@@ -419,6 +424,32 @@ To validate a client attestation using the concatenated serialization form, the
419
424
2. After the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](client-attestation-pop-jwt).
420
425
3. The signature of the Client Attestation PoP JWT obtained after the '~' character verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained before the '~' character.
421
426
427
+
# Nonce Retrieval {#nonce-retrieval}
428
+
429
+
This specification defines header fields that allow a Client to request a fresh nonce value to be used in the OAuth-Client-Attestation-PoP. The nonce is opaque to the client.
430
+
431
+
An Authorization Server compliant with this specification SHOULD signal via the metadata entry `client_attestation_pop_nonce_required` which endpoints support and expect a server-provided nonce. The client MUST retrieve a nonce before other calls to this endpoint and MUST use this nonce for the Client Attestation PoP.
432
+
433
+
A Request to an endpoint supporting the server-provided nonce MUST include the `attestation-nonce-request` field name with the value `true` and use the HTTP method of type OPTIONS (without payload) to actively request a nonce. The server answers with an HTTP Response with status code 200 without body, but sets the header field `attestation-nonce` to the nonce.
434
+
435
+
The client MUST use this nonce in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
436
+
437
+
The following is a non-normative example of a request:
438
+
439
+
~~~
440
+
OPTIONS /as/par HTTP/1.1
441
+
Host: as.example.com
442
+
attestation-nonce-request: true
443
+
~~~
444
+
445
+
the following is a non-normative example of a response:
446
+
447
+
~~~
448
+
HTTP/1.1 200 OK
449
+
Host: as.example.com
450
+
attestation-nonce: AYjcyMzY3ZDhiNmJkNTZ
451
+
~~~
452
+
422
453
# Implementation Considerations
423
454
424
455
## Reuse of a Client Attestation JWT
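Review bot: the response example carries a `Host:` header (`HTTP/1.1 200 OK` followed by `Host: as.example.com`), but Host is a request header and does not belong on a response; drop it, and consider adding `Cache-Control: no-store` to the example and the normative text so an intermediary cannot hand a cached nonce to a different client. The sentence "The client MUST use this nonce in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt)" uses a different cross-reference syntax from the rest of the document (`[](#nonce-retrieval)`, `[](client-attestation-pop-jwt)`) and a different name for the PoP than the `OAuth-Client-Attestation-PoP` used two paragraphs earlier; make both consistent. The text also leaves the nonce's lifecycle unstated: the server is told to return `attestation-nonce`, but nothing says whether a nonce is single-use, how long it stays valid, or which error the endpoint returns when a request arrives without a fresh nonce, and that is exactly what an implementer needs in order to get replay protection right. Minor: "the following is a non-normative example of a response:" should start with a capital letter.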
@@ -458,6 +489,15 @@ The approach using a nonce explicitly provided by the authorization server gives
458
489
459
490
# Appendix A IANA Considerations
460
491
492
+
## OAuth Parameters Registration
493
+
494
+
This specification requests registration of the following values in the IANA "OAuth Authorization Server Metadata" registry {{IANA.OAuth.Params}} established by {{RFC8414}}.
* Metadata Description: An array of URLs that specify the endpoints supporting the nonce retrieval and expecting a Client Attestation bound to a server-provided nonce.
498
+
* Change Controller: IETF
499
+
* Reference: [](#nonce-retrieval) of this specification
500
+
461
501
## Registration of attest_jwt_client_auth Token Endpoint Authentication Method
462
502
463
503
This section registers the value "attest_jwt_client_auth" in the IANA "OAuth Token Endpoint Authentication Methods" registry established by OAuth 2.0 Dynamic Client Registration Protocol {{RFC7591}}.
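Review bot: the metadata entry is described as "An array of URLs that specify the endpoints supporting the nonce retrieval and expecting a Client Attestation bound to a server-provided nonce", but the name the Nonce Retrieval section gives it, `client_attestation_pop_nonce_required`, reads like a boolean; either rename it to something that signals a list of endpoints or state its type explicitly in that section so implementers do not emit `true`/`false`. Also align the phrasing with the registration that follows: this section says "requests registration of the following values" while the next says "This section registers the value"; pick one form for the appendix.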
@@ -479,12 +519,25 @@ This section requests registration of the following scheme in the "Hypertext Tra
479
519
* Status: permanent
480
520
* Reference: [](#headers) of this specification
481
521
522
+
<br/>
523
+
524
+
* Field Name: attestation-nonce-request
525
+
* Status: permanent
526
+
* Reference: [](#nonce-retrieval) of this specification
527
+
528
+
<br/>
529
+
530
+
* Field Name: attestation-nonce
531
+
* Status: permanent
532
+
* Reference: [](#nonce-retrieval) of this specification
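Review bot: the new field names `attestation-nonce-request` and `attestation-nonce` do not follow the naming of the field registered directly above them (`OAuth-Client-Attestation-PoP`, as the Nonce Retrieval section calls it); HTTP field names are case-insensitive, but an `OAuth-` prefix would keep the new fields recognisably part of the same mechanism and avoid a generic `attestation-nonce` name colliding with another specification's field. The bare `<br/>` separators between the registrations are raw HTML in the source; a blank line or a separate sub-list per field would render the same way in every output format.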