Skip to content

Commit

Permalink
clarify expected_origins must not be used with unsigned requests
Browse files Browse the repository at this point in the history
  • Loading branch information
Kristina Yasuda authored and Kristina Yasuda committed Jan 21, 2025
1 parent d4d6e85 commit 57c7ab0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion openid-4-verifiable-presentations-1_0.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2027,7 +2027,7 @@ The value of the `response_mode` parameter MUST be `dc_api` when the response is

In addition to the above-mentioned parameters, a new parameter is introduced for OpenID4VP over the W3C Digital Credentials API:

* `expected_origins`: REQUIRED when signed requests defined in (#signed_request) are used with the Digital Credentials API (DC API). An array of strings, each string representing an Origin of the Verifier that is making the request. The Wallet can detect replay of the request from a malicious Verifier by comparing values in this parameter to the Origin.
* `expected_origins`: REQUIRED when signed requests defined in (#signed_request) are used with the Digital Credentials API (DC API). An array of strings, each string representing an Origin of the Verifier that is making the request. The Wallet can detect replay of the request from a malicious Verifier by comparing values in this parameter to the Origin. It MUST NOT be used with unsigned requests.

Additional request parameters MAY be defined and used with OpenID4VP over the DC API.

Expand Down

0 comments on commit 57c7ab0

Please sign in to comment.