Skip to content

Make auth_session optional if other binding mechanism exists. #706

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
fkj wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Make auth_session optional if other binding mechanism exists. #706

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d6ee7cf
Make auth_session optional if other binding mechanism exists.
fkj Feb 6, 2026
46edbda
Clarify auth_session behavior in redirect-to-web.
fkj Feb 27, 2026
21aa905
Clarify auth_session requirements on interaction types.
fkj Feb 27, 2026
5215b8c
Make auth_session required only if interaction type requires it.
fkj Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions 1.1/openid-4-verifiable-credential-issuance-1_1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -808,10 +808,19 @@ Depending on this assessment, the response from the Interactive Authorization En
### Interaction Required Response {#iae-interaction-required-response}

By setting `status` to `require_interaction` in the response, the Authorization Server requests an additional user interaction.
In this case, the following keys MUST be present in the response as well:
In this case, the following key MUST be present in the response as well:

* `type`: REQUIRED. String indicating which type of interaction is required, as defined below. The Authorization Server MUST NOT set this to a value that was not included in the `interaction_types_supported` parameter sent by the Wallet.
* `auth_session`: REQUIRED. String containing a value that allows the Authorization Server to associate subsequent requests by this Wallet with the ongoing authorization request sequence. Wallets SHOULD treat this value as an opaque value. The value returned MUST be distinct for each interactive authorization response.

The Authorization Server MUST provide a mechanism to associate the next request by this Wallet with the ongoing authorization request sequence.
The following key MAY be present in the response to provide such a mechanism:

* `auth_session`: REQUIRED if specified by the interaction type. String containing a value that allows the Authorization Server to associate subsequent requests by this Wallet with the ongoing authorization request sequence. Wallets SHOULD treat this value as an opaque value. The value returned MUST be distinct for each interactive authorization response.

A definition of a custom type of interaction MUST include exactly one of the following:

1. A normative requirement that the `auth_session` key MUST be included in the Interaction Required Response.
2. A definition of a mechanism to associate the next request by the Wallet with the ongoing authorization request sequence.

The Wallet MUST include the most recently received `auth_session` in follow-up requests to the Interactive Authorization Endpoint.

Expand All @@ -826,6 +835,8 @@ If `type` is set to `openid4vp_presentation`, as shown in the following example,
* The `response_mode` MUST be either `iae-post` for unencrypted responses or `iae-post.jwt` for encrypted responses. These modes are used to indicate to the Wallet to return the response back to the same Interactive Authorization Endpoint.
* If `expected_origins` is present, it MUST contain only the derived Origin of the Interactive Authorization Endpoint as defined in Section 4 in [@RFC6454]. For example, the derived Origin from `https://example.com/iae` is `https://example.com`.

The response MUST include the key `auth_session` to associate the next request by this Wallet with the ongoing authorization request sequence.

The following is a non-normative example of an unsigned Authorization Request:

```
Expand Down Expand Up @@ -939,6 +950,8 @@ In this case, the Authorization server MUST include the key `request_uri` in the
The Wallet MUST use the `request_uri` value to build an Authorization Request as defined in Section 4 of [@!RFC9126] and complete the rest of the authorization process as defined there.
The Authorization Server MAY include the `expires_in` key as defined in [@!RFC9126].

Since the `request_uri` allows the Authorization Server to associate the Authorization Request with the ongoing authorization request sequence, the Authorization Server MUST omit `auth_session` parameter in the response. The `auth_session` will be returned in the redirect back to the Wallet if required.

Non-normative Example:

```
Expand Down Expand Up @@ -975,6 +988,7 @@ It is RECOMMENDED to use this extension point instead of modifying the OAuth pro
See (#iae-security) for additional security considerations.

In the following non-normative example, this extension point is used to read the Betelgeuse Intergalactic ID card through an NFC interface in the Wallet. A token called `biic_token` is used to start the process.
It is assumed that the `biic_token` is used by the Authorization Server to associate the next request by this Wallet with the ongoing authorization request sequence, and no `auth_session` is thus needed.

```
HTTP/1.1 200 OK
Expand Down
Loading