You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-oauth-attestation-based-client-auth.md
+9-5Lines changed: 9 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -143,7 +143,7 @@ Client Attester:
143
143
: An entity that authenticates a Client Instance and attests it by issuing a Client Attestation JWT.
144
144
145
145
Challenge:
146
-
: A String that is the input to a cryptographic challenge-response pattern. This is traditionally called nonce within OAuth.
146
+
: A String that is the input to a cryptographic challenge-response pattern. This is traditionally called a nonce within OAuth.
147
147
148
148
# Relation to RATS
149
149
@@ -224,7 +224,7 @@ The following content applies to the JWT Claims Set:
224
224
* `exp`: REQUIRED. The `exp` (expiration time) claim MUST specify the time at which the Client Attestation PoP is considered expired. The authorization server MUST reject any JWT with an expiration time that has passed, subject to allowable clock skew between systems. Note that the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future.
225
225
* `aud`: REQUIRED. The `aud` (audience) claim MUST specify a value that identifies the authorization server as an intended audience. The {{RFC8414}} issuer identifier URL of the authorization server MUST be used as a value for an "aud" element to identify the authorization server as the intended audience of the JWT.
226
226
* `jti`: REQUIRED. The `jti` (JWT identifier) claim MUST specify a unique identifier for the Client Attestation PoP. The authorization server MAY ensure that JWTs are not replayed by maintaining the set of used "jti" values for the length of time for which the JWT would be considered valid based on the applicable "exp" instant.
227
-
* `challenge`: OPTIONAL. The `challenge` (challenge) claim MUST specify a String value that is provided by the authorization server to associate the Client Attestation PoP JWT with a particular transaction and prevent replay attacks.
227
+
* `challenge`: OPTIONAL. The `challenge` (challenge) claim MUST specify a String value that is provided by the authorization server for the client to include in the Client Attestation PoP JWT.
228
228
* `iat`: OPTIONAL. The `iat` (issued at) claim MUST specify the time at which the Client Attestation PoP was issued. Note that the authorization server may reject JWTs with an "iat" claim value that is unreasonably far in the past.
229
229
* `nbf`: OPTIONAL. The `nbf` (not before) claim MUST specify the time before which the Client Attestation PoP MUST NOT be accepted for processing.
230
230
@@ -429,7 +429,7 @@ To validate a client attestation using the concatenated serialization form, the
429
429
430
430
# Challenge Retrieval {#challenge-retrieval}
431
431
432
-
This section defines an optional mechanism that allows a Client to request a fresh Challenge from the Authorization Server to be used for the OAuth-Client-Attestation-PoP. This construct may be similar or equivalent to a nonce, see [](terminology). The challenge is opaque to the client.
432
+
This section defines an optional mechanism that allows a Client to request a fresh Challenge from the Authorization Server to be included in the ClientAttestationPoP JWT. This construct may be similar or equivalent to a nonce, see [](terminology). The value of the challenge is opaque to the client.
433
433
434
434
An Authorization Server MAY offer a challenge endpoint, that it MUST signal via the metadata entry `challenge_endpoint`. If the Authorization Server offers a challenge endpoint, the Client MUST retrieve a challenge and MUST use this challenge in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
435
435
@@ -444,7 +444,7 @@ Accept: application/json
444
444
~~~
445
445
446
446
The Authorization Server provides a Challenge in the HTTP response with a 200 status code and the following parameters included in the message body of the HTTP response using the application/json media type:
447
-
* attestation-challenge: REQUIRED. String containing a Challenge to be used in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
447
+
* attestation_challenge: REQUIRED. String containing a Challenge to be used in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
448
448
449
449
The Authorization Server MUST make the response uncacheable by adding a `Cache-Control` header field including the value `no-store`. The Authorization Server MAY add additional challenges or data.
450
450
@@ -453,7 +453,11 @@ The following is a non-normative example of a response:
453
453
~~~
454
454
HTTP/1.1 200 OK
455
455
Host: as.example.com
456
-
attestation-challenge: AYjcyMzY3ZDhiNmJkNTZ
456
+
Content-Type: application/json
457
+
458
+
{
459
+
"attestation_challenge": "AYjcyMzY3ZDhiNmJkNTZ"
460
+
}
457
461
~~~
458
462
459
463
## Providing Challenges on Previous Successful Responses
0 commit comments