new proposal for challenge endpoint #112

Open
wants to merge 15 commits into base: main

paulbastian (Collaborator) commented May 9, 2025

Closes #110
Closes #104
Closes #102
Closes #101
Closes #103
Closes #116
Potentially Closes #109 ?

  • include some security consideration comparing freshness and replay prevention @paulbastian
  • discuss option to include some state parameter to the challenge request
  • IANA registry entry @tplooker
  • adapt header based syntax to Attestation-Challenge @paulbastian
  • clarify that the response using the HTTP header may also be an error @c2bo
  • introduce a use_attestation_challenge OAuth error @c2bo
  • introduce invalid_client_attestation @c2bo
  • consider namespacing headers etc @tplooker

Co-authored-by: Tobias Looker
Co-authored-by: Timo Glastra
tplooker (Collaborator) commented Jun 4, 2025

FYI
f1fef28 updates the IANA registration.
803ea07 namespaces the Attestation-Challenge HTTP header by suffixing it with OAuth-Client- making it consistent with the other HTTP headers we've defined in the spec.

tplooker (Collaborator) commented Jun 4, 2025

Have updated the list of issues this PR closes as I think it also addresses #103, with this sentence.

> If the Authorization Server offers a challenge endpoint, the Client MUST retrieve a challenge and MUST use this challenge in the OAuth-Attestation-PoP as defined in (#client-attestation-pop-jwt).

We could, if we felt the need, make this even clearer, but I'm pretty comfortable with it as it is.

tplooker (Collaborator) commented Jun 4, 2025

Also added #116 to the list of issues this PR closes.

tplooker (Collaborator) commented Jun 4, 2025

To discuss whether this also covers #109

paulbastian marked this pull request as ready for review June 9, 2025 21:55

c2bo (Member) left a comment

I think this is in a decent state now - at least good enough to get more feedback. Should we post this to the mailing list and ask for feedback?

paulbastian (Collaborator, Author) commented

> I think this is in a decent state now - at least good enough to get more feedback. Should we post this to the mailing list and ask for feedback?

I agree. Next steps afterwards should be making PoP exp optional/removed and the processing & verification to round it up. However, this is ready for the mailing list. Wdyt @tplooker?

tplooker (Collaborator) commented

> I agree. Next steps afterwards should be making PoP exp optional/removed and the processing & verification to round it up. However, this is ready for the mailing list. Wdyt @tplooker?

I agree

tplooker requested a review from TimoGlastra June 16, 2025 06:34
paulbastian changed the title from "initial draft for challenge endpoint" to "new proposal for challenge endpoint" Jun 17, 2025
4 participants