[OpenID4VP] JAR vs OIDC request object

Issue #1874 resolved
Brian Campbell created an issue

There are two places in 4VP that talk about the request object, saying “as defined in Section 6.1 of [OpenID.Core] or [RFC9101]”.

Due to historical reasons, the two are subtly different and RFC9101 (JAR) has better security and hopefully interoperability. And I think it is generally the preferred/agreed on way these days.

For simplicity and interoperability, I’d suggest only referencing JAR. Maybe like, “as defined in JWT-Secured Authorization Request (JAR) [RFC9101].”
