[OAUTH-WG] new proposal on challenge endpoint for attestation-based client authentication

Paul Bastian <paul.bastian@posteo.de> Tue, 17 June 2025 15:56 UTC

Dear OAuth WG,

After discussions about the nonce fetching mechanism on 
attestation-based client authentication at OSW 2025/IETF 122 and on the 
mailing list and GitHub afterwards, we have drafted a new mechanism that 
hopefully pleases everybody on this difficult topic. Our proposal is, as 
usual, on GitHub under PR#112 
(https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/112). 
I will summarize the most important points:

- renaming nonce to challenge
- include optional challenge endpoint
  - AS may publish challenge endpoint through its metadata
- additional mechanism using newly defined HTTP header 
OAuth-Client-Attestation-Challenge, which may be used to provide a 
challenge on previous successful responses
- extended security considerations on freshness and replay attack 
prevention, listing all possible mechanisms and how the challenge 
endpoint fits in
- implementation considerations on replay attack prevention

Example:

POST /as/challenge HTTP/1.1
Host: as.example.com
Accept: application/json

HTTP/1.1 200 OK
Host: as.example.com
Content-Type: application/json

{
   "attestation_challenge": "AYjcyMzY3ZDhiNmJkNTZ"
}

We appreciate your feedback!

Best regards,
Paul + Christian + Tobias
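As an added illustration (not code from the draft, the PR or its authors) of how an AS might serve the proposed challenge endpoint and return a follow-up challenge in the OAuth-Client-Attestation-Challenge header while rejecting replayed or expired challenges: the class and function names, the 5-minute TTL, the "invalid_client" error body and the injectable clock are assumptions, and the draft's own error code is not shown on this page.

```python
# Added example, not code from the draft or PR#112: AS-side handling of the
# proposed challenge endpoint and OAuth-Client-Attestation-Challenge header.
import secrets
import time

class ChallengeStore:
    """Single-use, time-limited challenges (names and 5-minute TTL are assumed)."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be tested
        self._issued = {}       # challenge -> expiry (epoch seconds)

    def issue(self):
        challenge = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self._issued[challenge] = self.now() + self.ttl
        return challenge

    def consume(self, challenge):
        """True only for a known, unexpired challenge; a replay returns False."""
        expiry = self._issued.pop(challenge, None)  # pop => single use
        return expiry is not None and self.now() <= expiry

    def purge_expired(self):
        """Housekeeping: drop challenges that were fetched but never used."""
        t = self.now()
        self._issued = {c: e for c, e in self._issued.items() if e >= t}


def handle_challenge_request(store):
    """POST /as/challenge: returns (status, headers, body) as in the example."""
    return 200, {"Content-Type": "application/json"}, {
        "attestation_challenge": store.issue()}


def handle_attested_request(store, presented_challenge):
    """Any AS endpoint that received a client attestation PoP bound to a challenge.
    `presented_challenge` comes from the already-verified PoP; only freshness and
    single use are checked here. A success response carries a fresh challenge in
    OAuth-Client-Attestation-Challenge, saving the client another round trip.
    """
    if not store.consume(presented_challenge):
        # Unknown, expired or replayed. "invalid_client" is the generic
        # RFC 6749 error; the draft's own error code is not on this page.
        return 400, {"Content-Type": "application/json"}, {
            "error": "invalid_client",
            "error_description": "attestation challenge expired or reused"}
    return 200, {"OAuth-Client-Attestation-Challenge": store.issue()}, {"status": "ok"}
```

The store is in-process; a clustered AS would back it with a shared store or a derived (signed, time-stamped) challenge so that every node can check single use.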