Comments (4)
Thank you @panva! I'll incorporate your suggestions (probably tweaked somewhat) into the draft source.
from draft-dpop.
Disclaimer: I am not a CORS expert. I am unfamiliar with various server framework defaults when it comes to CORS setup, so this may not be applicable to every reader/developer. I suggest we add notes to sections 8 and 9 to give implementers a hint that additional scaffolding may be required to support browser-based client applications.
I would highly suggest this be reviewed by a subject matter expert first.
In Section 8, Authorization Server-Provided Nonce, given that the use_dpop_nonce error is part of the response body:

Note that browser-based client applications using CORS [1] only have access to CORS-safelisted response HTTP headers by default. In order for the application to obtain the DPoP-Nonce HTTP header value, the authorization server's CORS configuration may need to be adjusted, e.g. by using the Access-Control-Expose-Headers [2] response HTTP header to expose the DPoP-Nonce HTTP header to the application.
In Section 9, Resource Server-Provided Nonce, given that the use_dpop_nonce error is in the WWW-Authenticate HTTP header:

Note that browser-based client applications using CORS [1] only have access to CORS-safelisted response HTTP headers by default. In order for the application to detect that nonce use is being requested and to obtain the DPoP-Nonce HTTP header value, the resource server's CORS configuration may need to be adjusted, e.g. by using the Access-Control-Expose-Headers [2] response HTTP header to expose the WWW-Authenticate and DPoP-Nonce HTTP headers to the application.
Footnotes
from draft-dpop.
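What the two suggested notes above amount to in practice, as an added example that is not code from the draft-dpop repository or from anyone in this thread: a JavaScript model of the browser's CORS response-header filtering, a parser for the DPoP WWW-Authenticate challenge, the client-side check for a use_dpop_nonce challenge in either the body (authorization server case) or the header (resource server case), and the server-side CORS header set that makes the challenge readable. The origin allowlist, the sample responses and the nonce value are constructed assumptions, not values from the draft.

```javascript
// Added example, not code from the draft-dpop repository or this thread.
// It shows what a browser-based DPoP client can actually read from a nonce
// challenge under CORS, and the server-side CORS headers that make the
// challenge visible. Header/nonce/origin values are constructed samples.

// Response headers a browser exposes to cross-origin script without any
// Access-Control-Expose-Headers (the Fetch standard's safelist).
const CORS_SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// Model the browser's filtering: given the raw response headers and the value
// of Access-Control-Expose-Headers (null if absent), return the headers that
// script can read, keyed by lowercase name. A "*" wildcard is deliberately
// not honored here because browsers ignore it when credentials are included.
function visibleHeaders(rawHeaders, exposeHeaders) {
  const exposed = new Set(
    (exposeHeaders || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean),
  );
  const out = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    const key = name.toLowerCase();
    if (CORS_SAFELISTED.has(key) || exposed.has(key)) out[key] = value;
  }
  return out;
}

// Parse a single WWW-Authenticate challenge such as
//   DPoP error="use_dpop_nonce", error_description="..."
// into { scheme, params }. Quoted-string escapes are unwrapped.
function parseWwwAuthenticate(value) {
  const m = /^\s*([A-Za-z0-9._~+\/-]+)\s*(.*)$/.exec(value || '');
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
  }
  return { scheme: m[1], params };
}

// Interpret a response the way the browser client sees it. `visible` is the
// post-CORS header view; `body` is the parsed JSON body (null for no body).
// Section 8 (AS): the error arrives in the body. Section 9 (RS): the error
// arrives in WWW-Authenticate. In both, the nonce is only in DPoP-Nonce.
function detectNonceChallenge(visible, body) {
  let challenged = false;
  let source = null;
  const parsed = parseWwwAuthenticate(visible['www-authenticate']);
  if (parsed && parsed.scheme.toLowerCase() === 'dpop' && parsed.params.error === 'use_dpop_nonce') {
    challenged = true;
    source = 'www-authenticate';
  } else if (body && body.error === 'use_dpop_nonce') {
    challenged = true;
    source = 'body';
  }
  const nonce = visible['dpop-nonce'] || null;
  // challenged === true with usable === false is the CORS misconfiguration case:
  // the client knows a nonce is required but cannot read it, so retrying is pointless.
  return { challenged, source, nonce, usable: challenged && nonce !== null };
}

// Server side (AS or RS): CORS headers to add to every response to a browser
// client whose Origin is on the (assumed) allowlist. Expose-Headers names both
// headers explicitly so the client can read the challenge and the nonce.
function corsHeadersForDpop(origin, allowedOrigins) {
  if (!allowedOrigins.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Expose-Headers': 'WWW-Authenticate, DPoP-Nonce',
  };
}

// Constructed sample responses; the nonce value is a placeholder.
const NONCE = 'eyJ7S_zG.eyJH0-Z.HX4w-7v';
const rsRaw = {
  'Content-Type': 'application/json',
  'WWW-Authenticate': 'DPoP error="use_dpop_nonce", error_description="Resource server requires nonce in DPoP proof"',
  'DPoP-Nonce': NONCE,
};
const asRaw = { 'Content-Type': 'application/json', 'DPoP-Nonce': NONCE };
const asBody = { error: 'use_dpop_nonce', error_description: 'Authorization server requires nonce in DPoP proof' };

function demo() {
  const expose = corsHeadersForDpop('https://app.example', ['https://app.example'])['Access-Control-Expose-Headers'];
  return {
    rsNoExpose: detectNonceChallenge(visibleHeaders(rsRaw, null), null),    // reads as a bare 401
    rsExposed:  detectNonceChallenge(visibleHeaders(rsRaw, expose), null),  // challenge and nonce readable
    asNoExpose: detectNonceChallenge(visibleHeaders(asRaw, null), asBody),  // error seen, nonce missing
    asExposed:  detectNonceChallenge(visibleHeaders(asRaw, expose), asBody),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The demo makes the asymmetry in the two notes concrete: against the authorization server the script still sees the use_dpop_nonce error (it is in the JSON body, which CORS does not filter) but gets no nonce, while against the resource server it sees nothing but a 401 because WWW-Authenticate itself is hidden. One further piece of scaffolding that the example does not cover: the DPoP and Authorization request headers are not CORS-safelisted, so browsers send a preflight OPTIONS request first, and the server's preflight response needs Access-Control-Allow-Headers (and Access-Control-Allow-Methods) covering them before the real request is even attempted.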
I don't love it, but #154 has my attempt at this. It uses somewhat reworded parts of @panva's suggested text. And I decided to put a note about WWW-Authenticate in Sec 7.1 (The DPoP Authentication Scheme) rather than repeating the nonce stuff in Section 9. That seems to better follow the existing structure/flow of the document. For better or worse. But Section 9 points back to Section 8, so it kinda inherits its stuff. While the Access-Control-Expose-Headers are relevant to CORS clients in Section 7.1 regardless of nonce usage.
from draft-dpop.
merged #154
from draft-dpop.