RFC001 - Clarification whether PAR is required or not #116
Comments
RFC ITB issuer requires PAR https://dss.aegean.gr/rfc-issuer/.well-known/oauth-authorization-server so all RFC compliant wallets should be able to handle it. So let's make it mandatory and update authorization request accordingly.
Actually, the ITB supports PAR but doesn't mandate it... but overall I agree we need to reduce a bit the options to ensure interoperability for this pilot phase...
This is contrary to what metadata says
Oops, had forgotten that... I will change to false. But internally the process continues even if the wallet doesn't support PAR. This has to do with a previous issue I raised if we will make HAIP mandatory or not. But @andreasabr had some concerns about it...
Based on our current experiences, it is not easy to write an interoperable issuer according to RFC001. There are a lot of things that are optional in OID4VCI but underspecified in RFC001. One of these things is Pushed Authorization Request. Example of authorization metadata shows it as required, but example of Authorization request is not compliant with how a PAR request should look.
If PAR is required, it should be clearly stated in the RFC and examples should be updated accordingly.
If PAR is not required, then we don't have interoperability since at least Lissi wallet requires PAR so any issuer that will not implement PAR will not be compliant with at least one compliant wallet.
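
The mismatch described in this issue (metadata that marks PAR as required next to an authorization request that is not a PAR-style request) can be checked mechanically. The sketch below is an added example, not part of the issue or of RFC001: it shows the two messages of a PAR exchange as RFC 9126 defines them and a check of an authorization request against the authorization server metadata. The endpoint URLs, `client_id` and parameter values are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed authorization server metadata (RFC 8414 / RFC 9126 field names).
SAMPLE_METADATA = {
    "authorization_endpoint": "https://issuer.example/authorize",
    "pushed_authorization_request_endpoint": "https://issuer.example/par",
    "require_pushed_authorization_requests": True,
}

def par_post_body(params: dict) -> str:
    """Form body the wallet POSTs to the PAR endpoint (back channel)."""
    if "request_uri" in params:  # RFC 9126 section 2.1 forbids it in the push
        raise ValueError("request_uri must not be pushed")
    return urlencode(params)

def front_channel_url(metadata: dict, client_id: str, request_uri: str) -> str:
    """Authorization request after PAR: only client_id and request_uri."""
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{metadata['authorization_endpoint']}?{query}"

def check_request(metadata: dict, url: str) -> list:
    """Findings where an authorization request disagrees with the metadata."""
    findings = []
    endpoint = metadata.get("pushed_authorization_request_endpoint")
    required = metadata.get("require_pushed_authorization_requests", False)
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    uses_request_uri = "request_uri" in params
    if required and not endpoint:
        findings.append("PAR required but no PAR endpoint advertised")
    if required and not uses_request_uri:
        findings.append("PAR required but request has no request_uri")
    if uses_request_uri and "client_id" not in params:
        findings.append("client_id missing next to request_uri")
    if uses_request_uri:
        # Anything else in the URL travels in the front channel, outside the push.
        extra = sorted(set(params) - {"client_id", "request_uri"})
        if extra:
            findings.append("sent outside the pushed request: " + ", ".join(extra))
    return findings
```
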