Conversation
Sakurann
left a comment
In response mode direct_post, after the wallet sends an HTTP POST request to the verifier, there are two possibilities:
- the flow ends there
- the verifier returns redirect_uri and the wallet redirects the user to the verifier front end
This sentence intends to mean option 2.
Sakurann
left a comment
Made some more suggestions since the original text I suggested was pretty awkward. Approving assuming something like my current suggestions would be accepted.
See also openid/OpenID4VP#72
Signed-off-by: Philipp-Florens Lehwalder <philipp.lehwalder@lissi.id>
Co-authored-by: Kristina <52878547+sakurann@users.noreply.github.com>
Signed-off-by: Philipp-Florens Lehwalder <philipp.lehwalder@lissi.id>
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Signed-off-by: Philipp-Florens Lehwalder <philipp.lehwalder@lissi.id>
| * As a way to invoke the Wallet, at least a custom URL scheme `haip://` MUST be supported. Implementations MAY support other ways to invoke the wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes. | ||
| * Response type MUST be `vp_token`. | ||
| * Response mode MUST be `direct_post` with `redirect_uri` as defined in Section 6.2 of [@!OIDF.OID4VP]. | ||
| * Response mode MUST be `direct_post`. The Verifier MUST return `redirect_uri` in response to the HTTP POST request from the Wallet, where the Wallet redirects the User to, as defined in Section 6.2 of [@!OIDF.OID4VP]. Implementation considerations for the response mode `direct_post` are given in Section 11.5 of [@!OIDF.OID4VP]. |
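Review bot: the new bullet makes returning `redirect_uri` a MUST for every `direct_post` flow, but the Wallet can only redirect the User when it shares a browser context with the Verifier front end, and the cross-device question raised in this thread is left open by the wording; consider scoping the sentence to same-device flows, or phrasing it as "the Wallet redirects the User to it when it can", and pointing the reader to the session-fixation discussion in [@!OIDF.OID4VP] as the reason the redirect exists. The bullet also never names `response_uri`, the Authorization Request parameter the Wallet POSTs to, even though the PR title and description are about replacing `redirect_uri` with `response_uri` in the request; one clause such as "the Wallet sends the Authorization Response to the `response_uri`" would keep the request-side and response-side parameters clearly distinct.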
Are we sure we want the redirect_uri in cross-device scenarios, too? Otherwise, this text is too generic.
But doesn't the session fixation attack described in 12.2 apply to cross-device flows with direct_post when the redirect_uri is not used? At least that's how I understood this attack.
That's true - the question is whether this means HAIP must be narrowed to same-device or whether there are situations where this could be otherwise detected (note: this is a problem with all OOB protocols).
@danielfett what do you think?
This probably needs to be clarified in the 4VP spec itself. There is an issue openid/OpenID4VP#25.
But if we can go ahead and limit it in HAIP, I would not be against it, but probably out of scope for this PR.
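As an added illustration of "option 2" described at the top of this thread and of the session-fixation concern raised further down: a minimal Verifier that issues a `direct_post` request pointing at `response_uri`, answers the Wallet's HTTP POST with a `redirect_uri` carrying a one-time `response_code`, and releases the result only to whoever presents that code once. This is example code written for this page, not the HAIP or OpenID4VP reference text; the class, endpoint URLs and field names are assumptions, and it models the `redirect_uri`/`response_code` mechanism of the OpenID4VP `direct_post` section in memory only.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Verifier:
    """Constructed in-memory Verifier; a real one needs a store with expiry."""
    # state -> transaction record (hypothetical layout)
    transactions: dict = field(default_factory=dict)
    response_uri: str = "https://verifier.example/direct_post"   # assumed endpoint
    frontend_uri: str = "https://verifier.example/finish"        # assumed front end

    def create_request(self) -> dict:
        """Build the Authorization Request: direct_post sends the response to response_uri."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.transactions[state] = {"nonce": nonce, "vp_token": None,
                                    "response_code": None, "used": False}
        return {"response_type": "vp_token", "response_mode": "direct_post",
                "response_uri": self.response_uri, "state": state, "nonce": nonce}

    def handle_direct_post(self, form: dict) -> tuple:
        """Wallet -> Verifier HTTP POST. Option 2: answer with a redirect_uri."""
        tx = self.transactions.get(form.get("state", ""))
        if tx is None or tx["vp_token"] is not None:
            return 400, {"error": "invalid_request"}      # unknown or already-answered state
        tx["vp_token"] = form.get("vp_token")
        # Fresh, unguessable, single-use code binds the browser that follows the
        # redirect to this transaction; without it any party who learns `state`
        # could claim the presentation result (the fixation concern in the thread).
        tx["response_code"] = secrets.token_urlsafe(32)
        return 200, {"redirect_uri": f"{self.frontend_uri}?response_code={tx['response_code']}"}

    def finish(self, response_code: str) -> tuple:
        """Front end: release the result only once, only for a code we issued."""
        for state, tx in self.transactions.items():
            code = tx["response_code"] or ""
            if code and secrets.compare_digest(code, response_code) and not tx["used"]:
                tx["used"] = True
                return 200, {"state": state, "vp_token": tx["vp_token"]}
        return 403, {"error": "unknown_or_reused_response_code"}
```

A production front end would additionally check that the browser session presenting the code is the one that started the transaction, so a leaked code alone is not enough.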
Closes #71.
📑 Description
The HAIP currently defines that the response mode has to be `direct_post` with `redirect_uri`. However, using `redirect_uri` isn't allowed in the OpenID4VP spec for `direct_post`. Therefore, this PR proposes to change the Authorization Request parameter to `response_uri`.