require support for same device flow for redirect-based OpenID4VP #293
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sakurann
approved these changes
Sep 30, 2025
Sakurann
reviewed
Sep 30, 2025
jogu
changed the title
Co-authored-by: Kristina <[email protected]>
jogu
reviewed
Oct 1, 2025
Contributor
|
I still think there needs to be consideration for in-person cross device flows, e.g. age assurance at a retail store. Being unable to use digital IDs in the real world or having poor user experience will be a hindrance to adoption of digital IDs, especially in jurisdictions where showing the digital ID on your device is forbidden to be accepted by the retail staff under trust framework rules. |
Co-authored-by: Joseph Heenan <[email protected]>
paulbastian
commented
Oct 7, 2025
jogu
approved these changes
Oct 7, 2025
awoie
reviewed
Oct 7, 2025
Co-authored-by: Oliver Terbu <[email protected]>
Co-authored-by: Paul Bastian <[email protected]>
Contributor
|
suggestion projecting inner @tlodderstedt :
|
Contributor
|
Discussed on today's WG call, consensus that: There are some scenarios where cross-device flows have other mechanisms in place that mean phishing resistance is not required (e.g. in-person). Add a "MUST support Same-Device". "unless the Verifier does not require phishing resistance," should be reframed as "for scenarios where phishing resistance can be achieved in alternative ways". Paul to update the PR and we'll hopefully merge on Thursday's WG call before starting public review. |
Sakurann
reviewed
Oct 7, 2025
| * Signed Authorization Requests MUST be used by utilizing JWT-Secured Authorization Request (JAR) [@!RFC9101] with the `request_uri` parameter. | ||
| * Response encryption MUST be used by utilizing response mode `direct_post.jwt`, as defined in Section 8.3 of [@!OIDF.OID4VP]. Security Considerations in Section 14.3 of [@!OIDF.OID4VP] MUST be applied. | ||
| * Response encryption MUST be used by utilizing response mode `direct_post.jwt`, as defined in Section 8.3 of [@!OIDF.OID4VP]. Security considerations in Section 14.3 of [@!OIDF.OID4VP] MUST be applied. | ||
| * The Verifier MUST reject flows that are non "Same-Device". It MUST do this by including `redirect_uri` in the HTTP response to the Wallet's HTTP POST to the `response_uri`, as defined in Section 8.2 of [@!OIDF.OID4VP]. Wallets MUST follow the redirect to `redirect_uri`. Verifiers MUST reject presentations if Wallets do not follow the redirect back or the redirect back arrives in a different user session to the one the request was initiated in. Implementation considerations can be found in Section 13.3 of [@!OIDF.OID4VP] and security considerations in Section 14.2 of [@!OIDF.OID4VP]. |
Contributor
There was a problem hiding this comment.
Suggested change
| * The Verifier MUST reject flows that are non "Same-Device". It MUST do this by including `redirect_uri` in the HTTP response to the Wallet's HTTP POST to the `response_uri`, as defined in Section 8.2 of [@!OIDF.OID4VP]. Wallets MUST follow the redirect to `redirect_uri`. Verifiers MUST reject presentations if Wallets do not follow the redirect back or the redirect back arrives in a different user session to the one the request was initiated in. Implementation considerations can be found in Section 13.3 of [@!OIDF.OID4VP] and security considerations in Section 14.2 of [@!OIDF.OID4VP]. | |
| * The Wallet and the Verifier MUST support "Same-Device" flow: | |
| * Verifiers MUST include `redirect_uri` in the HTTP response to the Wallet's HTTP POST to the `response_uri`, as defined in Section 8.2 of [@!OIDF.OID4VP]. | |
| * Wallets MUST follow the redirect to `redirect_uri`. | |
| * Verifiers MUST reject presentations if Wallets do not follow the redirect back or the redirect back arrives in a different user session to the one the request was initiated in. | |
| * Implementation considerations can be found in Section 13.3 of [@!OIDF.OID4VP] and security considerations in Section 14.2 of [@!OIDF.OID4VP]. | |
| * Non "Same-Device" flows can be acceptable in the scenarios where phishing resistance can be achieved in alternative ways. e.g. it is an in-person presentation using OpenID4VP via redirects. When doing so, ecosystems and implementations are advised to make this decision based on a risk analysis. |
dastoikov
approved these changes
Oct 8, 2025
tlodderstedt
reviewed
Oct 9, 2025
Co-authored-by: Torsten Lodderstedt <[email protected]>
Sakurann
reviewed
Oct 9, 2025
Co-authored-by: Torsten Lodderstedt <[email protected]>
Sakurann
reviewed
Oct 9, 2025
Sakurann
reviewed
Oct 9, 2025
Sakurann
reviewed
Oct 9, 2025
Vanderkast
approved these changes
Oct 9, 2025
awoie
reviewed
Oct 9, 2025
Co-authored-by: Oliver Terbu <[email protected]>
Vanderkast
reviewed
Oct 9, 2025
jogu
changed the title
Co-authored-by: Valentine Mazurov <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #98