[OID4VP 1_0-14] Direct POST - improving the security by defining the redirect after the direct_post

Issue #1797 resolved
Alen Horvat created an issue

Context: In many cases the size of the VP will exceed the URL character limit, so one needs to use the direct post in the same-device flow. Direct post, as described in the current specification, lowers the security.

This issue is about a potential improvement of the OpenID for VP same-device flow with response_mode=direct_post.
Question/Comment: is there any benefit in terms of security if we, after a direct_post, receive a token as a response (from the direct_post method) and perform a 302 redirect back to the verifier?

HL sequence diagram: https://www.plantuml.com/plantuml/txt/TP4nR_8m48Rt_8gRs9mWlc-AI0fYwTQKHdH1GYO-mCAntVCbWVxwEgbKbQ7R9NVF-vpEgy2Ik6jDalXOw4PxQHdUfJ7880CC3_ztIFgaaSPEdoH50P6tIf82fzN_taDH90Ci1VGvFDTr1V_c2t04hrjed49OhZk-ED91idOMjlZHOU0oCgA48OSDeMG42Rig2_fiipHD9q-rtWgZhmZQCf9iHZpA9l17LhsyrR0aL9gmuRGZK-xjnaN2igZl7dEGtXlTJFRi9ePX42T7hOYZQCSDrTvwmX21QUOGkcEhGuXb4LUPzVx0xehJHqB87TblzM8-XzWS8uhR_VFlsuZouJONPX_oB6kCZiuKRxBr1bD7vwmvFlrAdCKqnicRhD2g-6PV

  1. The client obtains an authorisation request (to share one or more VCs) - the request contains a nonce
  2. Wallet constructs one or more VPs (with nonce included)
  3. Wallet makes a direct POST to the Verifier’s endpoint
  4. Wallet receives a “code” and “state” (or access token) as a response it can use to redirect to the Verifier’s website

Potential complication: how can the verifier know whether to expect a redirect or not?
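The flow in steps 1 to 4, modelled on the verifier side as an added example (this is not code from the OID4VP specification, from the issue author, or from any project; the class and method names, the `vp_token`/`state` form fields, the 60-second code lifetime and the browser-session binding are all assumptions). It shows what the proposed redirect buys a defender: the code returned by the direct_post response is single-use, short-lived, tied to the request's state, and must arrive in the same browser session that created the request, so a VP posted by someone else cannot be attached to the victim's verifier session.

```python
"""Toy verifier model of: create request -> wallet direct POST -> code + state
-> browser redirect back.  Added example; names and fields are assumptions."""

import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime of the one-time redirect code


class Verifier:
    def __init__(self):
        self._requests = {}  # state -> {"nonce", "session", "vp"}
        self._codes = {}     # code  -> {"state", "expires"}

    def create_request(self, browser_session: str) -> dict:
        """Step 1: the verifier website issues a request with a fresh nonce
        and state, remembering which browser session asked for it."""
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        self._requests[state] = {"nonce": nonce, "session": browser_session, "vp": None}
        return {"nonce": nonce, "state": state, "response_mode": "direct_post"}

    def direct_post(self, form: dict) -> dict:
        """Step 3: the wallet POSTs the VP (constructed here as a dict with the
        nonce inside) together with state.  Step 4: the verifier answers with a
        one-time code and the state the wallet can redirect with."""
        req = self._requests.get(form.get("state"))
        if req is None or req["vp"] is not None:
            raise ValueError("unknown or already-used state")
        vp = form["vp_token"]
        if vp.get("nonce") != req["nonce"]:
            raise ValueError("nonce mismatch: VP was not built for this request")
        req["vp"] = vp
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"state": form["state"], "expires": time.time() + CODE_TTL_SECONDS}
        return {"code": code, "state": form["state"]}

    def redirect_back(self, browser_session: str, code: str, state: str) -> dict:
        """The 302 lands here.  The code must be unused, unexpired, belong to
        this state and be presented from the session that created the request;
        only then is the stored VP released to that session."""
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed once
        if entry is None or entry["state"] != state or entry["expires"] < time.time():
            raise PermissionError("invalid, expired or replayed code")
        req = self._requests[state]
        if req["session"] != browser_session:
            raise PermissionError("code presented from a different browser session")
        return req["vp"]


def run_happy_path(session: str = "browser-session-A") -> dict:
    """Walk the four steps once and return the VP the verifier accepted."""
    verifier = Verifier()
    request = verifier.create_request(session)
    # Constructed stand-in for a wallet-built VP carrying the nonce.
    vp = {"nonce": request["nonce"], "vc": "constructed-credential"}
    response = verifier.direct_post({"state": request["state"], "vp_token": vp})
    return verifier.redirect_back(session, response["code"], response["state"])


if __name__ == "__main__":
    print(run_happy_path())
```

The complication raised above (how the verifier knows whether to expect a redirect) is left open here: this model simply refuses to release a VP to any browser session until a valid code arrives, which is the conservative default when the answer is unknown.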
