initial draft for challenge endpoint #112

paulbastian · 2025-05-09T14:25:35Z

Closes #110
Closes #104
Closes #102
Closes #101

include some security consideration comparing freshness and replay prevention @paulbastian
discuss option to include some state parameter to the challenge request
IANA registry entry @tplooker
adapt header based syntax to Attestation-Challenge @paulbastian
clarify that the response using the HTTP header may also be an error @c2bo
introduce an use_attestation_challenge OAuth error @c2bo
introduce invalid_client_attestation @c2bo
consider namespacing headers etc @tplooker

draft-ietf-oauth-attestation-based-client-auth.md

TimoGlastra · 2025-05-10T12:49:53Z

draft-ietf-oauth-attestation-based-client-auth.md


-The client MUST use this nonce in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
+A request for a Challenge is made by sending an HTTP POST request to the URL provided in the challenge_endpoint parameter of the Authorization Server metadata.


Now that there's a dedicated endpoint, this should be registered in the iana registry i think?

Agreed we should add an IANA registration request here for this element.

draft-ietf-oauth-attestation-based-client-auth.md

Co-authored-by: Tobias Looker <[email protected]> Co-authored-by: Timo Glastra <[email protected]>

paulbastian · 2025-05-20T16:21:55Z

draft-ietf-oauth-attestation-based-client-auth.md


 # Appendix A IANA Considerations

 ## OAuth Parameters Registration

 This specification requests registration of the following values in the IANA "OAuth Authorization Server Metadata" registry {{IANA.OAuth.Params}} established by {{RFC8414}}.

-* Metadata Name: client_attestation_pop_nonce_required
-* Metadata Description: An array of URLs that specify the endpoints supporting the nonce retrieval and expecting a Client Attestation bound to a server-provided nonce.
+* Metadata Name: client_attestation_pop_challenge_required


exchage this with challenge_endpoint

Co-authored-by: Paul Bastian <[email protected]>

paulbastian · 2025-05-27T06:28:31Z

draft-ietf-oauth-attestation-based-client-auth.md

+
+## Providing Challenges on Previous Successful Responses
+
+The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "attestation-challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP.


Suggested change

The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "attestation-challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP.

The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "Attestation-Challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP.

draft-ietf-oauth-attestation-based-client-auth.md

Co-authored-by: Paul Bastian <[email protected]>

paulbastian added 2 commits May 9, 2025 16:24

initial draft for challenge endpoint

e556191

fix linting

6cbc2ae

TimoGlastra reviewed May 10, 2025

View reviewed changes