Description
Requesting clarification on whether the request_uri response can be an unsigned JWS or if it is required to be signed.
Use Case
For clients using the redirect_uri prefix, signed requests are not supported. In this scenario, is reference mode using request_uri achievable with an unsigned request_uri response?
Example JWT header:
Example JWS:
eyJhbGciOiJub25lIn0./*Payload in B64 encoded form*/.
References
The following references indicate that the request_uri response is expected to be signed:
OpenID4VP — Request URI Response
The Request URI response MUST be an HTTP response with the content type application/oauth-authz-req+jwt and the body being a signed, optionally encrypted ([OpenID4VP ref](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-5.10.1-1)).
RFC 9101 — Authorization Request Object
The Authorization Request Object MUST be one of the following:
(a) JWS signed
(b) JWS signed and JWE encrypted
([RFC 9101 ref](https://www.rfc-editor.org/info/rfc9101/#section-5-7))
Based on these requirements, clarification is requested on whether an unsigned request_uri response is permitted or if signing is mandatory.
Description
Requesting clarification on whether the
request_uriresponse can be an unsigned JWS or if it is required to be signed.Use Case
For clients using the
redirect_uriprefix, signed requests are not supported. In this scenario, is reference mode usingrequest_uriachievable with an unsignedrequest_uriresponse?Example JWT header:
{ "alg": "none" }Example JWS:
References
The following references indicate that the
request_uriresponse is expected to be signed:OpenID4VP — Request URI Response
RFC 9101 — Authorization Request Object
Based on these requirements, clarification is requested on whether an unsigned
request_uriresponse is permitted or if signing is mandatory.