OpenIDVPs: register vp_token response type
No description provided.
Comments (9)
-
-
reporter: The verifier requests credential presentation via the presentation_definition request parameter.
The new response type „vp_token“ is only needed to fulfill OAuth protocol requirements for the case where the vp token is the only artifact the AS responds with. One just needs to specify something.
In all other cases, there is a pre-existing response type, like „id_token“ or „code“, and the vp token is returned with the id token or the access token. So there is no need to register other response types and require verifiers to use them; it would just duplicate information.
Note: returning access tokens in the front channel is discouraged by the OAuth Security BCP. Another reason not to do it.
-
Take
id_token vp_token
as an example (a use case would be OpenID4VP over SIOP).
This expects two tokens to be returned. Also, there are probably request parameters scope and credential_definition. By the logic above, we do not need to include vp_token in the response type, since we have a parameter called credential_definition.
But by the same logic, we could instead also omit id_token, since we check for openid in the scope parameter. Applying the same logic to both seems more consistent.
-
reporter: It would. However, OAuth (https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) requires a response type to be present. That’s the reason why we need “vp_token”.
-
I believe we decided on the last SIOP call to not register all the combinatorial possibilities of vp_token with other response types - just vp_token by itself. I believe that https://bitbucket.org/openid/connect/pull-requests/237/clarify-how-response-type-vp_token-is-used is being updated to do just that.
-
+1 to Mike’s comment. We should not enable a whole list of combinations other than vp_token and vp_token id_token, and only those two should be registered.
-
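The constraints raised in this thread (response_type is required by RFC 6749 section 4.1.1, the only combinations to be registered are "vp_token" and "vp_token id_token", the presentation is requested through presentation_definition, an id_token response presupposes the openid scope, and access tokens in the front channel are discouraged by the OAuth Security BCP) can be enforced at the point where a wallet or authorization server validates the incoming authorization request. The following is an added example written for this page, not code from the OpenID Connect working group or from any implementation; the function and error names, the rejection of any combination containing "token", and the decision to require presentation_definition are assumptions of the example.

```python
"""Validate the response_type of an OpenID4VP authorization request.

Added example for this thread, not OpenID Connect WG code. It enforces:
  * response_type is REQUIRED (RFC 6749 section 4.1.1),
  * only "vp_token" and "vp_token id_token" are accepted (thread decision),
  * vp_token is requested via presentation_definition (required here by
    assumption),
  * "token" (front-channel access token) is rejected, following the OAuth
    Security BCP's discouragement of access tokens in the front channel,
  * id_token requires the openid scope.
"""
from urllib.parse import parse_qs

# OAuth response_type is a space-delimited list whose order is not
# significant, so the registered combinations are stored as sets.
ALLOWED_RESPONSE_TYPES = {
    frozenset({"vp_token"}),
    frozenset({"vp_token", "id_token"}),
}


class AuthorizationRequestError(ValueError):
    """Carries the OAuth error code the server would put in its error response."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def parse_response_type(raw):
    """Split response_type into a set of values; reject absent or malformed input."""
    if raw is None or not raw.strip():
        raise AuthorizationRequestError(
            "invalid_request", "response_type is REQUIRED (RFC 6749 section 4.1.1)")
    values = raw.split()
    if len(values) != len(set(values)):
        raise AuthorizationRequestError("invalid_request", "response_type repeats a value")
    return frozenset(values)


def validate_vp_request(query):
    """Validate the query string of an authorization request asking for a VP.

    Returns the accepted response_type set and which artifacts the response
    must carry, so the caller knows whether an id_token accompanies the VP.
    """
    params = parse_qs(query, keep_blank_values=True)
    # RFC 6749 does not allow a parameter to be repeated; treat that as malformed.
    dupes = sorted(k for k, v in params.items() if len(v) > 1)
    if dupes:
        raise AuthorizationRequestError(
            "invalid_request", "duplicate parameter(s): " + ", ".join(dupes))
    single = {k: v[0] for k, v in params.items()}

    response_type = parse_response_type(single.get("response_type"))

    if "token" in response_type:
        # Access token in the front channel: discouraged by the OAuth Security
        # BCP and outside the combinations this example accepts (assumption).
        raise AuthorizationRequestError(
            "unsupported_response_type", "access tokens in the front channel are not supported")
    if response_type not in ALLOWED_RESPONSE_TYPES:
        raise AuthorizationRequestError(
            "unsupported_response_type",
            "response_type '%s' is not registered" % " ".join(sorted(response_type)))

    # The verifier requests the presentation via presentation_definition;
    # this example requires the parameter whenever vp_token is requested.
    if "presentation_definition" not in single:
        raise AuthorizationRequestError(
            "invalid_request", "vp_token response requires presentation_definition")

    # id_token is an OpenID Connect artifact, so the openid scope must be present.
    scopes = set(single.get("scope", "").split())
    if "id_token" in response_type and "openid" not in scopes:
        raise AuthorizationRequestError(
            "invalid_scope", "id_token response_type requires the openid scope")

    return {
        "response_type": response_type,
        "returns_id_token": "id_token" in response_type,
        "returns_vp_token": True,
    }


if __name__ == "__main__":
    # Constructed sample requests; presentation_definition=%7B%7D ("{}") is a
    # placeholder, not a real presentation definition.
    ok = validate_vp_request(
        "response_type=id_token%20vp_token&scope=openid&client_id=verifier.example"
        "&presentation_definition=%7B%7D&nonce=n-0S6_WzA2Mj")
    print("accepted:", " ".join(sorted(ok["response_type"])))
    for bad in ("scope=openid&presentation_definition=%7B%7D",
                "response_type=code%20vp_token&presentation_definition=%7B%7D",
                "response_type=token%20vp_token&presentation_definition=%7B%7D",
                "response_type=vp_token%20id_token&presentation_definition=%7B%7D"):
        try:
            validate_vp_request(bad)
        except AuthorizationRequestError as exc:
            print("rejected:", exc)
```

Because the combinations are compared as sets, "id_token vp_token" and "vp_token id_token" are both accepted, while any combination involving "code" or "token" is refused with unsupported_response_type; a missing response_type is reported as invalid_request, matching the point that OAuth requires the parameter to be present.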
- changed status to open
-
Justin Richer knows how to do a registry in IANA without an RFC. Finding out more.
-
- changed status to resolved
There is an IANA registry for vp_token. Let's open a separate issue once we are closer to final and are ready to actually register with IANA.
Since OpenID4VP is an “addon” to OAuth and OIDC, we probably also want the following:
code vp_token
id_token vp_token
token vp_token
code id_token vp_token
code token vp_token
id_token token vp_token
code id_token token vp_token
Why was this scheme chosen again? The registry currently is listing any combination of code, id_token and token anyway…