The Figure 1 should be redrawn #160

@Denisthemalice

The stages (1) to (4) are out of the scope of the document and should be renamed (a) to (f). See issue #157.

The flow description fails to illustrate the ability of the AS to send a challenge to the Client Instance.

Let us number the exchanges between the Client and the AS starting with (1), which will be an optional flow.

This would change the description of the flows in the following way:

(1) The Client Instance sends an optional challenge request to the Authorisation Server.

(2) If a challenge request has been sent to the Authorisation Server, the Authorisation Server sends back a challenge to the Client Instance.

(3) The Client Instance generates a Client Attestation PoK JWT with a Client Instance Key that includes the challenge and can include the hash value of a previous message exchanged with the Authorisation Server (e.g., a set of claims that the Client Instance has requested to be included into a credential that will be issued, or a token request).

(4) The Client Instance sends both the Client Attestation JWT and the Client Attestation PoK JWT to the authorization server.

(5) The Authorisation Server verifies both the Client Attestation JWT and the Client Attestation PoK JWT and verifies that the technical characteristics of the type of the device and the firmware / software on which the client instance is running match its policy to issue either a set of claims that the Client Instance has requested to be included into a credential that will be issued or a security token.

Note: PoK = Proof of Knowledge

             (c)
          +-------+
          |       |
          |      \ /
   +-----------------+      +-----------------+
   |                 |      |                 |
   | Client Attester |  OR  | Client Attester |
   |                 |      |                 |
   +-----------------+      +-----------------+
              / \  |          |
          (b)  |   |  (d)     | (f)
               |  \ /        \ /       (1) Opt.
             +-------------------+  chall. request   +---------------+
             |                   |-----------------> |               |
             |      Client       |(2) Opt. challenge | Authorization |
      +----->|     Instance      |<----------------- |     Server    |
  (a) |      |                   | (4) Response      |               |
      +------|                   |------------------>|               |
             +-------------------+                   +---------------+
                  / \      |                            / \      |
                   |       |                             |       |
                   +-------+                             +-------+  
                      (3)                                   (5)
