-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression issue : the authorization_server endpoint in the offer is not taken into account anymore #3172
Comments
The url is not the good one, it is probably a fallback if there is no endpoint found. the wallet should look for the authorization server metadata on the authorization_server of the offer + "/.well-known/oauth-authorization-server" endpoint as it is defined here https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-ID1.html#name-credential-issuer-metadata-p |
@hawkbee1 si l 'url de l'authorization (URL_AS) server est dans la credential offer il faut verifier qu'il est aussi dans la liste des authorization server qui est donnée dans les credential issuer metadata attribut si il n'y a pas d'authorization server nommé dans l offer. il faut utiliser l'url de l issuer (URL_ISSUER) pour trouver les metadatas de l authorization server sur Donc en definitive les metadatas de l'authorization server ne sont pas mélangées avec celles de l issuer et ne sont pas sur /.well-known/openid-configuration......sauf pour EBSI V3x |
OPENID4VCI with draft >= 13 |
authorization_servers: OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this parameter is omitted, the entity providing the Credential Issuer is also acting as the Authorization Server, i.e., the Credential Issuer's identifier is used to obtain the Authorization Server metadata. The actual OAuth 2.0 Authorization Server metadata is obtained from the oauth-authorization-server well-known location as defined in Section 3 of [RFC8414]. When there are multiple entries in the array, the Wallet may be able to determine which Authorization Server to use by querying the metadata; for example, by examining the grant_types_supported values, the Wallet can filter the server to use based on the grant type it plans to use. When the Wallet is using authorization_server parameter in the Credential Offer as a hint to determine which Authorization Server to use out of multiple, the Wallet MUST NOT proceed with the flow if the authorization_server Credential Offer parameter value does not match any of the entries in the authorization_servers array. |
Authorization servers supporting metadata MUST make a JSON document Different applications utilizing OAuth authorization servers in Jones, et al. Standards Track [Page 8] URI string "/.well-known/oauth-authorization-server", which is the An OAuth 2.0 application using this specification MUST specify what Some OAuth applications will choose to use the well-known URI suffix 3.1. Authorization Server Metadata Request An authorization server metadata document MUST be queried using an The client would make the following request when the issuer
If the issuer identifier value contains a path component, any
Using path components enables supporting multiple issuers per host. Jones, et al. Standards Track [Page 9] 3.2. Authorization Server Metadata Response The response is a set of claims about the authorization server's Claims that return multiple values are represented as JSON arrays. An error response uses the applicable HTTP status code value. The following is a non-normative example response:
Jones, et al. Standards Track [Page 10] 3.3. Authorization Server Metadata Validation The "issuer" value returned MUST be identical to the authorization
Processing some OAuth 2.0 messages requires comparing values in the Therefore, comparisons between JSON strings and other Unicode strings
Note that this is the same equality comparison procedure described in
The identifiers "/.well-known/openid-configuration", "op_policy_uri", The algorithm for transforming the issuer identifier to an |
it fauils with Sicpa test |
That is the first authorization_endpoint to use if it exists
In the following case the authorization_server endpoint is in the offer and the token endpoint is in the authorization server metadata
test with
The text was updated successfully, but these errors were encountered: