Skip to content

Add text requiring wallet to check expected_origins #542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jogu opened this issue Apr 12, 2025 · 1 comment · Fixed by #544
Closed

Add text requiring wallet to check expected_origins #542

jogu opened this issue Apr 12, 2025 · 1 comment · Fixed by #544
Assignees
@Sakurann
Labels
has-PR
Milestone
Final 1.0

Comments

@jogu
Copy link
Collaborator

jogu commented Apr 12, 2025

As per draft Stuttgart security analysis:

Expected Origins Parameter [OID4VP, Appendix A.2] introduces a new authentication request
parameter, expected_origins for signed requests over the DC API. However, the specification
does not explicitly require the wallet to verify that the origin asserted by the DC API is included in
this set.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Sakurann Sakurann

Labels
has-PR
Projects
None yet
Milestone
Final 1.0
Development

Successfully merging a pull request may close this issue.

wallet must validate expected_origins in the signed requests openid/OpenID4VP
2 participants
@jogu @Sakurann