Origins need a way to get their token validation key so they can actually validate tokens. Clients get this key in the WWW-Authenticate challenge as the "token-key" attribute. I propose we add a new field to the issuer configuration that points to the URI for fetching origin keys, and then have the response carry the corresponding key and token protocol.
Specifically, add this key to the config:
{
...
"token-key-uri": <URI for fetching the per- or cross-origin token key>,
...
}
An example URI might be /token-key, and one might query it like so:
GET /token-key?origin=origin.example
And then the response might be:
{
token-type: 0x0003,
token-key: <encoded token key as is sent in the WWW-Authenticate challenge>
}
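To make the proposed exchange concrete, here is an added example (not code from this proposal or from any Privacy Pass implementation) that wires a minimal issuer-side handler for the token-key-uri endpoint to an origin-side fetch that validates the response. It assumes the token-key is unpadded base64url, as in the WWW-Authenticate challenge, and that the origin derives the key id as SHA-256 of the encoded key; the issuer key table is constructed.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed issuer state: origin name -> (token type, encoded public key).
# The key bytes are dummies standing in for a real encoded token key.
ISSUER_KEYS = {
    "origin.example": (0x0003, b"\x01" * 32),
    "other.example": (0x0003, b"\x02" * 32),
}

def b64url(data: bytes) -> str:
    # Unpadded base64url, the encoding assumed for the token-key attribute.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issuer_config(token_key_uri: str = "/token-key") -> dict:
    # Issuer configuration carrying the proposed "token-key-uri" field.
    return {"token-key-uri": token_key_uri}

def handle_token_key_request(target: str):
    # Issuer side: answer GET <token-key-uri>?origin=<name>; returns (status, body).
    query = parse_qs(urlparse(target).query)
    origins = query.get("origin", [])
    if len(origins) != 1 or origins[0] not in ISSUER_KEYS:
        return 404, ""
    token_type, key = ISSUER_KEYS[origins[0]]
    return 200, json.dumps({"token-type": token_type, "token-key": b64url(key)})

def fetch_origin_key(config: dict, origin: str, expected_type: int, send) -> bytes:
    # Origin side: build the request from the config, send it, validate the answer.
    # `send` stands in for the HTTP client; here it is wired directly to the handler.
    target = config["token-key-uri"] + "?" + urlencode({"origin": origin})
    status, body = send(target)
    if status != 200:
        raise LookupError(f"no token key for {origin}: HTTP {status}")
    resp = json.loads(body)
    if resp.get("token-type") != expected_type:
        raise ValueError(f"issuer key is for token type {resp.get('token-type')!r}")
    return b64url_decode(resp["token-key"])

def token_key_id(key: bytes) -> bytes:
    # Origins match redeemed tokens to keys via token_key_id = SHA-256(token key).
    return hashlib.sha256(key).digest()
```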