You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I think that should enable the possibility to obtain the presentation_definition from the metadata instead that requiring it only in the authorization request
having the presentation_definition in the metadata allows:
the provisioning of metadata signed by a trusted third party, where the RP is allowed to use a specific presentation_definition
the possibility to apply dynamic metadata policy, according to the OpenID Federation policy language
Currently in the specs we have
Presentation Definition JSON object MUST be sent using a presentation_definition parameter
and it is not explicit if the presentation_definition MUST be provided in the Authorization request or in the metadata
The text was updated successfully, but these errors were encountered:
metadata can be signed, withing a federation trust chain or by a TTP, and including a presentation_definition.
otherwise, presentation_definition_uri is a plaintext json that carries these risks:
repudiability, since it is not signed
repudiability, since it can change anytime without any verifiable proof of its past contents
dependency on external resources, relying on presentation_definition_uri means depending on an external resource just for a part of RP's capabilities, while metadata are more consistent
the only benefit I see in using presentation_definition_uri is that using HTTP GET the url should not be more long than 2048bytes, while a presentation_definition might contain a lot of information. At the same time, in the current implementation I see that request_uri is used very often ...
I think that should enable the possibility to obtain the presentation_definition from the metadata instead that requiring it only in the authorization request
having the presentation_definition in the metadata allows:
Currently in the specs we have
and it is not explicit if the presentation_definition MUST be provided in the Authorization request or in the metadata
The text was updated successfully, but these errors were encountered: