add clarification on http redirect#753
Conversation
Co-authored-by: Frederik Krogsdal Jacobsen <fkj@users.noreply.github.com>
|
TODO: Also add to 1.0 errata? I'd assume so, but would like to have a confirmation to do so. |
I would say yes, this should also be an errata for 1.0. |
jogu
left a comment
There was a problem hiding this comment.
I'd agree with adding this to the errata too.
Co-authored-by: Joseph Heenan <joseph@heenan.me.uk>
|
|
||
| ## HTTP Redirects {#http_redirects} | ||
|
|
||
| This specification does not use HTTP redirects (HTTP status codes 3xx) for the HTTP requests defined in this specification that the Wallet sends directly to the Verifier. Specifically, HTTP redirects are not used in the request to retrieve the Request Object from the Request URI (whether using the `get` method as defined in [@RFC9101] or the `post` method defined in (#request_uri_method_post)) and the request transmitting the Authorization Response to the Response URI (see (#response_mode_post)). If the Wallet receives an HTTP redirect in response to one of these requests, it SHOULD NOT follow the redirect and SHOULD treat the response as an error. Extensions and profiles of this specification MAY define the use of HTTP redirects for specific requests. |
There was a problem hiding this comment.
What does "directly" mean in "that the Wallet sends directly to the Verifier" ? Are there any indirect messages?
There was a problem hiding this comment.
I think it is intended to mean "not including messages that include a redirect_uri" which obviously should be redirected to.
There was a problem hiding this comment.
Should we mention Section 15.4 of RFC9110 to make this language clear?
There was a problem hiding this comment.
I added that note below to make clear that redirect_uri is something different - I believe status codes 3xx are pretty clear?
|
@c2bo It looks like your question about whether this should also be 1.0 errata has been answered positively. Would you like to modify this PR with that addition or do that in a separate PR? |
Co-authored-by: Paul Bastian <paul.bastian@posteo.de>
Added the changes to 1.0 as well and accepted @paulbastian's suggestion. Everything should be good to go now from my side |
Closes #680