Skip to content

Clarification on Request URI response #756

Description

@KiruthikaJeyashankar

Description

Requesting clarification on whether the request_uri response can be an unsigned JWS or if it is required to be signed.

Use Case

For clients using the redirect_uri prefix, signed requests are not supported. In this scenario, is reference mode using request_uri achievable with an unsigned request_uri response?

Example JWT header:

{
  "alg": "none"
}

Example JWS:

eyJhbGciOiJub25lIn0./*Payload in B64 encoded form*/.

References

The following references indicate that the request_uri response is expected to be signed:

OpenID4VP — Request URI Response

The Request URI response MUST be an HTTP response with the content type application/oauth-authz-req+jwt and the body being a signed, optionally encrypted ([OpenID4VP ref](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-5.10.1-1)).

RFC 9101 — Authorization Request Object

The Authorization Request Object MUST be one of the following:
(a) JWS signed
(b) JWS signed and JWE encrypted
([RFC 9101 ref](https://www.rfc-editor.org/info/rfc9101/#section-5-7))

Based on these requirements, clarification is requested on whether an unsigned request_uri response is permitted or if signing is mandatory.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions