MicrosoftEdge / MSEdgeExplainers

Home for explainer documents originated by the Microsoft Edge team
Creative Commons Attribution 4.0 International

Address gaps in BPoP protocol and feedback #667

Open sameerag opened 1 year ago

sameerag commented 1 year ago

Added support for the below:

  1. Edited the Explainer to add:

    • refresh-in support for background nonce renewal
    • expires-in support to reduce key verification frequency
    • Added adaptation considerations and key management considerations
  2. Added a new document (similar content but format more friendly for a W3 explainer)

  3. Pending:

    • Sequence diagrams

alextok commented 11 months ago

A server may also return a new BPoP nonce on any 200 response.

Why only 200? Why can't it be any response? We get the first nonce via 401.

Refers to: BindingContext/explainer.md:173 in bec12c8.

sameerag commented 11 months ago

A server may also return a new BPoP nonce on any 200 response.

Why only 200? Why can't it be any response? We get the first nonce via 401.

Refers to: BindingContext/explainer.md:173 in bec12c8.

I think it is in reference to piggybacking on regular OAuth flows, that BPoP-Nonce can be attached to any successful OAuth response, and not specifically requested. @will-bartlett can clarify more.