[OAUTH-WG] Re: Question: Improving DPoP Nonce Provisioning Without ERROR Responses
Takahiko Kawasaki <taka@authlete.com> Wed, 14 January 2026 09:32 UTC
Return-Path: <taka@authlete.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4CD76A77898A for <oauth@mail2.ietf.org>; Wed, 14 Jan 2026 01:32:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3ypmeRr-Yjb for <oauth@mail2.ietf.org>; Wed, 14 Jan 2026 01:32:24 -0800 (PST)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 59505A778983 for <oauth@ietf.org>; Wed, 14 Jan 2026 01:32:24 -0800 (PST)
Received: by mail-qt1-x82c.google.com with SMTP id d75a77b69052e-50148a1cc40so1000651cf.2 for <oauth@ietf.org>; Wed, 14 Jan 2026 01:32:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1768383138; cv=none; d=google.com; s=arc-20240605; b=cLgaC1BS+EJKjoByhQKdCd52uzekws5oEXwg594+oiZGu3dcmReeX6MzpSqbr6CyIu rOizmQy0ZASqR5MBAUDha1g1BmqlfKte41ZkLr5ourTmOWbHa9KsOsULF5SbLS657+Pb 6/cv3jrvB01ObD60XEmeKLRTcP8zDrB8ih5guHVxsvzYsggclGeQ0fPZzvpKY//dnhUO AW3aQOuqtZYgcVSL7Y1j6y3kJOD8X3FF4RcSP4+OcPXI7t/BG72aKQBNDFjbdyzME7Bp pc17bFUIVNKL7x+bLo/fqE9/zmzLDMv2RaCvObNA1HtKLdgLgbhfCWAn9QlmKaat/olS STzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=N5wkmddGS9j2B3T1fEvYytS22ByIPxAj6Pr+PY0/qqo=; fh=VNhZtrM4v+fDqLodpwzhtKlqSZ58qDmmwBgAMLkChdE=; b=Wq+yQVmTd8zGEJ9dxTBIsyJelz1TrmIqrNPsBJ6d34zJ9F0/iAn69YpT7HPaKw0xgb /XV6ABkEfG6o29Zhv5IMc8Md+386RRuQk5IU8QTDftcXgH/Qm1SdhQ8XYiSV5aVmfU1E YwyjGR3r2d5xw4Ktt0d1YJP4pHmYlK8TAZNJRqcH9oUvima+/5hck4fbBxC94Y/hj8Q5 VKdrvOBJvzsLu6+tpTElDksylZ9mEgGEy0dXIWOSnAJzN07wo+p775BAmy8d6+pGXXqY 1lcmv0MQVNjrt6k63zD8nI7bGenujV1xz7ANQmHNNG7oke1SzJtF3rmDuhbEvHJTUcYo ZNzw==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20230601.gappssmtp.com; s=20230601; t=1768383138; x=1768987938; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=N5wkmddGS9j2B3T1fEvYytS22ByIPxAj6Pr+PY0/qqo=; b=msLj7sOcJICKUH+pN2spDxuTCoBfXfiV4poU10OXpVJsgYw6XQJYzzEZpHnl793p/x zUmYjbK1Rg89kAJUawggm9IcylifBSd0AU+akVia/u414e5mqStL2hMLAjYP+no2gH9x 7pAuDQ3gEWi+mJZfvUZPaVSOhlBxpG6XA+/rqvSYnuKanXlQoDO+uL4P8TcY59BgDo4d jGVLWuylAImhnbE9dy2EgtKZkKR9BTyHSWHceTchpC7Eo2E3+PVRykzqT1gjYEyWMS7o lA9Dftrv53MEAeZEwuvHfVC6bIqXeR/aTTGcVshbnk2a6OOdlWrL51U4Eoy5osyULgkY gltA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768383138; x=1768987938; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=N5wkmddGS9j2B3T1fEvYytS22ByIPxAj6Pr+PY0/qqo=; b=ltV1gUlntLciuDDcqpyrvqlIEbQYigaAKZhz2hh7je8dtgUPOYSanzV9Yh5xqbnPpo NImJ3H4Z8tz1Gxz4wInchQMsJawW2aN7PsV5pGu2XF2i2kKadsWmWCuM5jXGfDIODz/o XnR4KCYyb5VpzsxgTrJ8xssoNhcYECYw9zUkdzUXeFTrppcbCD8YOwx6luAn4z/tkhtq yZxkN/jOzhwN/wTszzIgYTJ38DfeTZ3/LsgUNJCnA3R7BXblSoP8mQnrvZar9SWmbMLV RHOAv+NClO+hrP+c+bDgZ6Qkoagh9nFIEWa6T9ML+Xg2DnTf6yA88+3wc4KFYwMgVY26 xJ6A==
X-Gm-Message-State: AOJu0YxD9VZ6SzFr40w4FkSWgABA3q4fOvg6VVJmP3e9WDtsWvxbGB7w 56isU2kCwAYjwYrenkrD/4pDxT7bAFUbr7GrhYeriNxVpo+VSeC4/iw4Be4XUWTF36PIISpIEx/ LVLQPAn4NDhFQJTGqWqDlBu/SVQFFn1LwuLexrcujdw==
X-Gm-Gg: AY/fxX6Ti9+pC5jitcqyW8FsMgHih5q68ppNPQ9iWOWqN+nar3BPX38oS6MDTvXsCLN NhgukLY5b/xgru5pcxkLVU6Auf7aBQuKY0NVrvMhGJtRZhindBCZoO4OsNT5UR4vFLqoTq+UPoY NF0fxaer9KNgSNVvcg1eIBGuLhI8sDW/XmaOsTt/LGH9KWUs3kJoGSbCto+XTKCTpdB+UxNE/9l ca6L5EGYLiMfTuEOeRpgIu+yIuvjwaUE1c39jlUON2WjtRBuHVxtttZlICtUCt3CVQHtqOpGhpe 3HYEWc42L546Ir42UMc+WmEiyOSD4rRPNSc=
X-Received: by 2002:ac8:5a95:0:b0:4ee:1a3:2e79 with SMTP id d75a77b69052e-501484c9737mr17597111cf.8.1768383138419; Wed, 14 Jan 2026 01:32:18 -0800 (PST)
MIME-Version: 1.0
References: <CAKFeuN_mEa6VjeeUPLK9vqnQdHkAAQx-4t4F0RnUzCmytEK58w@mail.gmail.com>
In-Reply-To: <CAKFeuN_mEa6VjeeUPLK9vqnQdHkAAQx-4t4F0RnUzCmytEK58w@mail.gmail.com>
From: Takahiko Kawasaki <taka@authlete.com>
Date: Wed, 14 Jan 2026 18:32:05 +0900
X-Gm-Features: AZwV_Qjr7tKaIAF_XJ28yu6OTqM410KMI9EUtO2uHVSpSFb_BYvPi--nWE-W0No
Message-ID: <CAHdPCmPhmKr-HCd7czTXEQ1c3GnmfA0j+=kO1dY3ok=tkSE=7w@mail.gmail.com>
To: vj <vijayakumar.b97@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000cae706064855c858"
