[Openid-specs-ab] Issue #1717: OID4VP - Protecting response mode post (openid/connect)
David W Chadwick
issues-reply at bitbucket.org
Wed Nov 9 16:55:17 UTC 2022
New issue 1717: OID4VP - Protecting response mode post
https://bitbucket.org/openid/connect/issues/1717/oid4vp-protecting-response-mode-post
David W Chadwick:
The current text says
`When HTTP "POST" method is used to send VP Token, there is no session for the Verifier to validate whether the Response is sent by the same Wallet that has received the Authorization Request. It is RECOMMENDED for the Verifiers to implement mechanisms to strengthen such binding.`
This issue has been created to allow us to discuss possible mechanisms for strengthening this binding so that we can add some guidelines to our specification.
Here is the first proposal. The redirect URL that is sent from the RP to the AS is a dynamic URL containing a secret such as `https://example.com/secret=32bit-OTP`. The AS should post the response to this URL and the RP should keep a record of the OTPs it has sent so that it can reject any incoming calls that do not quote an outstanding OTP, and each OTP should only be used once.
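The proposal above, as an added illustration that is not part of the original post and not code from the OpenID working group: a verifier-side store that mints a per-request secret into the response URI, records it as outstanding, and accepts a POSTed response only if it quotes a secret that is outstanding, unexpired and not yet used. The base URI, the `secret` query parameter name, the request identifiers and the five-minute lifetime are assumptions made for the example; the secret is a 128-bit random token here rather than the 32-bit value mentioned in the proposal, which is the example's own choice.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs


class ResponseUriBinder:
    """Binds an Authorization Request to the HTTP POST that carries its response.

    Each issued response URI carries a fresh secret. The verifier keeps the set
    of outstanding secrets and consumes one the first time it is presented, so a
    POST without a known secret, or a replayed POST, is rejected.
    """

    def __init__(self, base_uri="https://verifier.example.com/vp-response",
                 ttl_seconds=300, clock=time.time):
        # base_uri, ttl_seconds and the injectable clock are assumptions of this example.
        self.base_uri = base_uri
        self.ttl = ttl_seconds
        self.clock = clock
        self._outstanding = {}  # secret -> (request_id, expiry timestamp)

    def issue(self, request_id):
        """Create the response URI to place in the Authorization Request."""
        secret = secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe
        self._outstanding[secret] = (request_id, self.clock() + self.ttl)
        return f"{self.base_uri}?{urlencode({'secret': secret})}"

    def accept(self, posted_uri):
        """Validate the URI a wallet POSTed to.

        Returns the bound request_id on success, or None if the secret is
        missing, unknown, already used, or expired. The secret is removed from
        the outstanding set on first lookup, so a replay with the same URI fails.
        """
        parts = urlsplit(posted_uri)
        base = urlsplit(self.base_uri)
        if (parts.scheme, parts.netloc, parts.path) != (base.scheme, base.netloc, base.path):
            return None  # POST did not land on our response endpoint
        values = parse_qs(parts.query).get("secret", [])
        if len(values) != 1:
            return None  # no secret, or a duplicated parameter
        entry = self._outstanding.pop(values[0], None)  # single use
        if entry is None:
            return None  # never issued, or already consumed
        request_id, expiry = entry
        if self.clock() > expiry:
            return None  # issued, but the request has timed out
        return request_id


def simulated_exchange():
    """Walk through issue -> wallet POST -> replay, returning the outcomes."""
    verifier = ResponseUriBinder()
    response_uri = verifier.issue("req-0001")  # goes into the Authorization Request
    # Constructed wallet behaviour: it POSTs the VP Token to the URI it was given.
    first = verifier.accept(response_uri)
    replay = verifier.accept(response_uri)
    forged = verifier.accept(f"{verifier.base_uri}?secret=not-issued")
    return first, replay, forged


if __name__ == "__main__":
    print(simulated_exchange())
```

The store is in-memory for clarity; a verifier with more than one instance would keep the outstanding set in shared storage and still consume each secret atomically, otherwise two instances could each accept the same POST once.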