@tlodderstedt can you confirm what you mean? I read your issue as meaning we should be including the endpoint that the PoP is going to be presented at (e.g. the token endpoint).
The HTU claim in DPoP serves a couple of purposes, which are freshness and audience constraint. With this draft the client attestation PoP already has normative text around populating the aud value for audience constraint and a mechanism around jti for a limited solution to detecting freshness (replay attacks). We also have #39 discussing a solution to a server-generated nonce, which will improve the freshness (replay attacks). With those mechanisms in place I don't believe we also need an HTU-style claim.
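As an added illustration of the checks described in the comment above (this is example code, not the draft's or this repository's own), a minimal server-side verifier for a client attestation PoP JWT: it enforces aud against the server's identifier (audience constraint), a single-use jti (replay detection) and a server-issued nonce (freshness), with no htu-style endpoint URL. The demo key, the HS256 signature (the draft signs the PoP with the client instance key, which would be asymmetric), the server identifier, the 300-second acceptance window and all sample claim values are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. The draft signs the client attestation PoP with the client
# instance's (asymmetric) key; HS256 is used here only so the example runs with the
# standard library and no external JWT package.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Assumed identifier of the authorization server; the PoP's aud must equal it.
AS_IDENTIFIER = "https://as.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_pop(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS for the PoP claims (demo HMAC signature)."""
    header = {"typ": "oauth-client-attestation-pop+jwt", "alg": "HS256"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class PoPVerifier:
    """Server-side checks: signature, aud (audience constraint), iat window,
    single-use jti (replay), and a server-issued nonce (freshness)."""

    def __init__(self, as_identifier: str, key: bytes = DEMO_KEY, max_age: int = 300):
        self.as_identifier = as_identifier
        self.key = key
        self.max_age = max_age          # assumed acceptance window in seconds
        self.seen_jti = {}              # jti -> time after which it can be forgotten
        self.issued_nonces = {}         # nonce -> expiry time

    def issue_nonce(self, now=None) -> str:
        """Hand out a fresh nonce that the client must echo in the PoP."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        self.issued_nonces[nonce] = now + self.max_age
        return nonce

    def _prune(self, now: float) -> None:
        # Forget jtis whose iat window has closed and nonces that have expired.
        self.seen_jti = {j: exp for j, exp in self.seen_jti.items() if exp > now}
        self.issued_nonces = {n: exp for n, exp in self.issued_nonces.items() if exp > now}

    def verify(self, token: str, now=None):
        """Return (accepted, reason). Checks are ordered cheapest-to-reject first."""
        now = time.time() if now is None else now
        self._prune(now)
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        signing_input = parts[0] + "." + parts[1]
        expected = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return False, "bad signature"
        claims = json.loads(b64url_decode(parts[1]))
        # Audience constraint: the PoP is bound to this server as a whole,
        # not to a particular endpoint URL as DPoP's htu would be.
        if claims.get("aud") != self.as_identifier:
            return False, "aud mismatch"
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or iat > now + 30 or now - iat > self.max_age:
            return False, "iat outside acceptance window"
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        if jti in self.seen_jti:
            return False, "jti replayed"
        nonce = claims.get("nonce")
        if nonce not in self.issued_nonces:
            return False, "unknown or expired nonce"
        # Accept: remember the jti until its iat window closes, and consume the nonce.
        self.seen_jti[jti] = iat + self.max_age
        del self.issued_nonces[nonce]
        return True, "ok"


if __name__ == "__main__":
    verifier = PoPVerifier(AS_IDENTIFIER)
    nonce = verifier.issue_nonce()
    token = sign_pop({"iss": "client-1", "aud": AS_IDENTIFIER, "iat": int(time.time()),
                      "jti": "constructed-jti-1", "nonce": nonce})
    print(verifier.verify(token))   # first presentation is accepted
    print(verifier.verify(token))   # same token again is rejected as a replay
```

The jti cache only needs to remember a jti for as long as the iat window would still admit it, which keeps the server-side state bounded; the nonce is consumed on first use so a second presentation fails even if the jti check were absent.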
Should the actual URL the client attestation pop JWT shall be sent to be included in the pop JWT?
DPoP has it but I assume the nonce is powerful enough to protect against replay but want to make sure we have thought about it.