presentation_definition may be provided in the RP's metadata #84

Open
peppelinux opened this issue Dec 13, 2023 · 2 comments

@peppelinux
Member

peppelinux commented Dec 13, 2023

I think that should enable the possibility to obtain the presentation_definition from the metadata instead of requiring it only in the authorization request.

having the presentation_definition in the metadata allows:

  1. the provisioning of metadata signed by a trusted third party, where the RP is allowed to use a specific presentation_definition
  2. the possibility to apply dynamic metadata policy, according to the OpenID Federation policy language

Currently in the specs we have

Presentation Definition JSON object MUST be sent using a presentation_definition parameter

and it is not explicit if the presentation_definition MUST be provided in the Authorization request or in the metadata

@paulbastian
Collaborator

What about presentation_definition_uri? Can you solve this with that or how does it relate?

@peppelinux
Member Author

metadata can be signed, within a federation trust chain or by a TTP, and including a presentation_definition.

otherwise, presentation_definition_uri is a plaintext JSON that carries these risks:

  • repudiability, since it is not signed
  • repudiability, since it can change anytime without any verifiable proof of its past contents
  • dependency on external resources, relying on presentation_definition_uri means depending on an external resource just for a part of RP's capabilities, while metadata are more consistent

the only benefit I see in using presentation_definition_uri is that using HTTP GET the URL should not be longer than 2048 bytes, while a presentation_definition might contain a lot of information. At the same time, in the current implementation I see that request_uri is used very often ...
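
The check discussed in this thread, as an added example that is not part of the issue or of the project's code: a wallet applies a superior's metadata policy to the RP metadata and honours only a presentation_definition that the resolved metadata authorises. It assumes the trust chain signatures were already verified, a `presentation_definition` metadata parameter as proposed in the issue, and a simplified subset of the OpenID Federation policy operators (`default`, `one_of`, `essential`); all function names and sample values are hypothetical.

```python
import copy

class PolicyError(Exception):
    """Metadata or request does not satisfy the policy."""

def apply_policy(metadata, policy):
    """Apply three policy operators (default, one_of, essential) to a copy
    of the RP metadata. Simplified: the other operators are omitted."""
    resolved = copy.deepcopy(metadata)
    for param, ops in policy.items():
        if "default" in ops and param not in resolved:
            resolved[param] = copy.deepcopy(ops["default"])
        if "one_of" in ops and param in resolved and resolved[param] not in ops["one_of"]:
            raise PolicyError(f"{param}: value not allowed by one_of")
        if ops.get("essential") and param not in resolved:
            raise PolicyError(f"{param}: essential parameter missing")
    return resolved

def select_definition(resolved_metadata, auth_request):
    """Return the presentation_definition the wallet should honour.

    Assumed wallet rule: the definition in the resolved metadata is
    authoritative; a request may omit or repeat it, not replace it."""
    allowed = resolved_metadata["presentation_definition"]
    requested = auth_request.get("presentation_definition", allowed)
    if requested != allowed:
        raise PolicyError("request asks for a definition the metadata does not authorise")
    return allowed

# Constructed sample definitions (not taken from any real deployment).
PID_ONLY = {"id": "pid-only", "input_descriptors": [{"id": "pid", "constraints": {
    "fields": [{"path": ["$.given_name"]}, {"path": ["$.family_name"]}]}}]}
PID_AND_TAX = {"id": "pid-and-tax", "input_descriptors": [{"id": "pid", "constraints": {
    "fields": [{"path": ["$.given_name"]}, {"path": ["$.tax_id_code"]}]}}]}

# Policy a superior entity could publish: this RP may only ask for PID_ONLY.
SUPERIOR_POLICY = {"presentation_definition": {"essential": True, "one_of": [PID_ONLY]}}

def wallet_accepts(rp_metadata, auth_request):
    """True if the metadata passes the policy and the request matches it."""
    try:
        select_definition(apply_policy(rp_metadata, SUPERIOR_POLICY), auth_request)
        return True
    except PolicyError:
        return False
```
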
