
new proposal for challenge endpoint #112

Merged
paulbastian merged 20 commits into main from nonce_endpoint
Jul 7, 2025

Conversation

paulbastian (Collaborator) commented May 9, 2025

Closes #73
Closes #110
Closes #104
Closes #102
Closes #101
Closes #103
Closes #116
Closes #109

  • include some security considerations comparing freshness and replay prevention @paulbastian
  • discuss option to include some state parameter to the challenge request
  • IANA registry entry @tplooker
  • adapt header based syntax to Attestation-Challenge @paulbastian
  • clarify that the response using the HTTP header may also be an error @c2bo
  • introduce a use_attestation_challenge OAuth error @c2bo
  • introduce invalid_client_attestation @c2bo
  • consider namespacing headers etc @tplooker

Co-authored-by: Tobias Looker <tobias.looker@mattr.global>
Co-authored-by: Timo Glastra <timo@animo.id>
Co-authored-by: Paul Bastian <paul.bastian@posteo.de>
tplooker (Collaborator) commented Jun 4, 2025

FYI
f1fef28 updates the iana registration.
803ea07 namespaces the Attestation-Challenge HTTP header by suffixing it with OAuth-Client- making it consistent with the other HTTP headers we've defined in the spec.

tplooker (Collaborator) commented Jun 4, 2025

Have updated the list of issues this PR closes as I think it also addresses #103, with this sentence.

If the Authorization Server offers a challenge endpoint, the Client MUST retrieve a challenge and MUST use this challenge in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).

We could if we felt the need make this even clearer but I'm pretty comfortable with it, as it is.
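The requirement quoted above (client fetches a challenge and binds it into the attestation PoP) only prevents replay if the Authorization Server treats each challenge as fresh and single-use. The following is an added example, not code from the draft or this PR, sketching that server-side bookkeeping; the `challenge` claim name, the 300-second lifetime and the mapping of failures onto the `use_attestation_challenge` error are assumptions.

```python
import secrets
import time

# Assumed lifetime of an issued challenge; the discussion here does not fix one.
CHALLENGE_TTL_SECONDS = 300


class ChallengeStore:
    """AS-side record of challenges handed out by the challenge endpoint."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._issued = {}          # challenge -> expiry timestamp

    def issue(self):
        """Challenge endpoint response: an unguessable, time-limited challenge."""
        challenge = secrets.token_urlsafe(32)
        self._issued[challenge] = self._now() + CHALLENGE_TTL_SECONDS
        return challenge

    def consume(self, challenge):
        """Accept a challenge at most once and only while it is fresh.

        Returns (True, None) on success, else (False, oauth_error_code).
        """
        # Single use: the first presentation removes it, so a replayed PoP
        # carrying the same challenge is rejected even if it is still fresh.
        expiry = self._issued.pop(challenge, None)
        if expiry is None:
            return False, "use_attestation_challenge"   # unknown or already used
        if self._now() > expiry:
            return False, "use_attestation_challenge"   # stale: fetch a new one
        return True, None


def verify_pop_challenge(store, pop_claims):
    """Check the challenge bound into an already signature-verified PoP payload."""
    challenge = pop_claims.get("challenge")   # assumed claim name
    if not challenge:
        return False, "use_attestation_challenge"   # client skipped the endpoint
    return store.consume(challenge)
```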

tplooker (Collaborator) commented Jun 4, 2025

Also added #116 to the list of issues this PR closes.

tplooker (Collaborator) commented Jun 4, 2025

To discuss whether this also covers #109

@paulbastian paulbastian marked this pull request as ready for review June 9, 2025 21:55
c2bo (Member) left a comment

I think this is in a decent state now - at least good enough to get more feedback. Should we post this to the mailing list and ask for feedback?

paulbastian and others added 2 commits June 14, 2025 08:38
paulbastian (Collaborator, Author)

I think this is in a decent state now - at least good enough to get more feedback. Should we post this to the mailing list and ask for feedback?

I agree. Next steps afterwards should be making PoP exp optional/removed and the processing & verification to round it up. However, this is ready for the mailing list. Wdyt @tplooker

tplooker (Collaborator)

I agree. Next steps afterwards should be making PoP exp optional/removed and the processing & verification to round it up. However, this is ready for the mailing list. Wdyt @tplooker

I agree

@tplooker tplooker requested a review from TimoGlastra June 16, 2025 06:34
@paulbastian paulbastian changed the title from "initial draft for challenge endpoint" to "new proposal for challenge endpoint" Jun 17, 2025
paulbastian (Collaborator, Author)

@jricher would you be able to give this a review, as we've discussed this at EIC?

panva (Member) left a comment

Review as per @paulbastian's request. 🙏

Co-authored-by: Filip Skokan <panva.ip@gmail.com>
@tplooker tplooker mentioned this pull request Jul 6, 2025
@paulbastian paulbastian merged commit adf7c67 into main Jul 7, 2025
2 checks passed

5 participants