Clarification on aud claim of Request object #684

@babisRoutis


The specification provides the following description:

When the Verifier is sending a Request Object as defined in [RFC9101], the aud claim value depends on whether the recipient of the request can be identified by the Verifier or not:

  • the aud claim MUST be equal to the iss (issuer) claim value, when Dynamic Discovery is performed.
  • the aud claim MUST be "https://self-issued.me/v2", when Static Discovery metadata is used.
    Note: "https://self-issued.me/v2" is a symbolic string and can be used as an aud claim value even when this specification is used standalone, without SIOPv2.

Can you please clarify what this Dynamic vs Static discovery means when

  • we have an OpenID4VP authorization request (not combined with SIOP) and
  • the wallet is a mobile application

To my understanding, in the above case a Verifier has the chance to "dynamically" discover the wallet only if

  • Verifier uses request_uri_method equal to post and
  • Wallet performs such a post, passing wallet_metadata
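
A recipient-side check of the `aud` rule quoted from the specification, as an added example that is not part of the issue or of the specification. It only inspects claims and does not verify the Request Object signature; the function names, the `issuer` parameter (the issuer value the rule refers to, supplied by the caller) and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
from typing import Optional

# Symbolic audience value quoted in the issue for Static Discovery.
STATIC_AUD = "https://self-issued.me/v2"


def jwt_claims(compact_jwt: str) -> dict:
    """Decode the payload of a compact JWS. No signature verification here."""
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_aud(dynamic_discovery: bool, issuer: Optional[str]) -> str:
    """Return the aud value the quoted rule requires for the given mode."""
    if not dynamic_discovery:
        return STATIC_AUD
    if not issuer:
        raise ValueError("Dynamic Discovery needs an issuer value to compare with")
    return issuer


def check_request_object_aud(compact_jwt: str, dynamic_discovery: bool,
                             issuer: Optional[str] = None) -> bool:
    """True only if aud matches the value required for the discovery mode."""
    aud = jwt_claims(compact_jwt).get("aud")
    # Assumption: "MUST be equal" is read strictly, so a missing aud or an
    # array-valued aud is rejected rather than searched for a match.
    return isinstance(aud, str) and aud == expected_aud(dynamic_discovery, issuer)


def make_sample(claims: dict) -> str:
    """Build a constructed Request Object with a placeholder signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "ES256", "typ": "oauth-authz-req+jwt"}
    return f"{enc(header)}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    static_req = make_sample({"aud": STATIC_AUD, "client_id": "verifier.example"})
    print(check_request_object_aud(static_req, dynamic_discovery=False))
```
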
