
In startsession we deliver authorization artifact in two different ways

Open alextok opened this issue 1 year ago • 2 comments

In startsession we deliver the authorization artifact in two different ways: as an Authorization header and as part of the JWT body.

https://github.com/WICG/dbsc?tab=readme-ov-file#start-session

I think we need to have one way of doing this. I prefer the JWT body, as it is crypto bound to the keys.

alextok avatar Mar 23 '24 09:03 alextok

The case for keeping it in the header is if there is a use case in which the user agent would need a valid access token to access the /securesession/startsession endpoint. Is that a possibility? The proposed standard just mentions allowing "...the server to link registration with some preceding sign in flow." If that's the whole story then I agree we don't need it in the header.

mattjm avatar Mar 28 '24 04:03 mattjm

I removed it from the header here: https://github.com/WICG/dbsc/commit/cffa9fbc0515382a45880c6fb140c1612cf3073f

Keeping this issue open in case there is a case for keeping it in the header like @mattjm mentions. I think it would be best for the server to expect it in the JWT as it is signed by the key.

kmonsen avatar Mar 28 '24 05:03 kmonsen