Cross device flow w/ and w/o authorization_endpoint
The current SIOP revision allows the RP to (1) include or (2) omit the authorization endpoint in the QR code rendered for the cross device flow.
The underlying assumption for (2) is that the authorization endpoint is not needed if the user scans the code with the wallet app. But there might be use cases where the user scans the QR code with the OS’s camera, in which case the authorization endpoint is needed to determine the ultimate destination of the request (option (1)).
Even though I brought up option (2), I’m not sure whether omitting the authorization endpoint is a good idea. It might serve the purpose of distinguishing request types in a wallet app. We at least need to have clear guidance on what shall be done in what use case.
Comments (4)
-
-
- changed status to open
Discussed on the 31-Jan-22 working group call.
-
I think the QR code for pre-authorized code flow is targeted at the issuance_initiation_endpoint of the wallet, not the authorization endpoint, so the concern in the second paragraph goes away.
Suggest we close this issue.
-
- changed status to closed
Closing since this has been pending close for over a month.
parked until we resolve #1401