-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify JWT envelope for direct_post.jwt in error cases #135
Comments
I basically agree with your conclusions. Sending no response is okay. Sending a response but in the url query format wouldn't be entirely unexpected - certainly that kind of thing can happen when using JARM with the authorization code flow & normal redirects. |
Do you mean In this case, the wallet does not have a |
Yes, exactly. It sort of feels weird but there are legitimate cases where a JWT can't be encrypted/signed for some reason and bringing alg: none into the mix wouldn't be good. We may need to add a sentence about it I guess... |
To my understanding, when a verifier uses a Practically this means that wallet (in case of JARM) must check for a valid combination of:
and reject the request if no valid or not supported/understandable combination of the above attributes is sent. |
I would agree with this. Those parameters have to be present in the client metadata (via whatever channel it was provided to the wallet, e.g., in the request, entity statements, pre-configured etc.) to generate a error response using JARM. However, @jogu did I understand you correctly that it wouldn't be unexpected for RPs to receive such error responses without JARM, although the authorization_response parameters are present? @babisRoutis @jogu Would it be reasonable to add some language to the spec that explains this? Something like, wallets MAY send the error response without JARM envelopes if they have good reasons to do so. Or would this hurt interop too much? |
Dear @awoie I believe that not all errors are equal or reportable, if you will. Those are errors have to do with attributes that are validated taking into account the To my understanding in the bellow cases, wallet cannot convey the error to the verifier:
Bottom line, I think that spec should just state that there could be cases where the wallet cannot report back to verifier some errors. |
I think I'd be okay with that. |
@babisRoutis what do you think? Would you be ok with such a language? |
@awoie Yes. As long as there is the "MAY send" 😄 |
direct_post.jwt
requires the wallet to send a JWT to theresponse_uri
. This also applies to an error response. In this case, the error parameters are included in a JWT.What happens in the following case:
A specific OID4VP profile requires encrypting the response (using JARM) but the provided client metadata does not contain encryption keys, so the response cannot be encoded as a JWE.
Do you think we should add this to the implementation considerations? IMO, this would be useful.
The text was updated successfully, but these errors were encountered: