The proposed challenge fetching mechanism makes sense to me, also based on
our experience and discussions in OpenID4VC work in OIDF DCP WG.

Thank you for this work,
Kristina


On Tue, Jun 17, 2025 at 5:57 PM Paul Bastian <[email protected]> wrote:

> Dear OAuth WG,
>
> After discussions about the nonce fetching mechanism on
> attestation-based client authentication at OSW 2025/IETF 122 and in the
> mailing list and github afterwards, we have drafted a new mechanism that
> hopefully pleases everybody on this difficult topic. Our proposal is as
> usual on Github under PR#112
> (https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/112)
>
> I will summarize the most important points:
>
> - renaming nonce to challenge
> - include optional challenge endpoint
>    - AS may publish challenge endpoint through its metadata
> - additional mechanism using newly defined HTTP Header
> OAuth-Client-Attestation-Challenge, which may be used to provide a
> challenge on previous successful responses
> - extended security consideration on freshness and replay attack
> prevention, listing all possible mechanisms and how the challenge
> endpoint fits in
> - implementation consideration on replay attack prevention
>
> Example:
>
> POST /as/challenge HTTP/1.1
> Host: as.example.com
> Accept: application/json
>
> HTTP/1.1 200 OK
> Host: as.example.com
> Content-Type: application/json
>
> {
>    "attestation_challenge": "AYjcyMzY3ZDhiNmJkNTZ"
> }
>
> We appreciate your feedback!
>
> Best regards,
> Paul + Christian + Tobias
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
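As an added illustration of the server side of the proposal quoted above (this is example code written for this page, not code from PR#112 or the draft's authors): an authorization server that issues challenges from the challenge endpoint, carries a fresh challenge in the `OAuth-Client-Attestation-Challenge` header of a successful response, and rejects any challenge that is replayed, unknown or expired. The JSON member `attestation_challenge`, the header name and the `/as/challenge` path are taken from the mail; the in-memory store, the 300-second lifetime and the function names are assumptions made for the example, since the draft does not prescribe a storage model.

```python
import secrets
import time


class ChallengeStore:
    """In-memory record of challenges the AS has handed out.

    Constructed for this example: the draft only requires that a challenge
    be fresh and usable once; how the AS remembers it is up to the deployment.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds          # assumed lifetime, not from the draft
        self.clock = clock              # injectable for deterministic tests
        self._issued = {}               # challenge -> expiry timestamp

    def issue(self):
        # 32 random bytes, URL-safe base64 without padding (~43 characters)
        challenge = secrets.token_urlsafe(32)
        self._issued[challenge] = self.clock() + self.ttl
        return challenge

    def consume(self, challenge):
        """Return True exactly once for a live challenge, False otherwise.

        pop() removes the entry, so a second presentation of the same value
        (a replay) fails even if it is still within its lifetime.
        """
        expiry = self._issued.pop(challenge, None)
        if expiry is None:
            return False
        return self.clock() <= expiry

    def purge_expired(self):
        """Housekeeping: drop stale entries; returns the number still live."""
        now = self.clock()
        self._issued = {c: e for c, e in self._issued.items() if e >= now}
        return len(self._issued)


def challenge_endpoint_response(store):
    """Body for 'POST /as/challenge', using the JSON member from the mail."""
    return {"attestation_challenge": store.issue()}


def successful_response_headers(store, base_headers=None):
    """Headers for a successful AS response: the proposal's optional header
    lets the client pick up its next challenge without an extra round trip."""
    headers = dict(base_headers or {})
    headers["OAuth-Client-Attestation-Challenge"] = store.issue()
    return headers


def verify_pop_challenge(store, presented):
    """Check the challenge the client echoed in its attestation PoP.
    Unknown, expired or already-used challenges are all rejected."""
    return store.consume(presented)


if __name__ == "__main__":
    store = ChallengeStore()
    body = challenge_endpoint_response(store)
    c = body["attestation_challenge"]
    print("first use accepted:", verify_pop_challenge(store, c))
    print("replay accepted:   ", verify_pop_challenge(store, c))
```

The single-use property comes from `dict.pop`: once a challenge has been consumed it is gone, so the replay check and the freshness check are the same operation. Keying the store per client (for example by the attestation's subject) would additionally stop one client from spending a challenge issued to another; that refinement is left out here to keep the example focused.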
