-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pre-Authorized Code Flow: When wallet must include authorization_details
to the Token Request?
#388
Comments
My take: There should never be a requirement from an issuer for the wallet to include The case where the wallet would do it is when it has a specific integration with that issuer and is aware it can usefully do something by including The default position is that the pre-authorised code alone is sufficient and will result in the wallet receiving all the credentials the issuer intends to issue. |
Dear @jogu thank you for your comment. I think that there are issuance use-cases which cannot be implemented without Not having a way to communicate this requirement to the wallet, leaves as the only option what you call "specific integration", in your comment. I think, though, that this need for a "special integration" limits, to some extend, the interoperability wallet/issuer . An anticipated, feature was added to d14 (to use |
Ah, so there is an issue open to potentially clarify things in the spec here: #242 I think there's an assumption above that an authorization_details in the response can only be provided if an authorization details is provided in the request? I believe that an |
Hi @jogu Yes. I think that at the end of the day what is creating confusion is the phrase:
This clearly describes that token response can have What you suggest for Pre-authorized Code flow, that is In Pre-Authorized Code, an implied "authorization" has already happened and token endpoint just returns the authorization details and the access token for this. |
In paragraph 6.1.1
there is the following text
From a wallet perspective, it is not clear, IMHO, when
authorization_details
MUST be included to the token request in Pre-Authorized Code Flow.From the Issuer perspective, it is also not clear how will can the wallet be informed that it MUST use
authorization_details
in Pre-Authorized Code Flow.For instance, taking the example from 6.2 and assuming there was a credential offer with a Pre-Authorized Code Flow
authorization_details
to the token request (to receive such a response)?authorization_details
for a specificcredential_configuration_id
?PS: In the authorization code flow, the absence/presence of a scope in the
credential_configuration_id
meta-data could be used as a hint. If scope is missing probablyauthorization_details
should be used.The text was updated successfully, but these errors were encountered: