[needs-PR/discuss] credential offer - successful & error responses need to be defined
Issue #1642
resolved
The spec says:
The Issuer sends the request as a HTTP GET request or a HTTP redirect to the Issuance Initiation Endpoint URL defined in Section 11.1.¶
I can’t figure out what this means. I think the “or a HTTP redirect” means “send the user’s browser to the issuance url with the parameters in the url query”. I’m not sure what the other option (the first part of the ‘or’, “sends the request as a HTTP GET request”) is, as 6.2 seems to make it pretty clear the request is done interactively in the user’s browser with the resulting html expected to be displayed by the browser.
It might make sense to use similar language to that used in RFC6749 for the authorization endpoint, e.g.:
The Issuer directs the resource owner to the constructed URI using an
HTTP redirection response, or by other means available to it via the
user-agent.
Comments (10)
-
-
reporter
Ah, thanks Kristina. That makes sense. https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html#name-issuance-initiation-respons should maybe define a response for that situation then?
-
good point… I assume 200 be enough..?
-
reporter
I’m not quite sure. If it has no content (and is successful), then 204 is probably most appropriate.
However, there’s probably also a need to define what happens in the case that the request is not valid. Possibly an error response similar to the token endpoint error response (https://datatracker.ietf.org/doc/html/rfc6749#section-5.2) could be appropriate then, but I’ve not fully thought it through.
-
reporter
- changed title to direct issuance initiation request - successful & error responses need to be defined
I’ve changed the title for this one given I now understand the situation better.
-
- changed title to [needs-PR/discuss] direct issuance initiation request - successful & error responses need to be defined
-
- changed status to open
SIOP call, Oct-6-2022, discussed this is needed
-
Oct-10-2022, Tobias suggested that GET request MUST be a treated as a redirect to allow the wallet to have a user interaction.
Mike and Kristina agreed and clarified that if no need for user interaction, would be a silent redirect.
-
- changed title to [needs-PR/discuss] credential offer - successful & error responses need to be defined
-
- changed status to resolved
Migrated to GitHub
- Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- resolved
- Component
- Credential Issuance
- Milestone
- –
- Version
- –
- Votes
- 0
- Watchers
- 1
when the issuer knows the wallet’s issuance initiation endpoint it can send an issuance initiation request as an HTTP GET directly without any user interaction or user agent involvement, instead of a redirect.