-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using a server provided nonce to limit the lifetime of a Client Attestation PoP JWT #59
Comments
Please see #67 for a proposal to use DPoP which would provide an alternative solution to this proposal. |
Thoughts from today's editor call: Proposal 1: DPoP styleAdvantages:
Disadvantage:
Proposal 2: new/extended mechanismextend DPoP with:
Advantages:
Disadvantage:
Do we want the Wallet to cache the nonces at all? Doesn't this open tracking by the issuer? This makes it even more obvious that we need explicit nonce requests! |
@paulbastian How do you envision the client to determine whether a nonce is needed? I'm asking since if the client would know this in advance, it would allow a design where the client could obtain the nonce from a dedicated endpoint before calculating the PoP and sending the token request. |
One idea was to add certain datapoints to the (previous) response - things like expiration time that could be a used as an indicator for the client that a nonce is not valid anymore (but not a guarantee that it will be accepted by the server). |
My question is related to a client that just received an authorization code and now wants to authentication using a client attestation. How is the client supposed to figure our whether a nonce is needed? I see the following options:
|
I think there are 2 kinds of information we should consider: |
Following up on the conversations some of us had after IIW (see openid/OpenID4VCI#71 (comment)), this issue proposes the addition of a server provided nonce mechanism to limit the lifetime of a Client Attestation PoP JWT, similar to the DPoP nonce mechanism.
This relates to openid/OpenID4VCI#71, however the required changes need to be addressed on the attestation spec and not on the VCI spec.
I'm currently working on a PR to add this.
The text was updated successfully, but these errors were encountered: