[Openid-specs-ab] Issue #1737: OID4VP session identification for same device flow (openid/connect)
David W Chadwick
issues-reply at bitbucket.org
Mon Nov 21 11:39:22 UTC 2022
New issue 1737: OID4VP session identification for same device flow
https://bitbucket.org/openid/connect/issues/1737/oid4vp-session-identification-for-same
David W Chadwick:
In the same device flow the RP sends the request for a VP to the browser which redirects it to the wallet. The request contains a redirect_uri for the wallet to return the vp_token to (via the browser). However, if the RP has several users (wallets) talking to it at once, the redirect location needs to know which wallet/session this response refers to. The RP can start to inspect the vp_token and find the nonce that is embedded in it. But what if the RP uses a backend verifier service that does all the VP/VC verification work for it? The RP simply needs to know which session (i.e. which nonce) this response applies to without digging into the vp_token to find it. Our implementors have suggested that the response should contain the nonce at the top level, as well as being buried in the vp_token somewhere. Two alternatives are suggested, which are the same as the suggestions in the response mode post issue #1717. The response can either have a header authz bearer token containing the nonce, or the response can in addition contain the nonce in an additional parameter “&nonce=<nonce value>”. The RP can indicate to the wallet which of these it prefers by either including the nonce as a query parameter of the redirect_uri (meaning it should be a parameter of the response) or saying nothing (meaning that it should be in the authz header bearer token).
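The session correlation described in the issue, as an added example that is not part of the issue or of the OID4VP specification: an RP callback that maps a wallet's same-device response to a pending session by the top-level nonce alone, leaving vp_token verification to a backend service. The in-memory session store, the redirect_uri host and the single-use handling are assumptions of this example.

```python
# Added example: RP-side nonce correlation for the OID4VP same-device flow.
# Assumed (not from the issue): a process-local dict as the pending-session
# store, a fixed callback URL, and that a nonce is consumed on first use.
import secrets
from urllib.parse import urlencode, parse_qs

PENDING = {}  # nonce -> {"session": ..., "mode": "param" | "bearer"}


def start_request(session_id, prefer_param):
    """Issue a fresh nonce and build the redirect_uri the RP hands the wallet.

    Putting the nonce on the redirect_uri signals "echo it as a response
    parameter"; leaving it off means "send it as a bearer token in the
    Authorization header", as the issue proposes.
    """
    nonce = secrets.token_urlsafe(16)
    redirect_uri = "https://rp.example/cb"  # constructed callback URL
    if prefer_param:
        redirect_uri += "?" + urlencode({"nonce": nonce})
    PENDING[nonce] = {"session": session_id,
                      "mode": "param" if prefer_param else "bearer"}
    return nonce, redirect_uri


def nonce_from_response(query, headers):
    """Extract the top-level nonce from the wallet's response, if present."""
    q = parse_qs(query)
    if "nonce" in q:
        return q["nonce"][0], "param"
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip(), "bearer"
    return None, None  # no top-level nonce: only the vp_token could tell


def correlate(query, headers):
    """Return the session id this response belongs to, or None if unmatched.

    The vp_token is never parsed here; the backend verifier later checks that
    the nonce embedded in it equals the one the RP matched on.
    """
    nonce, mode = nonce_from_response(query, headers)
    if nonce is None:
        return None
    rec = PENDING.get(nonce)
    if rec is None or rec["mode"] != mode:
        return None  # unknown nonce, or delivered in a mode the RP did not ask for
    del PENDING[nonce]  # single use: a replayed response must not match again
    return rec["session"]
```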