You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -253,7 +259,7 @@ The following example is the decoded header and payload of a JWT meeting the pro
253
259
}
254
260
~~~
255
261
256
-
# Client Attestation using a Header based syntax
262
+
# Client Attestation using a Header based syntax {#header-based}
257
263
258
264
The following section defines how a Client Attestation can be provided in an HTTP request using HTTP headers.
259
265
@@ -310,8 +316,8 @@ It is RECOMMENDED that the authorization server validate the Client Attestation
310
316
311
317
To validate an HTTP request which contains the client attestation headers, the receiving server MUST ensure the following with regard to a received HTTP request:
312
318
313
-
1. There is precisely one OAuth-Client-Attestation HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](client-attestation-jwt).
314
-
2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](client-attestation-pop-jwt).
319
+
1. There is precisely one OAuth-Client-Attestation HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-jwt).
320
+
2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt).
315
321
3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header.
316
322
317
323
## Client Attestation at the Token Endpoint {#token-endpoint}
To validate a client attestation using the concatenated serialization form, the receiving server MUST ensure the following:
422
428
423
-
1. Before the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](client-attestation-jwt).
424
-
2. After the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](client-attestation-pop-jwt).
429
+
1. Before the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-jwt).
430
+
2. After the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt).
425
431
3. The signature of the Client Attestation PoP JWT obtained after the '~' character verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained before the '~' character.
426
432
427
433
# Nonce Retrieval {#nonce-retrieval}
@@ -432,7 +438,7 @@ An Authorization Server compliant with this specification SHOULD signal via the
432
438
433
439
A Request to an endpoint supporting the server-provided nonce MUST include the `attestation-nonce-request` field name with the value `true` and use the HTTP method of type OPTIONS (without payload) to actively request a nonce. The server answers with an HTTP Response with status code 200 without body, but sets the header field `attestation-nonce` to the nonce.
434
440
435
-
The client MUST use this nonce in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).
441
+
The client MUST use this nonce in the OAuth-Attestation-PoP as defined in [](#client-attestation-pop-jwt).
436
442
437
443
The following is a non-normative example of a request:
438
444
@@ -450,6 +456,25 @@ Host: as.example.com
450
456
attestation-nonce: AYjcyMzY3ZDhiNmJkNTZ
451
457
~~~
452
458
459
+
# Verification and Processing
460
+
461
+
Upon receiving a Client Attestation, the receiving server MUST ensure the following:
462
+
463
+
1. If the Client Attestation was received via Header based Syntax (as described in [](#header-based)):
464
+
465
+
* The HTTP request contains exactly one field `OAuth-Client-Attestation` and one field `OAuth-Client-Attestation-PoP`.
466
+
* Both fields contain exactly one well-formed JWT.
467
+
468
+
2. The Client Attestation JWT contains all claims and header parameters as per [](#client-attestation-jwt).
469
+
3. The Client Attestation PoP JWT contains all claims and header parameters as per [](#client-attestation-pop-jwt).
470
+
4. The alg JOSE Header Parameter for both JWTs indicates a registered asymmetric digital signature algorithm {{IANA.JOSE.ALGS}}, is not none, is not MAC based, is supported by the application, and is acceptable per local policy.
471
+
5. The signature of the Client Attestation JWT verifies with the public key of a known and trusted Attester.
472
+
6. The key contained in the `cnf` claim of the Client Attestation JWT is not a private key.
473
+
7. The signature of the Client Attestation PoP JWT verifies with the public key contained in the `cnf` claim of the Client Attestation JWT.
474
+
8. If the server provided a challenge value to the client, the `challenge` claim is present in the Client Attestation PoP JWT and matches the server-provided challenge value.
475
+
9. The creation time of the Client Attestation PoP JWT as determined by either the `iat` claim or a server managed timestamp via the challenge claim, is within an acceptable window.
476
+
10. The audience claim in the Client Attestation PoP JWT is the issuer identifier URL of the authorization server as described in {{RFC8414}} .
477
+
453
478
# Implementation Considerations
454
479
455
480
## Reuse of a Client Attestation JWT
@@ -542,6 +567,7 @@ This section requests registration of the following scheme in the "Hypertext Tra
0 commit comments