remove c_nonce from the token endpoint response
#381
Conversation
There was a problem hiding this comment.
I suggest to add a dedicated nonce endpoint to the credential issuer as replacement for the c_nonce token response parameter. Just removing the c_nonce will force wallets to try the credential issuance request in order to get a nonce in order to be able to create a proper nonce-bound proof of possession. That's complicated.
|
I think this is the previous issue about a nonce endpoint for wallet attestation that people were asking about on today's call: |
|
There has been a lot of discussion about this (and roughly mostly in favor of it) in recent months in #39 and also #331 and maybe elsewhere too. [edit: like https://github.com//issues/357 ] |
@tlodderstedt that's exactly what I had in mind when I started writing this draft: https://github.com/peppelinux/draft-demarco-oauth-nonce-endpoint?tab=readme-ov-file @jogu many of the conversations and points raised within the issue #71 was filtered and mentioned in the nonce endpoint draft |
…ue without the overhead of a full Credential Request
|
as requested, 074065b adds a dedicated nonce endpoint to the credential issuer as replacement for the c_nonce token response parameter |
There was a problem hiding this comment.
I would like to mandate nonce endpoint if the issuer requires the use of c_nonce, i.e. the presence of the endpoint enforces its usage, therefore we could get rid of sending fake ugly Credential requests to fetch a c_nonce completely.
Having this endpoint optional and no other indication of the issuer whether he requires c_nonce for proofs seems inefficient.
48a3678 updates the proposed text to do that. |
| @@ -710,6 +706,45 @@ Cache-Control: no-store | |||
| } | |||
| ``` | |||
|
|
|||
| # Nonce Endpoint {#nonce-endpoint} | |||
|
|
|||
| A Credential Issuer that requires `c_nonce` values to be incorporated into proofs in the Credential Request (see (#credential-request)) MUST offer a Nonce Endpoint. This endpoint allows a Client to acquire a fresh `c_nonce` value without the overhead of a full Credential Request. | |||
There was a problem hiding this comment.
improve readability
| A Credential Issuer that requires `c_nonce` values to be incorporated into proofs in the Credential Request (see (#credential-request)) MUST offer a Nonce Endpoint. This endpoint allows a Client to acquire a fresh `c_nonce` value without the overhead of a full Credential Request. | |
| This endpoint allows a Client to acquire a fresh `c_nonce` value without the overhead of a full Credential Request. A Credential Issuer that requires `c_nonce` values to be incorporated into proofs in the Credential Request (see (#credential-request)) MUST offer a Nonce Endpoint. |
but also do we really want to mandate nonce endpoint for all issuers that require c_nonce? than why keep an option to return c_nonce in credential response?
There was a problem hiding this comment.
was trying to keep the scope of the changes to something that had been agreed on while also accommodating Paul's request for changes
There was a problem hiding this comment.
while also keeping my own frustration in check about the fact that these are all things that were only hidden by the nonce from token endpoint but have existed all along so why do they always and only come up in the context of trying to make an improvement
There was a problem hiding this comment.
Also removing the ability to have send a c_nonce in the credential response would probably be a breaking change by most measures and it's unclear if the WG has the appetite for that.
Co-authored-by: Kristina <[email protected]>
fair questions that i guess should be discussed in the WG |
There was a problem hiding this comment.
I like the current direction.
If we keep things as-is, we can completely delete the chapter 7.3.2 as the nonce endpoint is doing the job and all other details are already covered in the main section of Credential Response
Noting that removing the ability to have send a c_nonce in the credential response would probably be a breaking change by most measures. Which, I think, would be okay by me. But should have some buy-in from the WG. |
|
Discussed on the WG call, direction on removing section 7.3.2 and consolidating its content in Nonce Endpoint definition. also in this PR, add a little more explanation that issuer can invalidate c_nonce any time. please open an issue on removing c_nonce_expires_in parameter (@tplooker). also agreed to open a separate issue on removing an option to return c_nonce from the credential error response, so that we can merge this PR as-is (@bc-pi). |
|
As I would read this PR, it recommends the wallet to use the nonce endpoint if it's present and the parameter in credential response is kind of an alternative/fallback. Therefore this paragraph does not fit any longer. |
|
aadb2bb is what I was able to summon the appetite for |
Co-authored-by: Giuseppe De Marco <[email protected]>
| Below is a non-normative example of a Nonce Request: | ||
|
|
||
| ``` | ||
| GET /nonce HTTP/1.1 |
There was a problem hiding this comment.
