAPI cross-device flows is too extreme, at the very minimum they should be allowed to support these flows even if they are not considered HAIP. There needs to be support for in-person cross device use cases with high assurance identity credentials without the use of DC API as it simply has poor coverage and would impede the adoption of digital credentials if those use cases are not catered for.

[jogu]

reopening this - we removed the relevant change from #228 as it seemed like more discussion is needed.