add note(s) about exposing/allowing headers w/ CORS about draft-dpop HOT 4 CLOSED

Thank you @panva! I'll incorporate your suggestions (probably tweaked somewhat) into the draft source.

from draft-dpop.

Disclaimer: I am not a CORS expert. I am unfamiliar with various server framework defaults when it comes to CORS setup so this may not be applicable to every reader/developer. I suggest we add notes to sections 8 and 9 to give implementers a hint that additional scaffolding may be required to support browser based client applications.

I would highly suggest this be reviewed by a subject matter expert first.

In Section 8 Authorization Server-Provided Nonce, given the use_dpop_nonce error is part of the response body.

Note that browser-based client application using CORS¹ only have access to CORS-safelisted response HTTP headers by default, in order for the application to obtain the DPoP-Nonce HTTP header value, authorization server CORS configuration may need to be adjusted, e.g. by using the Access-Control-Expose-Headers² response HTTP header to expose the DPoP-Nonce HTTP Header to the application.

In Section 9 Resource Server-Provided Nonce, given the use_dpop_nonce error is in the WWW-Authenticate HTTP header.

Note that browser-based client application using CORS¹ only have access to CORS-safelisted response HTTP headers by default, in order for the application to detect that nonce use is being requested and to obtain the DPoP-Nonce HTTP header value, resource server CORS configuration may need to be adjusted, e.g. by using the Access-Control-Expose-Headers² response HTTP header to expose the WWW-Authenticate and DPoP-Nonce HTTP Headers to the application.

from draft-dpop.

I don't love it but #154 has my attempt at this. It uses somewhat reworded parts of @panva 's suggested text. And I decided to put a note about WWW-Authenticate in Sec 7.1. The DPoP Authentication Scheme rather than repeating the nonce stuff in Section 9. That seems to better follow the existing structure/flow of the document. For better or worse. But Section 9 points back to Section 8 so kinda inherits it's stuff. While the Access-Control-Expose-Headers are relevant to CORS clients in Section 7.1 regardless of nonce usage.

from draft-dpop.

merged #154

from draft-dpop.