Feedback from Interop. @jogu
There is uncertainty among developers as to whether wallets should follow HTTP redirects (301, 302, 307), and, if so, in which cases.
Same for VCI.
Most HTTP clients follow redirects by default. The current OpenID Conformance Test does not follow redirects.
Example: a verifier implementation redirects a call to the request-uri
HTTP GET https://verifier.example.com/request-uri?static
<- HTTP 307 Temporary Redirect https://verifier.example.com/request-uri?id=234234
HTTP GET https://verifier.example.com/request-uri?id=234234
<- HTTP 200 OK <Authorization Request>
Should this be allowed?
In my opinion, HTTP redirects are a standard HTTP pattern that should be allowed by default and explicitly disallowed when necessary.
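One way a wallet could make its redirect handling for the request-uri explicit instead of inheriting the HTTP client's default, shown as an added example that is not part of the issue or of any OpenID specification. The https-only rule, the same-origin rule, the hop limit and the names `fetch_request_uri` and `fake_transport` are assumptions for illustration; the responses are constructed from the exchange in the post.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 307}   # the status codes named in the post
MAX_HOPS = 3                       # assumed limit, not from any specification

# Constructed responses standing in for a verifier; the first two entries
# mirror the exchange in the post, the other two are added failure cases.
BASE = "https://verifier.example.com/request-uri"
FAKE_VERIFIER = {
    BASE + "?static": (307, {"Location": BASE + "?id=234234"}, ""),
    BASE + "?id=234234": (200, {}, "<Authorization Request>"),
    BASE + "?offsite": (302, {"Location": "https://other.example.net/r"}, ""),
    BASE + "?loop": (307, {"Location": "/request-uri?loop"}, ""),
}

def fake_transport(url):
    """Hypothetical stand-in for an HTTP GET with auto-redirects disabled."""
    return FAKE_VERIFIER.get(url, (404, {}, ""))

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or 443)

def fetch_request_uri(url, transport=fake_transport, follow=True):
    """Return (final_url, body, hops); raise ValueError on a policy violation."""
    start = origin(url)
    if start[0] != "https":               # assumed rule: https only
        raise ValueError("request-uri must be https")
    seen = set()
    for hops in range(MAX_HOPS + 1):
        if url in seen:
            raise ValueError("redirect loop")
        seen.add(url)
        status, headers, body = transport(url)
        if status == 200:
            return url, body, hops
        if status not in REDIRECT_CODES:
            raise ValueError(f"unexpected status {status}")
        if not follow:
            raise ValueError("redirect refused by policy")
        location = headers.get("Location")
        if not location:
            raise ValueError("redirect without Location")
        target = urljoin(url, location)   # Location may be relative
        if origin(target) != start:       # assumed rule: same origin only
            raise ValueError("cross-origin redirect refused")
        url = target
    raise ValueError("too many redirects")
```

Calling it with `follow=False` reproduces the behaviour the post attributes to the conformance test, where the 307 is treated as a failure rather than followed.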