WICG / dbsc


In startsession we deliver authorization artifact in two different ways #19

Open alextok opened 3 months ago

alextok commented 3 months ago

In startsession we deliver the authorization artifact in two different ways: as an Authorization header and as part of the JWT body.

https://github.com/WICG/dbsc?tab=readme-ov-file#start-session

I think we need to have one way of doing this. I prefer the JWT body, as it is cryptographically bound to the keys.

mattjm commented 3 months ago

The case for keeping it in the header is if there is a use case in which the user agent would need a valid access token to access the /securesession/startsession endpoint. Is that a possibility? The proposed standard just mentions allowing "...the server to link registration with some preceding sign in flow." If that's the whole story then I agree we don't need it in the header.

kmonsen commented 3 months ago

I removed it from the header here: https://github.com/WICG/dbsc/commit/cffa9fbc0515382a45880c6fb140c1612cf3073f

Keeping this issue open in case there is a case for keeping it in the header like @mattjm mentions. I think it would be best for the server to expect it in the JWT as it is signed by the key.