Better guidance how the Verifier matches the incoming direct_post request with the user session

[paulbastian]

In 5.2. Existing Parameters OpenID4VP says about state:

REQUIRED under the conditions defined in Section 5.3. Otherwise, state is OPTIONAL. state values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde).

In 14.3.2. Protection of the Response URI OpenID4VP says about state:

The Verifier SHOULD protect its Response URI from inadvertent requests by checking that the value of the received state parameter corresponds to a recent Authorization Request.

I propose to update the text in section 5.2:

REQUIRED under the conditions defined in Section 5.3. Otherwise, state is RECOMMENDED. state values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde).

[jogu]

Discussed on today's WG call:

Either we need to change that text about protection of the response uri, or we need to change state to be recommended for redirect flows.

Not sure there's another way to protect response uri?

[paulbastian]

I've seen people putting identifiers in the response URI, but I think the state is a much clearer way to do this, so I would recommend state.

[fkj]

Sounds like a good idea to me to make state RECOMMENDED.

[brentzundel]

@paulbastian agreed to raise a PR