Closed rohe closed 4 months ago
According to the text and the specification https://datatracker.ietf.org/doc/draft-demarco-oauth-nonce-endpoint/, the "endpoint" referenced in the statement, "this endpoint is compliant with the OAuth 2.0 Nonce Endpoint specification," is the nonce endpoint and is part of the wallet provider’s backend infrastructure.
Yes, but there is no reference to a nonce endpoint in the metadata specified in the Wallet Solution document. If it doesn't appear in the metadata then the only way to find the endpoint is to send a query without the nonce and then handle the error response returned. This is adding round trips as well as code that could be avoided if the nonce_endpoint just appeared in the wallet provider metadata. There is nothing in the OAuth2.0 Nonce Endpoint specification that prohibits this.
@cmarco0 please do a PR for the definition of the nonce_endpoint metadata parameter, here: https://github.com/peppelinux/draft-demarco-oauth-nonce-endpoint
something like
The Nonce Issuers that use the Nonce endpoint MUST include in their entity metadata the parameters:
nonce_endpoint. REQUIRED. It MUST be an HTTPS URL indicating the endpoint where the client can request the Nonce.
According to steps 3-5 of the "Wallet instance initialization and registration" the Wallet Instance sends a request to the Wallet Provider Backend and receives a one-time challenge. Which endpoint is used? According to the Wallet Provider's metadata there is only one endpoint and that is the token endpoint. Is this a new endpoint not yet documented? In the same paragraph it is stated that "This endpoint is compliant with the specification OAuth 2.0 Nonce Endpoint." Even so it should be part of the Wallet Provider's metadata. Demanding that Nonce endpoint discovery must be used according to the specification above is just overkill.