Wouldn't a POST request be more appropriate? I mean the endpoint is supposed to provide a new/different value with every response and the result should not be cached (in my opinion).
There was a problem hiding this comment.
+1, I tried to push in this direction as well: #381 (comment)
There was a problem hiding this comment.
I didn't realize this was GET. my suggestion has been POST. In german wallet project we have been prototyping with POST and it works well https://bmi.usercontent.opencode.de/eudi-wallet/eidas-2.0-architekturkonzept/flows/PID-IssuerSigned-cloud/#issuer-session-endpoint-at-the-pid-provider
There was a problem hiding this comment.
Other than describing the media type of content that doesn't exist as JSON, which is semantically invalid and maybe syntactically wrong too, what value does the German wallet project get from using POST?
=== Screenshot of the previously cited german wallet project ===
There was a problem hiding this comment.
Wouldn't a POST request be more appropriate?
No.
I mean the endpoint is supposed to provide a new/different value with every response and the result should not be cached (in my opinion).
That's why it was made not cacheable in the example https://github.com/openid/OpenID4VCI/pull/381/files#diff-1f424614b35a9899813079f1b1f6218631a2aedd993368ccb89bb81a9eda0289R741 and text https://github.com/openid/OpenID4VCI/pull/381/files#diff-1f424614b35a9899813079f1b1f6218631a2aedd993368ccb89bb81a9eda0289R734 using the Cache-Control construct that HTTP gives for control of caching.
There was a problem hiding this comment.
My 2 cents for what they are worth,
If we asked the question "is this call safe (i.e. is it read-only)" I think the answer would be "maybe". Safe calls shouldn't alter the state of the server in any way but without knowing how the server implements the nonce endpoint we would not know the answer to the question.
If we asked the question "is this call idempotent" I think we would also get a "maybe". Client could do this call just to "fetch a value" which might not assume any intention of a side-effect, and from the perspective of the server it would depend on the implementation.
I do see the point in making it a GET because it is technically just fetching a random value, so semantically if fits, but there might be an embedded assumption here that this random value is a prerequisite for some other steps, and that getting a nonce can be viewed as setting up a state that needs to be validated by the server.
One could argue that it might be safer to make this a POST because this would communicate that the call might not be safe or idempotent and that subsequent calls could cause load, burden, and side-effects for the server.
But this is just philosophizing, I personally do not have a clear preference, I see arguments for both GET and POST.
There was a problem hiding this comment.
I can see arguments for both as well but was really trying to avoid them entirely with a simple (maybe simplistic) approach.
There was a problem hiding this comment.
but avoidance didn't work and so f7b4dc8 Removed the HTTP method specificity from the Nonce Request text and change the example from GET to POST
There was a problem hiding this comment.
After reading the comments and listening to the discussions, I'm ok with GET or POST, but we need to pick one.
There was a problem hiding this comment.
as discussed on the call - it's POST now 55c8388
…hange the example from GET to POST
There was a problem hiding this comment.
Happy to accept if Joseph's proposal is incorporated.
https://github.com/openid/OpenID4VCI/pull/381/files#r1787382536
…the client mandatory if it's present and a nonce is required" Co-authored-by: Joseph Heenan <[email protected]>
it's done with 9e0d059 |
Great, thanks! |
|
As discussed on today's WG call - we now have an astounding 12 approvals and no remaining objections/comments - merging! Thank you everyone! |
remove
c_nonceandc_nonce_expires_infrom the token endpoint response to fix #39again