Dear OAuth WG,
After discussions about the nonce fetching mechanism in
attestation-based client authentication at OSW 2025/IETF 122 and on the
mailing list and GitHub afterwards, we have drafted a new mechanism that
hopefully pleases everybody on this difficult topic. Our proposal is as
usual on GitHub under PR#112
(https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/112).
I will summarize the most important points:
- renaming nonce to challenge
- include an optional challenge endpoint
- AS may publish the challenge endpoint through its metadata
- additional mechanism using a newly defined HTTP header, OAuth-Client-Attestation-Challenge, which may be used to provide a challenge on previous successful responses
- extended security considerations on freshness and replay attack prevention, listing all possible mechanisms and how the challenge endpoint fits in
- implementation considerations on replay attack prevention
Example (request to the challenge endpoint, followed by the response):

POST /as/challenge HTTP/1.1
Host: as.example.com
Accept: application/json

HTTP/1.1 200 OK
Content-Type: application/json

{
  "attestation_challenge": "AYjcyMzY3ZDhiNmJkNTZ"
}
We appreciate your feedback!
Best regards,
Paul + Christian + Tobias
OAuth mailing list -- oauth@ietf.org
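To make the replay-prevention point of the proposal concrete, here is an added sketch (my own illustration, not code from the draft or from PR#112) of an AS that mints single-use challenges at the challenge endpoint, accepts each one only once at the token endpoint, and hands the client its next challenge in the OAuth-Client-Attestation-Challenge header. The 300 s lifetime, the PoP claim name "challenge", and the invalid_client error response are assumptions.

```python
import secrets
import time

# Illustrative AS-side logic (not the draft's code). Assumed: challenges are
# opaque random strings, single-use, and expire after CHALLENGE_TTL seconds.
CHALLENGE_TTL = 300


class ChallengeStore:
    """Tracks challenges issued by the challenge endpoint until they are used."""

    def __init__(self, ttl=CHALLENGE_TTL, now=time.time):
        self._pending = {}   # challenge -> expiry timestamp
        self._ttl = ttl
        self._now = now      # injectable clock so expiry can be tested

    def issue(self):
        """Challenge endpoint: mint an unguessable challenge and remember it."""
        t = self._now()
        # bound memory: forget challenges that expired without ever being used
        self._pending = {c: e for c, e in self._pending.items() if e >= t}
        challenge = secrets.token_urlsafe(16)
        self._pending[challenge] = t + self._ttl
        return {"attestation_challenge": challenge}

    def consume(self, challenge):
        """Accept a challenge at most once, and only before it expires."""
        expiry = self._pending.pop(challenge, None)   # pop makes it single-use
        return expiry is not None and self._now() <= expiry


def handle_token_request(store, pop_claims):
    """Token endpoint: check the PoP's 'challenge' claim (assumed claim name),
    then return the next challenge in the OAuth-Client-Attestation-Challenge
    header. Signature checks on the attestation and PoP JWTs are assumed to
    have been done before this function is reached."""
    challenge = pop_claims.get("challenge")
    if not challenge or not store.consume(challenge):
        # assumption: absent, replayed and expired challenges all yield
        # the standard OAuth invalid_client error
        return 401, {"error": "invalid_client"}, {}
    headers = {"OAuth-Client-Attestation-Challenge":
               store.issue()["attestation_challenge"]}
    body = {"access_token": "constructed-token", "token_type": "Bearer"}
    return 200, body, headers
```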