Message-ID-Hash: IQGI345BJ35F4YYXN6SNIO5EZJQ5DLWI
X-Message-ID-Hash: IQGI345BJ35F4YYXN6SNIO5EZJQ5DLWI
X-MailFrom: taka@authlete.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Question: Improving DPoP Nonce Provisioning Without ERROR Responses
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ux5Gyf8S-om8B318eYYPCmf7J8Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Vijay, UI/UX confusion can be avoided if the client handles errors caused by nonce expiration internally and retries the request without reporting the error to the UI/UX layer. It has already been confirmed that clients can be implemented in a way that allows DPoP nonce updates to be performed seamlessly, without disturbing other layers. Introducing a dedicated endpoint specifically for issuing DPoP nonces would likely require lengthy discussions, similar to those that occurred when a nonce endpoint was introduced in the OpenID for Verifiable Credential Issuance specification, and would require changes not only to client-side implementations but also to server-side implementations. Given that the DPoP specification has already been finalized as an RFC and its implementability has been demonstrated, it is unlikely that the community would be receptive to revisiting and modifying it. I've written a brief blog post that includes pseudocode illustrating request retry logic in the case of DPoP nonce expiration. Please take a look if you're interested. DPoP Nonce https://darutk.medium.com/dpop-nonce-9787b9d276d1 Best Regards, Taka at Authlete On Mon, Jan 12, 2026 at 10:32 PM vj <vijayakumar.b97@gmail.com> wrote: > Hello OAuth Working Group, > > I’m currently implementing DPoP (RFC 9449) and have encountered a > practical UX challenge related to the way DPoP nonces are issued by > authorization servers. > > Per the current standard, when a client sends a DPoP request that requires > a nonce, the authorization server responds with a 400 Bad Request (or 401 > Unauthorized from a resource server) including a DPoP-Nonce header and a > use_dpop_nonce error code. The client is then expected to retry the > request with the supplied nonce in the DPoP proof’s nonce claim. IETF > <https://www.ietf.org/rfc/rfc9449.html?utm_source=chatgpt.com> > > In many implementations today, this leads to visible error responses in > client logs or user interfaces before the retry occurs. This behavior — > although correct per the spec — sometimes confuses customers or developers > because an error response is served before the nonce exchange completes. > > *Questions / Suggestions:* > > 1. > > *Is there any recommended best practice for provisioning a nonce > outside of a 400/401 error response?* > For example, could a dedicated endpoint be defined for clients to > fetch the current nonce from the authorization server prior to a token or > resource request? > 2. > > While the spec allows nonces to be supplied in a 200 OK response > header instead of via challenge responses, that behavior is optional. If > used consistently, it could avoid initial error responses entirely. Are > there guidelines or recommendations on when servers should prefer this 200 > OK mechanism? IETF > <https://www.ietf.org/rfc/rfc9449.html?utm_source=chatgpt.com> > 3. > > If introducing an endpoint solely to serve a current nonce is *not* > advisable for security or protocol correctness reasons, could the group > clarify the intended UX pattern for nonces in high-frequency or browser > environments? > > We’d appreciate any clarification or guidance the working group can > provide. > -- > Thanks & Regards, > Vijay > Programmer | Cyber Security > Email: vijayakumar.b97@gmail.com > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org > -- *Takahiko Kawasaki* Co-Founder taka@authlete.com [image: Authlete] authlete.com <https://www.authlete.com/> |Linkedin <https://www.linkedin.com/company/authlete/>