Skip to content

Refine processing expected_origins and processing steps#719

Open
awoie wants to merge 17 commits into
mainfrom
awoie/fix-224
Open

Refine processing expected_origins and processing steps#719
awoie wants to merge 17 commits into
mainfrom
awoie/fix-224

Conversation

@awoie

@awoie awoie commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

Fixes #224

Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
Co-authored-by: Oliver Terbu <o.terbu@gmail.com>
@awoie

awoie commented Apr 16, 2026

Copy link
Copy Markdown
Contributor Author

I removed the term "opaque" as per WG consensus.

@awoie awoie changed the title Clarify origin is an opaque string Refine processing expected_origins and processing steps Apr 16, 2026
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
Co-authored-by: Oliver Terbu <o.terbu@gmail.com>

@fkj fkj left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the clarity could be improved by also adding text to note that an Origin can really be any string in the definition of Origin.

Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
@Sakurann

Copy link
Copy Markdown
Collaborator

APAC DCP WG discussion:

Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Co-authored-by: Frederik Krogsdal Jacobsen <fkj@users.noreply.github.com>
Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
Co-authored-by: Oliver Terbu <o.terbu@gmail.com>
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
@brentzundel

Copy link
Copy Markdown
Collaborator

Discussed during call. In general Marco's proposed change seems fine, but it should have correct references and retain some example text.

@brentzundel

Copy link
Copy Markdown
Collaborator

@marcoscaceres could you respond to comments made so far?

@paulbastian

Copy link
Copy Markdown
Contributor

wg call:

  • suggestion from @c2bo and @fkj to further iterate on @awoie latest proposal, taking reference from Marcos suggesting and merging them with ideas from @awoie
  • @c2bo is syncing with @awoie to make a new proposal, as it seems to complicated in a suggestion

@c2bo

c2bo commented Jun 23, 2026

Copy link
Copy Markdown
Member

I added the changes discussed in comments with the reference to the html origin terminology.

I wasn't sure about the link to whatwg - in IETF we had to pin to a specific commit instead of the living standard , so I did the same here.

Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
In addition to the above-mentioned parameters, a new parameter is introduced for OpenID4VP over the W3C Digital Credentials API:

* `expected_origins`: REQUIRED when signed requests defined in (#signed_request) are used with the Digital Credentials API (DC API). A non-empty array of strings, each string representing an Origin of the Verifier that is making the request. The Wallet MUST compare values in this parameter to the Origin to detect replay of the request from a malicious Verifier. If the Origin does not match any of the entries in `expected_origins`, the Wallet MUST return an error. This error SHOULD be an `invalid_request` error. This parameter is not for use in unsigned requests and therefore a Wallet MUST ignore this parameter if it is present in an unsigned request.
* `expected_origins`: REQUIRED when signed requests defined in (#signed_request) are used with the Digital Credentials API (DC API). A non-empty array of strings, each string representing an Origin of the Verifier that is making the request. The Wallet MUST compare values in this parameter to the provided Origin, treated as a string, using simple string comparison, without any prior processing or interpretation of either the `expected_origins` values or the provided Origin, to detect replay of the request from a malicious Verifier. Values using unsafe or unsupported URI schemes, including `ftp`, `javascript`, `data`, `ws`, and `wss`, MUST NOT be used. Values using the http scheme MUST NOT be used unless they are explicitly allowed for constrained scenarios such as local development or equivalent non-production environments. If the Origin does not match any of the entries in `expected_origins`, the Wallet MUST return an error. This error SHOULD be an `invalid_request` error. This parameter is not for use in unsigned requests and therefore a Wallet MUST ignore this parameter if it is present in an unsigned request.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not clear what "Values using unsafe or unsupported URI schemes" are, and the current list leaves it open ended. Would it be worthwhile to just restrict to http and https for now?

Similarly, the "Values using the http scheme MUST NOT be used unless they are explicitly allowed for constrained scenarios such as local development or equivalent non-production environments."

That's ambiguous. I think you want to go through the "is potentially trustworthy?" checks of the Secure Context spec. That covers the "local development or equivalent non-production environments" case unambiguously and safely.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we also allow want to allow calls from other apps with an expected_origins value , we shouldn't restrict to http/https imho.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WG discussion. given that there are use-cases for app-to-app, preference is to not limit it to http/https only.

we could quote https://www.w3.org/TR/secure-contexts/#is-url-trustworthy for the cases when values are http/https. @marcoscaceres is Secure context document published? it says [W3C Candidate Recommendation Draft](https://www.w3.org/standards/types#CRD), 10 November 2023 which means it's not a TR but URL says TR? if it's CR draft, then "These documents MUST NOT be cited as W3C standards and may or may not become W3C standards." ...

Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
Comment thread 1.1/openid-4-verifiable-presentations-1_1.md Outdated
Comment thread 1.0/openid-4-verifiable-presentations-1_0.md Outdated
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
@Sakurann

Sakurann commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

WG discussion: ready to merge once the last comment from marcos is resolved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Clarifications on processing expected_origins and processing steps

10 participants