Closed (babisRoutis, closed 1 month ago)
Attestation-based client authentication states that:

> Implementers should be aware that the design of this authentication mechanism deliberately allows for a Client Instance to re-use a single Client Attestation JWT in multiple interactions/requests with an Authorization Server, **whilst producing a fresh Client Attestation PoP JWT**. Client deployments should consider this when determining the validity period for issued Client Attestation JWTs as this ultimately controls how long a Client Instance can re-use a single Client Attestation JWT.
To my understanding, the highlighted phrase means that the library should produce a new PoP JWT with each interaction. For instance, in a typical HAIP scenario:

- `access_token`

Those two interactions will use different PoP JWTs, yet bound to the same client attestation JWT.
PR aims (hopefully) to support attestation-based client (wallet) authentication.
- `Client` having two members `Public` and `Attested`. `Client` would express the OAUTH2 client and in particular the way that it can be authenticated to token and/or PAR endpoint.
- `Client.Attested` already has a `ClientAttestationJWT`. How this is provisioned is outside the scope of the PR.
- `TokenEndPointClient` to create a `ClientAttestation` by producing the POP JWT.
- `clientId` with `client` in `OpenId4VCIConfig`.
Closes #304
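The flow the PR description is about, as an added worked example that is not the project's code and not part of this PR: one attester-issued Client Attestation JWT is reused across the PAR and token interactions, a fresh Client Attestation PoP JWT is minted for each, and the AS side verifies the pair and refuses a replayed PoP. It is Go with only the standard library, uses EdDSA (Ed25519) instead of the ES256 a HAIP deployment would use, and the claim layout (`sub` = client_id, `cnf.jwk` on the attestation; `iss`, `aud`, `jti`, `exp` on the PoP) and the `typ` values follow the attestation-based client authentication draft as I read it, so treat them as assumptions. `https://attester.example`, `https://as.example` and `wallet-client` are made-up identifiers, and how the two JWTs are transported to the endpoint is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwsHeader is the only header either side produces or accepts: alg pinned to EdDSA, typ pinned to the token's role.
func jwsHeader(typ string) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": typ}) // map keys are sorted, so this is canonical
	return b64.EncodeToString(h)
}
// signJWT builds a compact EdDSA JWS (header.claims.signature) with the given Ed25519 key.
func signJWT(key ed25519.PrivateKey, typ string, claims map[string]any) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := jwsHeader(typ) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(key, []byte(input))), nil
}

// verifyJWT requires the exact pinned header (no alg confusion, and an attestation cannot be passed off as a PoP) and a valid signature.
func verifyJWT(pub ed25519.PublicKey, typ, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(pub) != ed25519.PublicKeySize || len(parts) != 3 || parts[0] != jwsHeader(typ) {
		return nil, errors.New("malformed JWT or unexpected alg/typ")
	}
	bodyJSON, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	err := json.Unmarshal(bodyJSON, &claims)
	return claims, err
}

// IssueClientAttestation models the attester (out of the PR's scope): one JWT per validity period binding client_id (sub) to the instance key (cnf.jwk); its exp bounds reuse.
func IssueClientAttestation(attester ed25519.PrivateKey, clientID string, instancePub ed25519.PublicKey, ttl time.Duration) (string, error) {
	return signJWT(attester, "oauth-client-attestation+jwt", map[string]any{
		"iss": "https://attester.example", "sub": clientID, "iat": time.Now().Unix(), "exp": time.Now().Add(ttl).Unix(),
		"cnf": map[string]any{"jwk": map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(instancePub)}},
	})
}

// NewClientAttestationPoP is the per-request step: short-lived, fresh random jti, aud = the AS, signed with the key in cnf.jwk (once for PAR, again for the token request).
func NewClientAttestationPoP(instance ed25519.PrivateKey, clientID, asIssuer string) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	return signJWT(instance, "oauth-client-attestation-pop+jwt", map[string]any{
		"iss": clientID, "aud": asIssuer, "jti": b64.EncodeToString(jti),
		"iat": time.Now().Unix(), "exp": time.Now().Add(2 * time.Minute).Unix(),
	})
}

// Authenticate (AS side, one request): verify the attestation with the trusted attester key, verify the PoP with the cnf.jwk key, reject a replayed jti. seen must be non-nil.
func Authenticate(attesterPub ed25519.PublicKey, asIssuer string, seen map[string]bool, attestation, pop string) (string, error) {
	att, err := verifyJWT(attesterPub, "oauth-client-attestation+jwt", attestation)
	if err != nil { return "", fmt.Errorf("attestation: %w", err) }
	now := float64(time.Now().Unix())
	if exp, _ := att["exp"].(float64); exp < now {
		return "", errors.New("attestation expired: the instance must obtain a new one")
	}
	cnf, _ := att["cnf"].(map[string]any)
	k, _ := cnf["jwk"].(map[string]any)
	xs, _ := k["x"].(string)
	instancePub, err := b64.DecodeString(xs)
	if k["kty"] != "OKP" || k["crv"] != "Ed25519" || err != nil || len(instancePub) != ed25519.PublicKeySize {
		return "", errors.New("unsupported cnf.jwk")
	}
	p, err := verifyJWT(ed25519.PublicKey(instancePub), "oauth-client-attestation-pop+jwt", pop)
	if err != nil { return "", fmt.Errorf("pop: %w", err) }
	clientID, _ := att["sub"].(string)
	jti, _ := p["jti"].(string)
	if popExp, _ := p["exp"].(float64); p["iss"] != clientID || p["aud"] != asIssuer || popExp < now || jti == "" || seen[jti] {
		return "", errors.New("pop rejected: wrong iss or aud, expired, or jti already used (replay)")
	}
	seen[jti] = true
	return clientID, nil
}

func main() {
	attesterPub, attesterKey, _ := ed25519.GenerateKey(rand.Reader)
	instancePub, instanceKey, _ := ed25519.GenerateKey(rand.Reader)
	attestation, _ := IssueClientAttestation(attesterKey, "wallet-client", instancePub, 24*time.Hour)
	seen := map[string]bool{}
	pop1, _ := NewClientAttestationPoP(instanceKey, "wallet-client", "https://as.example") // PAR request
	pop2, _ := NewClientAttestationPoP(instanceKey, "wallet-client", "https://as.example") // token request
	for _, pop := range []string{pop1, pop2, pop1} { // same attestation each time; the third call replays pop1 and fails
		fmt.Println(Authenticate(attesterPub, "https://as.example", seen, attestation, pop))
	}
}
```

`seen` stands in for the AS's jti replay cache. The `exp` check on the attestation is the knob the quoted paragraph talks about: the instance key and the attestation stay the same across PAR and token requests, only the PoP (with its new `jti` and `aud`) changes, and once the attestation's `exp` passes the wallet has to get a new one from the attester before any further PoP is accepted.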