[Openid-specs-digital-credentials-protocols] OpenID4VP: Proposal to remove client_metadata_uri authorization parameter
Joseph Heenan
joseph at authlete.com
Thu Jul 4 16:16:25 UTC 2024
Hi all
As discussed on both working group calls this week, I started a proposal to remove the client_metadata_uri authorization parameter from the OpenID for Verifiable Credentials specification:
There are undocumented & unsolved security issues around client_metadata_uri ( https://github.com/openid/OpenID4VP/issues/14 ) and further concerns that it's not clear what client metadata parameters can actually be used in it ( https://github.com/openid/OpenID4VP/issues/17 ).
There's a further suggestion to decide an alternative way of fetching client metadata from a .well-known location ( #82 ).
This is being tracked on:
https://github.com/openid/OpenID4VP/issues/202
There already seems to be quite good support for removing this on the issue (please add a comment/thumbs up if you support removing it).
If anyone has use cases that require this parameter, can you please add a comment on the issue or reply to this email with the details? If not, we will proceed to a PR a week from today.
Many thanks
Joseph