- changed status to new
Is the Acceptance Token One-Time Use?
It is not clear to me from the Credential Issuance spec whether the acceptance_token is one-time use or not. I would guess that it should be used only once to obtain the previously requested credential, but I think this is not explicitly mentioned in the specification. I think this might lead to developers forgetting to invalidate a used acceptance_token. Any thoughts on this?
Comments (8)
-
My assumption was that transaction_id (acceptance_token was renamed to transaction_id) is one-time use, because a new transaction_id is returned in each credential response/deferred credential response. Assuming the access token is valid to issue three credentials from the credential endpoint, the Wallet needs to make three credential requests, the wallet will receive an Nth transaction_id in the credential response that it can use in the (N+1)th credential request.
-
reporter Will it be mentioned in the spec that it is one-time use, or is that not important?
-
The transaction id is specific to a transaction but it is not one time use. Just imagine the case when the issuer is still not able to provide the credential. The issuer would respond with an error code “issuance_pending” (https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html#name-deferred-credential-error-r) and the transaction id stays valid in that case.
-
reporter But isn't it still one-time use because if there was an error, it would not have been used to issue a credential. Once the credential is issued, it should not be reusable, right? Maybe this needs to be specified.
-
I really like David’s suggestion on the PR to say that transaction_id should be invalidated after the credential has been issued - I updated the PR accordingly, please re-review.
- changed status to resolved
PR merged
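
The behaviour the thread converges on, sketched as an added example (not code from the specification, the PR, or any commenter): a transaction_id stays valid while the issuer answers issuance_pending and is invalidated in the same step that hands out the credential. The class and method names are hypothetical, and the invalid_transaction_id error code for unknown or already-used ids is an assumption not stated on this page.

```python
import secrets
import threading


class DeferredTransactions:
    """Issuer-side store for transaction_id values (hypothetical helper)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._tx = {}  # transaction_id -> credential, or None while pending

    def open(self):
        """Create a transaction_id for a credential that is not ready yet."""
        tid = secrets.token_urlsafe(32)  # unguessable identifier
        with self._lock:
            self._tx[tid] = None
        return tid

    def mark_ready(self, tid, credential):
        """Backend finished issuance; the next redeem() returns the credential."""
        with self._lock:
            if tid not in self._tx:
                raise KeyError("unknown transaction_id")
            self._tx[tid] = credential

    def redeem(self, tid):
        """Handle one deferred credential request for this transaction_id."""
        with self._lock:
            if tid not in self._tx:
                # Never issued, or already used to obtain the credential.
                # Error code is an assumption, see the lead-in.
                return {"error": "invalid_transaction_id"}
            credential = self._tx[tid]
            if credential is None:
                # Not ready: the id stays valid so the Wallet can retry.
                return {"error": "issuance_pending"}
            # Ready: delete under the same lock that read the credential,
            # so two concurrent requests cannot both receive it.
            del self._tx[tid]
            return {"credential": credential}
```

Doing the lookup and the deletion under one lock is what makes the invalidation effective: a check followed by a separate delete would let two parallel requests with the same transaction_id both succeed.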