[Openid-specs-ab] Issue #2052: [OpenID4VP] direct post: nonce and state are required in the response (openid/connect)
peppelinux
issues-reply at bitbucket.org
Wed Aug 30 09:21:05 UTC 2023
New issue 2052: [OpenID4VP] direct post: nonce and state are required in the response
https://bitbucket.org/openid/connect/issues/2052/openid4vp-direct-post-nonce-and-state-are
Giuseppe De Marco:
In “[6.3.1. ](https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-1_0.html#section-6.3.1)[Response Mode "direct_post.jwt"](https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-1_0.html#name-response-mode-direct_postjw)” we should have `state` as optional and `nonce` as required, because the response is related to a specific request.
Even if one or more VP tokens contained within the claim `vp_token` have the nonce parameter within them, the entire response that envelopes them must be related to a specific request and therefore contain at least the nonce.
The implementers that are forced to get the content of the single VP tokens to link them to a previous request are raising concerns about how to deal with a response that may contain multiple VPs with different nonces; this raises security and implementation concerns.
This issue wants to raise the requirement to have both state and nonce as parameters of the direct post response JWT.
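The verifier-side binding check this issue argues for, as an added example that is not code from the issue, the specification or any OpenID implementation: the top-level `nonce` of the direct_post.jwt response selects the pending request, `state` is checked only when present, and every enclosed VP must carry the same nonce. It assumes an HS256-signed response with a constructed shared secret, a constructed `PENDING` request table, and VPs modelled as plain dicts for brevity.

```python
import base64, hashlib, hmac, json

# Constructed HS256 secret for the example; real verifiers use configured keys.
SECRET = b"example-verifier-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_jwt(claims: dict) -> str:
    # Minimal HS256 encoder used only to build the sample response JWT.
    head = b64url(b'{"alg":"HS256"}')
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def decode_jwt(token: str) -> dict:
    # Check the HS256 signature before trusting any claim.
    head, body, sig = token.split(".")
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

# Requests this verifier has issued, keyed by nonce (constructed sample).
PENDING = {"n-1": {"state": "s-1"}}

def verify_direct_post_response(token: str) -> dict:
    """Top-level nonce required; state checked if present; all VP nonces must match."""
    claims = decode_jwt(token)
    nonce = claims.get("nonce")
    if nonce is None:
        raise ValueError("nonce is required in the response")
    req = PENDING.get(nonce)
    if req is None:
        raise ValueError("unknown nonce")
    if "state" in claims and claims["state"] != req["state"]:
        raise ValueError("state does not match request")
    vps = claims["vp_token"]
    # VPs are modelled as dicts here; real vp_token entries are encoded presentations.
    for vp in vps if isinstance(vps, list) else [vps]:
        if vp.get("nonce") != nonce:
            raise ValueError("VP nonce differs from response nonce")
    return req

def sample_response(vp_nonces=("n-1", "n-1"), **extra) -> str:
    # Sample direct_post.jwt response; pass nonce=/state= to include them.
    return encode_jwt({"vp_token": [{"nonce": n} for n in vp_nonces], **extra})
```

Without the top-level nonce the verifier has no way to pick the request before unpacking each VP, which is exactly the mixed-nonce case the last check rejects.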