tfpauly / privacy-proxy

Specifications for Privacy Proxy Implementations

Meaning of Sec-Token-Request-Blind/Sec-Token-Request-Key dependent on parsing TokenRequest. #201

Closed dvorak42 closed 2 years ago

dvorak42 commented 2 years ago

The parsing of both Sec-Token-Request-Blind and Sec-Token-Request-Key is dependent on the token_type inside the client's TokenRequest, which has a slightly odd layering.

tfpauly commented 2 years ago

Right. I agree that this is odd to have a header that depends on the body — however, in our discussion, I also brought up that the attester needs to look at the token type in the body first anyway, since that's how you know if you're doing the rate-limited version at all. The non-rate-limited types don't have extra headers at all. So, this may not be an issue in practice.
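The attester-side dispatch described in this thread (read token_type from the TokenRequest body first, then decide whether the rate-limit headers are expected at all), as an added illustration rather than code from the privacy-proxy project. The wire layout assumed is the uint16 token_type leading the TokenRequest body; the numeric value used for the rate-limited type and the sample request bytes are assumptions/constructed values, not taken from the issue.

```python
import struct
from typing import Mapping

# Assumed token_type value for the rate-limited token type (an assumption for
# this example; substitute the value from the draft you implement).
RATE_LIMITED_TOKEN_TYPE = 0x0003
# Request headers that only carry meaning for rate-limited TokenRequests.
RATE_LIMITED_HEADERS = ("sec-token-request-blind", "sec-token-request-key")


def token_type_of(token_request: bytes) -> int:
    """Return the uint16 token_type that leads every TokenRequest body."""
    if len(token_request) < 2:
        raise ValueError("TokenRequest shorter than its token_type field")
    return struct.unpack("!H", token_request[:2])[0]


def classify_request(headers: Mapping[str, str], body: bytes) -> dict:
    """Decide, from the body's token_type, whether the Sec-Token-Request-*
    headers are required, and flag the two inconsistent mixes: a rate-limited
    request missing a header, or a non-rate-limited request carrying them."""
    ttype = token_type_of(body)
    rate_limited = ttype == RATE_LIMITED_TOKEN_TYPE
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in RATE_LIMITED_HEADERS if h not in lowered]
    if rate_limited and missing:
        return {"token_type": ttype, "rate_limited": True, "ok": False,
                "reason": "missing " + ", ".join(missing)}
    if not rate_limited and len(missing) < len(RATE_LIMITED_HEADERS):
        return {"token_type": ttype, "rate_limited": False, "ok": False,
                "reason": "rate-limit headers sent with a non-rate-limited type"}
    return {"token_type": ttype, "rate_limited": rate_limited, "ok": True,
            "reason": ""}


# Constructed sample: rate-limited type, one-byte key id, 32-byte blinded message.
SAMPLE_RATE_LIMITED_BODY = b"\x00\x03" + b"\x01" + b"\x00" * 32
SAMPLE_HEADERS = {"Sec-Token-Request-Blind": "Y29uc3RydWN0ZWQ=",
                  "Sec-Token-Request-Key": "Y29uc3RydWN0ZWQ="}

if __name__ == "__main__":
    print(classify_request(SAMPLE_HEADERS, SAMPLE_RATE_LIMITED_BODY))
```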