Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove
c_nonce
from the token endpoint response #381base: main
Are you sure you want to change the base?
remove
c_nonce
from the token endpoint response #381Changes from 6 commits
ce28a10
074065b
48a3678
58bbf81
0e0d188
b7b4c08
aeb3839
aadb2bb
55c109e
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't a POST request be more appropriate? I mean the endpoint is supposed to provide a new/different value with every response and the result should not be cached (in my opinion).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1, I tried to push in this direction as well: #381 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't realize this was GET. my suggestion has been POST. In german wallet project we have been prototyping with POST and it works well https://bmi.usercontent.opencode.de/eudi-wallet/eidas-2.0-architekturkonzept/flows/PID-IssuerSigned-cloud/#issuer-session-endpoint-at-the-pid-provider
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than describing the media type of content that doesn't exist as JSON, which is semantically invalid and maybe syntactically wrong too, what value does the German wallet project get from using POST?
=== Screenshot of the previously cited german wallet project ===
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No.
That's why it was made not cacheable in the example https://github.com/openid/OpenID4VCI/pull/381/files#diff-1f424614b35a9899813079f1b1f6218631a2aedd993368ccb89bb81a9eda0289R741 and text https://github.com/openid/OpenID4VCI/pull/381/files#diff-1f424614b35a9899813079f1b1f6218631a2aedd993368ccb89bb81a9eda0289R734 using the
Cache-Control
construct that HTTP gives for control of caching.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My naive feeling that using a GET to get some data is the most straightforward way to get some data remained unchanged by that discussion over the course of the last two weeks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My 2 cents for what they are worth,
If we asked the question "is this call safe (i.e. is it read-only)" I think the answer would be "maybe". Safe calls shouldn't alter the state of the server in any way but without knowing how the server implements the nonce endpoint we would not know the answer to the question.
If we asked the question "is this call idempotent" I think we would also get a "maybe". Client could do this call just to "fetch a value" which might not assume any intention of a side-effect, and from the perspective of the server it would depend on the implementation.
I do see the point in making it a GET because it is technically just fetching a random value, so semantically if fits, but there might be an embedded assumption here that this random value is a prerequisite for some other steps, and that getting a nonce can be viewed as setting up a state that needs to be validated by the server.
One could argue that it might be safer to make this a
POST
because this would communicate that the call might not be safe or idempotent and that subsequent calls could cause load, burden, and side-effects for the server.But this is just philosophizing, I personally do not have a clear preference, I see arguments for both
GET
andPOST
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest to rename c_nonce to nonce, making the nonce endpoint of general purpose. A nonce is issued by an entity for a specific scope known to its issuer, we don't need to use a particular member name to say that it is a credential nonce, it's a only nonce
nonce and nonce_expires_in would be enough from my perspective, allowing the nonce endpoint to be a general and reusable endpoint within the OAuth framework
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A general and reusable endpoint within the OAuth framework was in no way a goal of this work. Not at all.
And I used c_nonce (a name that I honestly think is terrible for many reasons) to allow for this PR to fit into the broader document more easily and with less risk.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, since this Nonce Endpoint is specifically tailored for credential issuance within the sole scope of the OpenID4VCI specs, it would make sense to rename the endpoint metadata parameter from
nonce_endpoint
tocredential_nonce_endpoint
.In this way, other nonce endpoints created for other OpenID/IETF specs will not collide with this one.
The related section should therefore be renamed to "Credential Nonce Endpoint," adding "Credential" as a prefix to contextualize its scope.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have any opinion on the metadata name yet, but:
I'm not sure I see any danger of collision with IETF specs - the new endpoint is only present in the credential issuer metadata, so I can't imagine IETF would ever start defining values in there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As @jogu points out (thanks @jogu!) there is no problem with collision because this endpoint is at the credential issuer.
This seems to be in the same vein of what I said about this in slack to you @peppelinux yesterday but bears repenting, "the context is totally different."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
bo-ring :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I menat IANA metadata registry
https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth Authorization Server Metadata
nonce_endpoint might collide over there, yes different contexts (openid != IETF) but if this endpoint is specialized for credential issuance it would be better to give to it a name pointing exactly and esplicitly in this way
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that context is still totally different
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
after a maybe productive but definitely not appropriate side discussion about this over in slack - I think Giuseppe and I can agree to disagree
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to try to clarify, the nonce endpoint here is part of the issuer metadata. We will not be making an IANA registration for nonce_endpoint in the OAuth Authorization Server Metadata because we're not defining a nonce endpoint for the authorization server. The suggested nonce_endpoint is (technically) a resource server endpoint as that's how we define the credential issuer.
Adding nonce_endpoint here would not prevent the OAuth WG defining a nonce endpoint for authorization servers, nor would it conflict with any such endpoint. It also wouldn't stop the OAuth WG defining a general nonce endpoint for resource servers should they choose to do so, as resource server metadata would also not have a name space that overlaps with credential issuer metadata (i.e. you could have a nonce endpoint defined in
.well-known/oauth-resource server
and a potentially different nonce endpoint defined in/.well-known/openid-credential-issuer
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps this text could be a bit more lenient, namely to allow cases where the same
c_nonce
can be cached for a small amount of time (via themax-age
value on theCache-Control
).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that should be accounted for at the HTTP layer of cache.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, sure the client will hold onto the thing so it can use it on a subsequent credential request but that's not something that should be conveyed at the HTTP cache level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if we allow
max-age
I think we just define thenonce_expires_in
on an HTTP levelThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or not at any level #394
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by which i mean, it's not appropriate at the HTTP layer and it's not needed at the application layer so why have it at all?