Merge pull request #148 from oauth-wg/118-http-headers-normative

paulbastian · web-flow · commit 29202345a926 · 2025-09-12T22:04:23.000+02:00
mandate header fields
diff --git a/draft-ietf-oauth-attestation-based-client-auth.md b/draft-ietf-oauth-attestation-based-client-auth.md
@@ -271,7 +271,7 @@ The following section defines how a Client Attestation can be provided in an HTT
 
 ## Client Attestation HTTP Headers {#headers}
 
-A Client Attestation JWT and Client Attestation PoP JWT can be included in an HTTP request using the following request header fields.
+When using headers to transfer the Client Attestation JWT and Client Attestation PoP JWT to an Authorization Server, they MUST be provided in an HTTP request using the following HTTP headers.
 
 OAuth-Client-Attestation:
 : A JWT that conforms to the structure and syntax as defined in [](#client-attestation-jwt)
@@ -642,6 +642,7 @@ This section requests registration of the following scheme in the "Hypertext Tra
 * clarify `use_attestation_challenge` and add `invalid_client_attestation`
 * clarify refresh token binding
 * check client_id at PAR endpoint
+* mandate the defined header fields if the attestation and pop are transferred via header fields
 
 -06
 
