You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -258,7 +264,7 @@ The following example is the decoded header and payload of a JWT meeting the pro
258
264
}
259
265
~~~
260
266
261
-
# Client Attestation using a Header based syntax
267
+
# Client Attestation using a Header based syntax {#header-based}
262
268
263
269
The following section defines how a Client Attestation can be provided in an HTTP request using HTTP headers.
264
270
@@ -315,8 +321,8 @@ It is RECOMMENDED that the authorization server validate the Client Attestation
315
321
316
322
To validate an HTTP request which contains the client attestation headers, the receiving server MUST ensure the following with regard to a received HTTP request:
317
323
318
-
1. There is precisely one OAuth-Client-Attestation HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in []{client-attestation-jwt}.
319
-
2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](client-attestation-pop-jwt).
324
+
1. There is precisely one OAuth-Client-Attestation HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-jwt).
325
+
2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt).
320
326
3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header.
321
327
322
328
An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is absent or not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used.
To validate a client attestation using the concatenated serialization form, the receiving server MUST ensure the following:
431
437
432
-
1. Before the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](client-attestation-jwt).
433
-
2. After the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](client-attestation-pop-jwt).
438
+
1. Before the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-jwt).
439
+
2. After the '~' character, there exists precisely a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt).
434
440
3. The signature of the Client Attestation PoP JWT obtained after the '~' character verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained before the '~' character.
Upon receiving a Client Attestation, the receiving server MUST ensure the following conditions and rules:
497
+
498
+
1. If the Client Attestation was received via Header based Syntax (as described in [](#header-based)):
499
+
500
+
* The HTTP request contains exactly one field `OAuth-Client-Attestation` and one field `OAuth-Client-Attestation-PoP`.
501
+
* Both fields contain exactly one well-formed JWT.
502
+
503
+
2. The Client Attestation JWT contains all claims and header parameters as per [](#client-attestation-jwt).
504
+
3. The Client Attestation PoP JWT contains all claims and header parameters as per [](#client-attestation-pop-jwt).
505
+
4. The alg JOSE Header Parameter for both JWTs indicates a registered asymmetric digital signature algorithm {{IANA.JOSE.ALGS}}, is not none, is not MAC based, is supported by the application, and is acceptable per local policy.
506
+
5. The signature of the Client Attestation JWT verifies with the public key of a known and trusted Attester.
507
+
6. The key contained in the `cnf` claim of the Client Attestation JWT is not a private key.
508
+
7. The signature of the Client Attestation PoP JWT verifies with the public key contained in the `cnf` claim of the Client Attestation JWT.
509
+
8. If the server provided a challenge value to the client, the `challenge` claim is present in the Client Attestation PoP JWT and matches the server-provided challenge value.
510
+
9. The creation time of the Client Attestation PoP JWT as determined by either the `iat` claim or a server managed timestamp via the challenge claim, is within an acceptable window.
511
+
10. The audience claim in the Client Attestation PoP JWT is the issuer identifier URL of the authorization server as described in {{RFC8414}}.
512
+
11. The Client Attestation JWT is fresh enough for the policies of the authorization server by checking the `iat` or `exp` claims.
513
+
12. Depending on the security requirements of the deployment, additional checks to guarantee replay protection for the Client Attestation PoP JWT might need to be applied (see [](#security-consideration-replay) for more details).
514
+
13. If a `client_id` is provided in the request containing the Client Attestation, then this `client_id` matches the `sub` claim of the Client Attestation JWT and the `iss` claim of the Client Attestation PoP JWT.
488
515
489
516
# Implementation Considerations
490
517
@@ -609,6 +636,7 @@ This section requests registration of the following scheme in the "Hypertext Tra
609
636
* rewrite security consideration on replay attacks
610
637
* add implementation consideration on replay attacks
0 commit comments