Nonce Endpoint for Authorization Server

[paulbastian]

Given our latest proposal for nonce fetching for Wallet Attestation, we propose to have a nonce endpoint for the Authorization Server in OpenID4VCI. Our reasoning:

• we already have a nonce endpoint for Credential Issuer
• we can use the nonce endpoint at AS to get nonces for wallet attestation before calling the PAR endpoint
• we can fetch DPoP nonces also at AS, which would bring us on par with pending PR Add DPoP Nonce to Nonce Endpoint #478
• if AS and Credential Issuer are the same, they can have a merged nonce endpoint
• in the long run extract the ideas from OpenID4VCI and Attestation-Based Client Authentication into a dedicated OAuth Draft in backwards-compatible fashion?

[tplooker]

Im supportive of this, having multiple nonce endpoints creates quite a lot of implementation difficulty.

[Sakurann]

WG discussion:

• Current situation:
  • all the nonces in the flow: wallet attestation, DPoP in AS and c_nonce (proof and key attestation) and DPoP in RS
  • existing mechanisms: nonce endpoint for c_nonce in RS; the same endpoint can be used for DPoP nonce at RS
• what remains to be specced: two nonces at AS
  • want to also improve how DPoP nonces work in general (and more deterministic) (wallet would still have to deal with DPoP nonce in the error)
• direction
  • want two separate nonce endpoints for the case where AS and RS are different entities. nonce endpoint preferred to http OPTIONS
  • have a symmetrical design between AS and RS: both have a nonce endpoint that is capable of returning DPoP-nonce header
• next steps:
  • VCI relies on IETF attestation based client authn draft for wallet attestation. that IETF draft will add a mechanism to get a challenge. VCI to reference that mechanism and add an option to add DPoP-nonce header in VCI. consider calling nonce a challenge in IETF
  • is c_nonce a nonce or a challenge? #496 as a spill over
  • Add a section that clarifies what nonces are in VCI and how to fetch them and what to be concerned about.