From 747db7fc701a2b4a7bcc7a507a8cb48de0c99b11 Mon Sep 17 00:00:00 2001 From: Sakurann Date: Sun, 26 Apr 2026 23:50:27 +0200 Subject: [PATCH 1/3] section New Parameters is not exhaustive --- 1.0/openid-4-verifiable-presentations-1_0.md | 3 +++ 1.1/openid-4-verifiable-presentations-1_1.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index cccbdc27..273b7730 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md @@ -289,6 +289,9 @@ One exception to this rule is the `transaction_data` parameter. Wallets that do ## New Parameters {#new_parameters} This specification defines the following new request parameters: +`response_uri`: +: As defined in (#security_considerations_direct_post). + `dcql_query`: : A JSON object containing a DCQL query as defined in (#dcql_query). diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index c82af1df..caed6709 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -285,6 +285,9 @@ One exception to this rule is the `transaction_data` parameter. Wallets that do ## New Parameters {#new_parameters} This specification defines the following new request parameters: +`response_uri`: +: As defined in (#security_considerations_direct_post). + `dcql_query`: : A JSON object containing a DCQL query as defined in (#dcql_query). From 3780976dbfa37910b844fd42b87ddfd4d44607f4 Mon Sep 17 00:00:00 2001 From: Sakurann Date: Mon, 27 Apr 2026 00:00:50 +0200 Subject: [PATCH 2/3] resolves #675 --- 1.0/openid-4-verifiable-presentations-1_0.md | 5 +++-- 1.1/openid-4-verifiable-presentations-1_1.md | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index 273b7730..46671db1 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md @@ -311,7 +311,7 @@ This specification defines the following new request parameters: Other metadata parameters MUST be ignored unless a profile of this specification explicitly defines them as usable in the `client_metadata` parameter. `request_uri_method`: -: OPTIONAL. A string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present. +: OPTIONAL. A case-sensitive string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present. If the Verifier set the `request_uri_method` parameter value to `post` and there is no other means to convey its capabilities to the Wallet, it SHOULD add the `client_metadata` parameter to the Authorization Request. This enables the Wallet to assess the Verifier's capabilities, allowing it to transmit only the relevant capabilities through the `wallet_metadata` parameter in the Request URI POST request. @@ -3570,7 +3570,8 @@ The technology described in this specification was made available from contribut -31 * Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used - * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used + * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used + * Clarified that request_uri_method is a case-sensitive string -final diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index caed6709..b0699c65 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -307,7 +307,7 @@ This specification defines the following new request parameters: Other metadata parameters MUST be ignored unless a profile of this specification explicitly defines them as usable in the `client_metadata` parameter. `request_uri_method`: -: OPTIONAL. A string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present. +: OPTIONAL. A ase-sensitive string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present. If the Verifier set the `request_uri_method` parameter value to `post` and there is no other means to convey its capabilities to the Wallet, it SHOULD add the `client_metadata` parameter to the Authorization Request. This enables the Wallet to assess the Verifier's capabilities, allowing it to transmit only the relevant capabilities through the `wallet_metadata` parameter in the Request URI POST request. @@ -3638,3 +3638,4 @@ The technology described in this specification was made available from contribut * Add security consideration not to use VP Token as Access Token * Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used; e.g., it does not apply to JOSE HPKE * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used + * Clarified that request_uri_method is a case-sensitive string From 71b6e6b46e60f95d4184906e167cc430ea77caf3 Mon Sep 17 00:00:00 2001 From: Brent Zundel Date: Thu, 7 May 2026 09:32:56 -0600 Subject: [PATCH 3/3] Update 1.1/openid-4-verifiable-presentations-1_1.md Co-authored-by: Frederik Krogsdal Jacobsen --- 1.1/openid-4-verifiable-presentations-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index b0699c65..0db3c723 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -307,7 +307,7 @@ This specification defines the following new request parameters: Other metadata parameters MUST be ignored unless a profile of this specification explicitly defines them as usable in the `client_metadata` parameter. `request_uri_method`: -: OPTIONAL. A ase-sensitive string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present. +: OPTIONAL. A case-sensitive string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present. If the Verifier set the `request_uri_method` parameter value to `post` and there is no other means to convey its capabilities to the Wallet, it SHOULD add the `client_metadata` parameter to the Authorization Request. This enables the Wallet to assess the Verifier's capabilities, allowing it to transmit only the relevant capabilities through the `wallet_metadata` parameter in the Request URI POST request.