[Openid-specs-ab] Issue #1402: Cross device flow w/ and w/o authorization_endpoint (openid/connect)

tlodderstedt issues-reply at bitbucket.org
Thu Jan 20 11:04:49 UTC 2022


New issue 1402: Cross device flow w/ and w/o authorization_endpoint
https://bitbucket.org/openid/connect/issues/1402/cross-device-flow-w-and-w-o

Torsten Lodderstedt:

The current SIOP revision allows the RP to (1) include or (2) omit the authorization endpoint in the QR code rendered for the cross device flow.

The underlying assumption for (2) is that the authorization endpoint is not needed if the user scans the code with the wallet app. But there might be use cases where the user scans the QR code with the OS’s camera, in which case the authorization endpoint is needed to determine the ultimate destination of the request (option (1)).

Even though I brought up option (2), I’m not sure whether omitting the authorization endpoint is a good idea. It might serve the purpose of distinguishing request types in a wallet app. We at least need to have clear guidance what shall be done in what use case.



