Update JWT contents for DBSC

Daniel Rubery · chromium-wpt-export-bot · commit 5ca066a68da1 · 2025-09-25T11:18:38.000-07:00
This CL splits the header and payload functions in session_binding_utils.h in order to allow for three different JWT schemas for DBSC: - OTFeedback disabled (both registration and refresh) - OTFeedback enabled, registration - OTFeedback enabled, refresh We can clean up the Legacy* functions when removing the OTFeedback flag. Fixed: 442623885 Change-Id: If6700157859aaa669d4fd7a7775687654b6d025a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6977530 Commit-Queue: Daniel Rubery <drubery@chromium.org> Reviewed-by: thefrog <thefrog@chromium.org> Cr-Commit-Position: refs/heads/main@{#1520715}
diff --git a/device-bound-session-credentials/jwt_helper.py b/device-bound-session-credentials/jwt_helper.py
@@ -22,7 +22,7 @@ def decode_jwt(token, key=None):
         # If there is a key passed in (for refresh), use that for checking the signature below.
         # Otherwise (for registration), use the key sent within the JWT to check the signature.
         if key == None:
-            key = decoded_payload.get('key')
+            key = decoded_header.get('jwk')
         public_key = serialization.load_pem_public_key(jwk_to_pem(key))
         # Verifying the signature will throw an exception if it fails.
         verify_rs256_signature(header, payload, signature, public_key)
diff --git a/device-bound-session-credentials/refresh_session.py b/device-bound-session-credentials/refresh_session.py
@@ -41,7 +41,4 @@ def main(request, response):
         if not verified or jwt_payload.get("jti") != challenge:
             return (400, response.headers, "")
 
-        if jwt_payload.get("sub") != session_id_header:
-            return (400, response.headers, "")
-
     return test_session_manager.get_session_instructions_response(session_id, request)
diff --git a/device-bound-session-credentials/start_session.py b/device-bound-session-credentials/start_session.py
@@ -11,7 +11,7 @@ def main(request, response):
 
     jwt_header, jwt_payload, verified = jwt_helper.decode_jwt(request.headers.get("Secure-Session-Response").decode('utf-8'))
     session_id = test_session_manager.create_new_session()
-    test_session_manager.set_session_key(session_id, jwt_payload.get('key'))
+    test_session_manager.set_session_key(session_id, jwt_header.get('jwk'))
 
     if not verified or jwt_payload.get("jti") != "login_challenge_value":
         return (400, response.headers, "")
