Skip to content

Commit f39fe2c

Browse files
fkjVanderkast
andcommitted
Clarify auth_session behavior in redirect-to-web.
Co-authored-by: Valentine Mazurov <vanderkast@yandex.ru>
1 parent 33ebd75 commit f39fe2c

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

1.1/openid-4-verifiable-credential-issuance-1_1.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -928,7 +928,7 @@ The Wallet MUST only use a `request_uri` value once.
928928
Authorization servers SHOULD treat `request_uri` values as one-time use but MAY allow for duplicate requests due to a user reloading/refreshing their user agent. An expired request_uri MUST be rejected as invalid.
929929
The Authorization Server MAY include the `expires_in` key as defined in [@!RFC9126].
930930

931-
Since the `request_uri` allows the Authorization Server to associate the Authorization Request with the ongoing authorization request sequence, no `auth_session` is needed.
931+
Since the `request_uri` allows the Authorization Server to associate the Authorization Request with the ongoing authorization request sequence, the Authorization Server MUST omit `auth_session` parameter in the response. The `auth_session` will be returned in the redirect back to the Wallet if required.
932932

933933
Non-normative Example:
934934

0 commit comments

Comments
 (0)