[OpenID4VP] JAR vs OIDC request object
Issue #1874
resolved
There are two places in 4VP that talk about the request object saying “as defined in Section 6.1 of [OpenID.Core] or [RFC9101]”
Due to historical reasons, the two are subtly different and RFC9101 (JAR) has better security and hopefully interoperability. And I think it is generally the preferred/agreed on way these days.
For simplicity and interoperability, I’d suggest only referencing JAR. Maybe like, “as defined in JWT-Secured Authorization Request (JAR) [RFC9101].”
Comments (3)
-
-
-
- changed status to resolved
PR merged
- Log in to comment
I agree.