Yes, it potentially could. But I think we *really* want to avoid adding a challenge/response round trip to every call. So it wouldn't be a nonce exactly and there'd need to some guidance or something on what it is and how long it could be used. And that could introduce new server side state. Also the challenge doesn't exist for the token endpoint.
On Tue, May 5, 2020 at 1:15 PM Nikos Fotiou <fot...@aueb.gr> wrote: > Hi all, > > There was some discussion about adding “server contribution” in the DPoP > proof. I was wondering if the “challenge” server response described in > section 6 can include such a contribution (e.g., a server generated nonce). > > > > Best, > > Nikos > > > > *From:* OAuth <oauth-boun...@ietf.org> *On Behalf Of *Brian Campbell > *Sent:* Friday, May 1, 2020 10:03 PM > *To:* oauth <oauth@ietf.org> > *Subject:* [OAUTH-WG] Fwd: New Version Notification for > draft-ietf-oauth-dpop-01.txt > > > > I've pushed out a -01 revision of DPoP hopefully allowing folks enough > time to read it before the interim meeting on Monday (apologies that it > wasn't sooner but the edits took longer than expected or hoped). For ease > of reference the changes in this revision are summarized below. There are, > of course, still outstanding issues and discussion points that I hope to > make some progress on during the interim meeting on Monday. > > > > -01 > > > * Editorial updates > * Attempt to more formally define the DPoP Authorization header > scheme > * Define the 401/WWW-Authenticate challenge > * Added "invalid_dpop_proof" error code for DPoP errors in token > request > * Fixed up and added to the IANA section > * Added "dpop_signing_alg_values_supported" authorization server > metadata > * Moved the Acknowledgements into an Appendix and added a bunch of > names (best effort) > > > > ---------- Forwarded message --------- > From: <internet-dra...@ietf..org <internet-dra...@ietf.org>> > Date: Fri, May 1, 2020 at 12:24 PM > Subject: New Version Notification for draft-ietf-oauth-dpop-01.txt > To: Torsten Lodderstedt <tors...@lodderstedt.net>, David Waite < > da...@alkaline-solutions.com>, John Bradley <ve7...@ve7jtb.com>, Brian > Campbell <bcampb...@pingidentity.com>, Daniel Fett <m...@danielfett.de>, > Michael Jones <m...@microsoft.com> > > > > > A new version of I-D, draft-ietf-oauth-dpop-01.txt > has been successfully submitted by Brian Campbell and posted to the > IETF repository. > > Name: draft-ietf-oauth-dpop > Revision: 01 > Title: OAuth 2.0 Demonstration of Proof-of-Possession at the > Application Layer (DPoP) > Document date: 2020-05-01 > Group: oauth > Pages: 22 > URL: > https://www.ietf.org/internet-drafts/draft-ietf-oauth-dpop-01.txt > Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > Htmlized: https://tools.ietf.org/html/draft-ietf-oauth-dpop-01 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop > Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-01 > > Abstract: > This document describes a mechanism for sender-constraining OAuth 2.0 > tokens via a proof-of-possession mechanism on the application level. > This mechanism allows for the detection of replay attacks with access > and refresh tokens. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited... > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
