Merged
Changes from 4 commits
26 changes: 24 additions & 2 deletions draft-ietf-oauth-attestation-based-client-auth.md
Expand Up @@ -525,6 +525,12 @@ Upon receiving a Client Attestation, the receiving server MUST ensure the follow

# Implementation Considerations

## Authorization Server Metadata

The Authorization Server SHOULD communicate support and requirement for authentication with Attestation-Based Client Authentication by using the value `attest_jwt_client_auth` in the `token_endpoint_auth_methods_supported` within its published metadata. The client SHOULD fetch and parse the Authorization Server metadata and recognize the requirement the requirement for client authentication using Attestation-Based Client Authentication if the given parameters are present.

The Authorization Server SHOULD communicate supported algorithms for client attestations by using `client_attestation_signing_alg_values_supported` and `client_attestation_pop_signing_alg_values_supported` within its published metadata. This enables the client to validate that its client attestation is understood by the Authorization Server prior to authentication. The client MAY try to get a new client attestation with different algorithms.

## Reuse of a Client Attestation JWT

Implementers should be aware that the design of this authentication mechanism deliberately allows for a Client Instance to re-use a single Client Attestation JWT in multiple interactions/requests with an Authorization Server, whilst producing a fresh Client Attestation PoP JWT. Client deployments should consider this when determining the validity period for issued Client Attestation JWTs as this ultimately controls how long a Client Instance can re-use a single Client Attestation JWT.
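Review bot: the new paragraph under "Authorization Server Metadata" repeats "the requirement the requirement" and should read "recognize the requirement for client authentication using Attestation-Based Client Authentication"; in the same sentence, "if the given parameters are present" is vague, since only one metadata value (`attest_jwt_client_auth` in `token_endpoint_auth_methods_supported`) has been named at that point, so say "if that value is present". In the second paragraph, "The client MAY try to get a new client attestation with different algorithms" should say where it gets one from (the Client Backend that issues Client Attestation JWTs), otherwise the reader cannot tell whether the Client Instance or the backend selects the algorithm.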
Expand Down Expand Up @@ -598,12 +604,26 @@ This specification requests registration of the following values in the IANA "OA
* Usage Location: token error response, resource access error response
* Protocol Extension: OAuth 2.0 Attestation-Based Client Authentication
* Change Controller: IETF
* Reference: this specification
* Reference: [](#checking-http-requests-with-client-attestations) of this specification

* Name: invalid_client_attestation
* Usage Location: token error response, resource access error response
* Protocol Extension: OAuth 2.0 Attestation-Based Client Authentication
* Change Controller: IETF
* Reference: [](#checking-http-requests-with-client-attestations) of this specification

## OAuth Authorization Server Metadata Registration

This specification requests registration of the following values in the IANA "OAuth Authorization Server Metadata" registry of {{IANA.OAuth.Params}} established by [RFC8414].

* Metadata Name: client_attestation_signing_alg_values_supported
* Metadata Description: JSON array containing a list of algorithms supported by the authorization server for client attestation signing
* Change Controller: IETF
* Reference: [](#checking-http-requests-with-client-attestations) of this specification

* Metadata Name: client_attestation_pop_signing_alg_values_supported
* Metadata Description: JSON array containing a list of algorithms supported by the authorization server for client attestation proof of possession signing
* Change Controller: IETF
* Reference: this specification

## Registration of attest_jwt_client_auth Token Endpoint Authentication Method
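Review bot: the "Reference" fields in the new metadata registrations are inconsistent and point to the wrong section: `client_attestation_signing_alg_values_supported` references `[](#checking-http-requests-with-client-attestations)` while `client_attestation_pop_signing_alg_values_supported` references only "this specification", yet both values are defined in the new "Authorization Server Metadata" implementation consideration, not in the request-checking section. Point both entries at the same anchor (the section that defines them) so the IANA registry reference resolves to the normative text. Also consider adding a registration for `attest_jwt_client_auth` in `token_endpoint_auth_methods_supported` here if that section does not already reference the metadata usage described in the implementation considerations.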
Expand All @@ -628,7 +648,7 @@ This section requests registration of the following scheme in the "Hypertext Tra
* Reference: [](#headers) of this specification

<br/>

* Field Name: OAuth-Client-Attestation-Challenge
* Status: permanent
* Reference: [](#challenge-retrieval) of this specification
Expand All @@ -640,6 +660,8 @@ This section requests registration of the following scheme in the "Hypertext Tra

* require `iat` in Client Attestation PoP JWT
* clarify `use_attestation_challenge` and add `invalid_client_attestation`
* add `client_attestation_signing_alg_values_supported` and `client_attestation_pop_signing_alg_values_supported` to IANA registration
* add implementation consideration for Authorization Server Metadata
* clarify refresh token binding
* check client_id at PAR endpoint
