Open
Description
As mentioned by @zenomt in #1, it may be advantageous to:

- Add a `nonce` param to the Resource Server's 401 `WWW-Authenticate` response headers.
- Require WebID-OIDC tokens (bearer or PoP) to include/pass through that nonce param, for verification by the RS.
Specifically, on a 401 Unauthorized HTTP response, the Resource Server would include the authenticate header, which would look something like:
WWW-Authenticate: Bearer realm="..." scope="..." nonce="abcd123"
Opening this issue as a reminder to discuss:

- Whether to include this mechanism in whatever auth system WebID-OIDC evolves into
- What to name that param (`nonce` or `challenge` or something else)
- Add the requirements for its validation by the RS
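The exchange sketched above, as an added example that is not part of this issue or of the WebID-OIDC project's code: the RS mints a nonce into its `WWW-Authenticate` challenge and remembers it, the client echoes it as a `nonce` claim in the token it presents, and the RS checks that the claim matches a nonce it issued, that it is not older than an assumed 300 s lifetime, and that it has not been used before. The realm, scope and WebID values are made up, and HMAC-SHA256 with a shared key stands in for the asymmetric PoP signature so the example runs on the standard library alone; the part that matters is the nonce bookkeeping, which is the same whichever signature scheme is used.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import time

NONCE_TTL_SECONDS = 300          # assumed challenge-nonce lifetime (not from the issue)
AUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_challenge(header_value: str):
    """Split 'Bearer realm="..." nonce="..."' into (scheme, params).

    Accepts both space-separated params (as in the issue's sketch) and the
    comma-separated form RFC 7235 specifies.
    """
    scheme, _, params = header_value.partition(" ")
    return scheme, dict(AUTH_PARAM.findall(params))


def make_pop_token(claims: dict, key: bytes) -> str:
    """Client side: sign the claims, which must echo the RS's nonce.

    HMAC-SHA256 is a stand-in for the client's asymmetric PoP signature.
    """
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


class ResourceServer:
    def __init__(self, realm: str, pop_key: bytes, clock=time.time):
        self.realm = realm
        self.pop_key = pop_key       # stand-in for the client's already-verified PoP key
        self.clock = clock           # injectable so a test can age a nonce past its TTL
        self._issued = {}            # nonce -> issue time; each entry is single-use

    def challenge(self) -> str:
        """Build the 401 WWW-Authenticate value and remember the nonce it carries."""
        nonce = secrets.token_urlsafe(16)
        self._issued[nonce] = self.clock()
        return (f'Bearer realm="{self.realm}", scope="openid webid", '
                f'nonce="{nonce}"')

    def verify(self, token: str):
        """Return (ok, reason). A nonce is consumed on its first successful use."""
        try:
            body, tag = token.split(".")
            expected = hmac.new(self.pop_key, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64url(tag), expected):
                return False, "bad signature"
            claims = json.loads(_unb64url(body))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed token"
        nonce = claims.get("nonce") if isinstance(claims, dict) else None
        if not nonce:
            return False, "nonce claim missing"
        issued_at = self._issued.get(nonce)
        if issued_at is None:
            return False, "nonce not issued by this RS or already used"
        if self.clock() - issued_at > NONCE_TTL_SECONDS:
            del self._issued[nonce]
            return False, "nonce expired"
        del self._issued[nonce]      # single use: replaying the same token fails below
        return True, "ok"


def demo():
    """Run one full exchange plus the replay, missing-nonce and expiry cases."""
    clock = {"t": 1_700_000_000.0}   # constructed fixed clock
    key = b"client-pop-key"          # constructed stand-in for the client's PoP key
    rs = ResourceServer("https://rs.example/", key, clock=lambda: clock["t"])
    scheme, params = parse_challenge(rs.challenge())
    token = make_pop_token({"iss": "https://idp.example/",
                            "sub": "https://alice.example/profile#me",
                            "nonce": params["nonce"]}, key)
    first = rs.verify(token)
    replay = rs.verify(token)
    no_nonce = rs.verify(make_pop_token({"sub": "https://alice.example/profile#me"}, key))
    _, late = parse_challenge(rs.challenge())
    clock["t"] += NONCE_TTL_SECONDS + 1     # client answers this challenge too late
    expired = rs.verify(make_pop_token({"nonce": late["nonce"]}, key))
    return {"scheme": scheme, "first": first, "replay": replay,
            "no_nonce": no_nonce, "expired": expired}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The single-use and TTL checks are what make the nonce worth adding: without them a captured token could be presented to the same RS again, which is exactly what binding the token to a per-response challenge is meant to prevent. In a real deployment the issued-nonce table would need to be shared across RS instances, or the nonce made self-validating (for example an HMAC over a timestamp), so that a challenge issued by one instance can be honoured by another.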