DPoP-Nonce is not clear enough to link its usage
In the current spec, the nonce endpoint example shows an additional response header, "DPoP-Nonce", being returned, which is not clear enough.
I read issue https://github.com/openid/OpenID4VCI/issues/412 and understood that it is meant to save an additional call at the credential endpoint; however, its value in the example is in the format of a JWT.
```http
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v

{ "c_nonce": "wKI4LT17ac15ES9bw8ac4" }
```
According to DPoP usage, the server returns an access token bound to the passed public key in JWT format; however, here at the nonce endpoint no public key is passed, as it is an unprotected resource.
My questions: What is the content of this response header JWT? Is it really a JWT, or can it be any string similar to c_nonce? If it is really a JWT, what additional information needs to be passed by the wallet to link the two different response nonces?
Also, could you please add an example at the credential endpoint to depict the usage of this response header.
> What is the content of this response header JWT?

The contents of the DPoP-Nonce header are as defined in the DPoP spec.

> Is it really a JWT, or can it be any string similar to c_nonce?

It's an opaque string. (The value in the example is pretty odd, but I believe it is not a valid JWT. The same value is used in the examples in https://datatracker.ietf.org/doc/html/rfc9449 )
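To show how the two nonces are linked in practice, here is an added example (not code from the OpenID4VCI spec or from this thread) of the server side described in RFC 9449 section 8: the server mints an opaque DPoP-Nonce, and a later DPoP proof is accepted only if its `nonce` claim matches an unexpired one; otherwise the server answers `use_dpop_nonce` with a fresh DPoP-Nonce. The nonce TTL, the store, and the helper that builds an unsigned proof for the constructed input are assumptions; verification of the proof's signature is assumed to happen elsewhere.

```python
import base64
import json
import secrets
import time

NONCE_TTL = 300  # seconds a DPoP-Nonce stays acceptable (assumed server policy)


class DPoPNonceStore:
    """Tracks DPoP-Nonce values the server has handed out (constructed example)."""

    def __init__(self):
        self._issued = {}  # opaque nonce -> expiry time (epoch seconds)

    def issue(self, now=None):
        """Mint an opaque value to return in the DPoP-Nonce header. It is random, not a JWT."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(24)
        self._issued[nonce] = now + NONCE_TTL
        return nonce

    def check(self, nonce, now=None):
        """True only for a nonce this server issued that has not yet expired."""
        now = time.time() if now is None else now
        return nonce in self._issued and self._issued[nonce] > now


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def dpop_proof_claims(proof_jwt):
    """Payload of a DPoP proof JWT; the signature is assumed verified elsewhere."""
    header_b64, payload_b64, _sig = proof_jwt.split(".")
    if json.loads(_b64url_decode(header_b64)).get("typ") != "dpop+jwt":
        raise ValueError("not a DPoP proof")
    return json.loads(_b64url_decode(payload_b64))


def check_proof_nonce(store, proof_jwt, now=None):
    """Returns (status, error, fresh_nonce) for a protected request carrying a proof.
    The "nonce" claim of the proof is what links it to the earlier DPoP-Nonce header;
    a missing or stale value gets 400 use_dpop_nonce plus a new DPoP-Nonce to retry with."""
    claims = dpop_proof_claims(proof_jwt)
    if store.check(claims.get("nonce"), now):
        return 200, None, None
    return 400, "use_dpop_nonce", store.issue(now)


def make_unsigned_proof(claims):
    """Builds a proof JWT with an empty signature, only to construct test input here."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"typ": "dpop+jwt", "alg": "ES256"}) + "." + enc(claims) + "."
```

Note that the c_nonce from the same response is a different value: it goes into the `nonce` claim of the key-binding proof inside the credential request body, not into the DPoP proof header.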