Returning large credentials
Issue #1685
resolved
Some credentials may be very large, e.g. those with embedded images. The OIDC4VPs spec specifies the new response mode post for the cross device flow. This will allow any size of credential to be returned. However, the same device flow uses HTTP redirects, and this may limit the size of credential that can be returned. How might this be addressed?
One solution could be to allow the new response mode post to be applicable to the same device flow as well.
Comments (5)
David, has this been resolved with PR #327 relaxing the language?
- changed status to open
reporter: Yes, thank you. This can be closed.
- changed status to resolved
SIOP Oct-20-2022 call
Torsten agreed to apply post to same-device.
DW said one security concern was that some endpoints have protections that allow redirects only from the Web.
Oliver mentioned credential leakage as a problem.