change http method for nonce retrieval to HEAD

c2bo · c2bo · commit 27b81ea624e1 · 2025-03-02T23:37:16.000+01:00
diff --git a/draft-ietf-oauth-attestation-based-client-auth.md b/draft-ietf-oauth-attestation-based-client-auth.md
@@ -409,15 +409,14 @@ To validate a client attestation using the concatenated serialization form, the
 This specification defines header fields that allow a Client to request a fresh nonce value to be used in the OAuth-Client-Attestation-PoP.
 An Authorization Server compliant with this specification SHOULD signal via metadata whether a server-provided nonce MUST be used by the client.
 
-A Request to an endpoint from the AS can include the `attestation-nonce-request` field name with the value `true`. The server answers with a HTTP Response with status code 200, no payload, and the header field name `attestation-nonce` and value equal to the nonce.
+A Request to an endpoint from the AS can include the `attestation-nonce-request` field name with the value `true` and use the HTTP method of type HEAD (without payload). The server answers with an HTTP Response with status code 200, no payload, and the header field name `attestation-nonce` and value equal to the nonce.
 
 The client MUST use this nonce in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
 
-
 The following is a non-normative example of a request:
 
 ~~~
-POST /token HTTP/1.1
+HEAD /token HTTP/1.1
 Host: as.example.com
 attestation-nonce-request: true
 ~~~
