initial draft for challenge endpoint #112
The client MUST use this nonce in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt). | ||
A request for a Challenge is made by sending an HTTP POST request to the URL provided in the challenge_endpoint parameter of the Authorization Server metadata. |
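Review bot: the terminology in these two lines is inconsistent. The first sentence tells the client to use "this nonce" in the "OAuth-Attestation-PoP", while the very next sentence (and the header-based section later in this PR) calls the value a Challenge and names the header OAuth-Client-Attestation-PoP. Pick one term for the value and one name for the header and use them throughout, e.g. "The client MUST use this Challenge in the OAuth-Client-Attestation-PoP as defined in (#client-attestation-pop-jwt)."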
Now that there's a dedicated endpoint, this should be registered in the IANA registry, I think?
Agreed, we should add an IANA registration request here for this element.
Co-authored-by: Tobias Looker <[email protected]>
Co-authored-by: Timo Glastra <[email protected]>
# Appendix A IANA Considerations | ||
## OAuth Parameters Registration | ||
This specification requests registration of the following values in the IANA "OAuth Authorization Server Metadata" registry {{IANA.OAuth.Params}} established by {{RFC8414}}. | ||
* Metadata Name: client_attestation_pop_nonce_required | ||
* Metadata Description: An array of URLs that specify the endpoints supporting the nonce retrieval and expecting a Client Attestation bound to a server-provided nonce. | ||
* Metadata Name: client_attestation_pop_challenge_required |
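Review bot: the second entry (client_attestation_pop_challenge_required) has a Metadata Name but no Metadata Description, and neither entry carries the Change Controller and Specification Document(s) fields that the RFC 8414 registration template requires. The parameter the body text actually depends on, challenge_endpoint (the URL the client POSTs to for a Challenge), is not registered here at all, and the first entry's description still speaks of a "nonce" rather than a Challenge. Suggest registering challenge_endpoint with a description along the lines of "URL of the Authorization Server's Challenge Endpoint" and completing the full template for every entry.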
Exchange this with challenge_endpoint.
Co-authored-by: Paul Bastian <[email protected]>
## Providing Challenges on Previous Successful Responses | ||
The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "attestation-challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP. |
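Review bot: "HTTP header field parameter" should read "HTTP header field" (a parameter is a component of a field value, not the field itself), and because HTTP field names are case-insensitive, the capitalisation of "attestation-challenge" is presentational and the spec should say so rather than imply the case is normative. Two things an implementer needs are also left undefined here: the syntax of the field value (is it the raw Challenge string, and with what permitted character set?), and whether a Challenge delivered in this header supersedes one the client already fetched from the challenge endpoint but has not yet used. Suggest adding the ABNF for the field value and one sentence on precedence.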
The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "attestation-challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP. | |
The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "Attestation-Challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP. |
Co-authored-by: Paul Bastian <[email protected]>
Closes #110
Closes #104
Closes #102
Closes #101