
initial draft for challenge endpoint #112


Draft pull request: wants to merge 8 commits into base: main

Conversation

paulbastian (Collaborator) commented May 9, 2025

Closes #110
Closes #104
Closes #102
Closes #101

  • include some security consideration comparing freshness and replay prevention @paulbastian
  • discuss option to include some state parameter to the challenge request
  • IANA registry entry @tplooker
  • adapt header based syntax to Attestation-Challenge @paulbastian
  • clarify that the response using the HTTP header may also be an error @c2bo
  • introduce a use_attestation_challenge OAuth error @c2bo
  • introduce invalid_client_attestation @c2bo
  • consider namespacing headers etc @tplooker


The client MUST use this nonce in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
A request for a Challenge is made by sending an HTTP POST request to the URL provided in the challenge_endpoint parameter of the Authorization Server metadata.


Now that there's a dedicated endpoint, this should be registered in the IANA registry, I think?

Collaborator:

Agreed we should add an IANA registration request here for this element.

Co-authored-by: Tobias Looker <[email protected]>
Co-authored-by: Timo Glastra <[email protected]>

# Appendix A IANA Considerations

## OAuth Parameters Registration

This specification requests registration of the following values in the IANA "OAuth Authorization Server Metadata" registry {{IANA.OAuth.Params}} established by {{RFC8414}}.

* Metadata Name: client_attestation_pop_nonce_required
* Metadata Description: An array of URLs that specify the endpoints supporting the nonce retrieval and expecting a Client Attestation bound to a server-provided nonce.
* Metadata Name: client_attestation_pop_challenge_required
Collaborator Author:

exchange this with challenge_endpoint


## Providing Challenges on Previous Successful Responses

The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "attestation-challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP.
Collaborator Author:

Suggested change
The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "attestation-challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP.
The Authorization Server MAY provide a fresh Challenge on any previous successful response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "Attestation-Challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP.
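Review bot: HTTP field names are case-insensitive (RFC 9110), so changing "attestation-challenge" to "Attestation-Challenge" fixes the documented spelling but does not make the MUST case-sensitive; consider wording it as "the field is named Attestation-Challenge" and stating that clients match the name case-insensitively, and, since the checklist already lists an IANA entry, register the field in the IANA Hypertext Transfer Protocol (HTTP) Field Name Registry alongside the metadata parameter. Also, "a HTTP header-based syntax" should read "an HTTP header-based syntax" in both lines.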

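The flow discussed in this PR, from the POST to challenge_endpoint through checking the challenge in the PoP and handing back a fresh one in the Attestation-Challenge header, as an added Python example that is not part of the draft or of this PR. The JSON member name attestation_challenge, the 300-second lifetime, and the use of the invalid_client_attestation error code from the checklist are assumptions.

```python
import secrets
import time

CHALLENGE_TTL = 300  # seconds; assumed lifetime, the PR text fixes none

class ChallengeStore:
    """Authorization Server record of issued challenges.

    A challenge is unpredictable, expires after CHALLENGE_TTL (freshness) and
    is deleted the first time it is consumed (replay prevention), so a captured
    OAuth-Client-Attestation-PoP cannot be presented a second time.
    """

    def __init__(self, now=time.time, token=secrets.token_urlsafe):
        self._now, self._token = now, token  # injectable for tests
        self._issued = {}  # challenge -> expiry timestamp

    def issue(self):
        challenge = self._token(32)
        self._issued[challenge] = self._now() + CHALLENGE_TTL
        return challenge

    def consume(self, challenge):
        """True exactly once for a live challenge; False on replay or expiry."""
        expiry = self._issued.pop(challenge, None)
        return expiry is not None and expiry > self._now()

def challenge_endpoint(store):
    """Handler for the POST to challenge_endpoint; returns (status, headers,
    body). The JSON member name attestation_challenge is an assumption."""
    return 200, {"Content-Type": "application/json"}, {"attestation_challenge": store.issue()}

def attested_endpoint(store, pop_challenge, result):
    """Endpoint expecting a PoP bound to a challenge. Success and error replies
    both carry a fresh challenge in Attestation-Challenge (as the PR proposes);
    invalid_client_attestation is the error code from the PR checklist."""
    headers = {"Attestation-Challenge": store.issue()}
    if not store.consume(pop_challenge):
        return 401, headers, {"error": "invalid_client_attestation"}
    return 200, headers, result

def next_challenge(response_headers, current):
    """Client side: keep the fresh challenge for the next PoP. HTTP field names
    are case-insensitive (RFC 9110), so the name is matched without case."""
    for name, value in response_headers.items():
        if name.lower() == "attestation-challenge":
            return value
    return current
```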
Labels: None yet
Projects: None yet
4 participants