From 1269e77a7370468e75159b19c6cfb8acafbddd7e Mon Sep 17 00:00:00 2001 From: Joseph Heenan Date: Fri, 27 Sep 2024 17:42:50 +0100 Subject: [PATCH 1/2] Clarify that direct_post endpoint response is JSON. For completeness also clarify that unknown parameters must be ignored as we've recently done elsewhere. closes #272 --- openid-4-verifiable-presentations-1_0.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index c7c6afb..4ccd824 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md @@ -638,7 +638,7 @@ It has been defined to address the following use cases: The Response Mode is defined in accordance with [@!OAuth.Responses] as follows: `direct_post`: -: In this mode, the Authorization Response is sent to the Verifier using an HTTP POST request to an endpoint controlled by the Verifier. The Authorization Response parameters are encoded in the body using the `application/x-www-form-urlencoded` content type. The names and values in the body MUST be encoded using UTF-8. The flow can end with an HTTP POST request from the Wallet to the Verifier, or it can end with a redirect that follows the HTTP POST request, if the Verifier responds with a redirect URI to the Wallet. +: In this mode, the Authorization Response is sent to the Verifier using an HTTP POST request to an endpoint controlled by the Verifier. The Authorization Response parameters are encoded in the body using the `application/x-www-form-urlencoded` content type. The names and values in the body MUST be encoded using UTF-8. The response from the Verifier is a JSON object as defined below. The flow can end with an HTTP POST request from the Wallet to the Verifier, or it can end with a redirect that follows the HTTP POST request, if the Verifier responds with a redirect URI to the Wallet. The following new Authorization Request parameter is defined to be used in conjunction with Response Mode `direct_post`: @@ -699,13 +699,15 @@ Content-Type: application/x-www-form-urlencoded state=eyJhb...6-sVA ``` -If the Response URI has successfully processed the Authorization Response or Authorization Error Response, it MUST respond with HTTP status code 200. +If the Response URI has successfully processed the Authorization Response or Authorization Error Response, it MUST respond with HTTP status code 200 and a JSON object. -The following new parameter is defined for use in the response from the Response Endpoint to the Wallet: +The following new parameter is defined for use in the JSON object returned from the Response Endpoint to the Wallet: `redirect_uri`: : OPTIONAL. String containing a URI. When this parameter is present the Wallet MUST redirect the user agent to this URI. This allows the Verifier to continue the interaction with the End-User on the device where the Wallet resides after the Wallet has sent the Authorization Response to the Response URI. It can be used by the Verifier to prevent session fixation ((#session_fixation)) attacks. The Response URI MAY return the `redirect_uri` parameter in response to successful Authorization Responses or for Error Responses. +Additional response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. + Note: Response Mode `direct_post` without the `redirect_uri` could be less secure than Response Modes with redirects. For details, see ((#session_fixation)). The value of the redirect URI is an absolute URI as defined by [@!RFC3986] Section 4.3 and is chosen by the Verifier. The Verifier MUST include a fresh, cryptographically random value in the URL. This value is used to ensure only the receiver of the redirect can fetch and process the Authorization Response. The value can be added as a path component, as a fragment or as a parameter to the URL. It is RECOMMENDED to use a cryptographic random value of 128 bits or more. For implementation considerations see (#implementation_considerations_direct_post). From b5f25e4209c41a73ad2d659907a10f0f345565b7 Mon Sep 17 00:00:00 2001 From: Joseph Heenan Date: Tue, 8 Oct 2024 10:08:59 +0100 Subject: [PATCH 2/2] Attempt to address Tobias's feedback --- openid-4-verifiable-presentations-1_0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index 4ccd824..be8a165 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md @@ -638,7 +638,7 @@ It has been defined to address the following use cases: The Response Mode is defined in accordance with [@!OAuth.Responses] as follows: `direct_post`: -: In this mode, the Authorization Response is sent to the Verifier using an HTTP POST request to an endpoint controlled by the Verifier. The Authorization Response parameters are encoded in the body using the `application/x-www-form-urlencoded` content type. The names and values in the body MUST be encoded using UTF-8. The response from the Verifier is a JSON object as defined below. The flow can end with an HTTP POST request from the Wallet to the Verifier, or it can end with a redirect that follows the HTTP POST request, if the Verifier responds with a redirect URI to the Wallet. +: In this mode, the Authorization Response is sent to the Verifier using an HTTP POST request to an endpoint controlled by the Verifier. The Authorization Response MUST be encoded in the request body using the format defined by the `application/x-www-form-urlencoded` HTTP content type. The parameters in the request body MUST all be encoded using UTF-8. The verifier can request that the wallet redirects the user to the verifier using the response as defined below. The following new Authorization Request parameter is defined to be used in conjunction with Response Mode `direct_post`: @@ -699,7 +699,7 @@ Content-Type: application/x-www-form-urlencoded state=eyJhb...6-sVA ``` -If the Response URI has successfully processed the Authorization Response or Authorization Error Response, it MUST respond with HTTP status code 200 and a JSON object. +If the Response URI has successfully processed the Authorization Response or Authorization Error Response, it MUST respond with an HTTP status code of 200 with `Content-Type` of `application/json` and a JSON object in the response body. The following new parameter is defined for use in the JSON object returned from the Response Endpoint to the Wallet: