You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: "The European Digital Identity Wallet Architecture and Reference Framework"
@@ -120,6 +121,56 @@ Client Instance:
120
121
Client Instance Key:
121
122
: A cryptographic asymmetric key pair that is generated by the Client Instance where the public key of the key pair is provided to the client backend. This public key is then encapsulated within the Client Attestation JWT and is utilized to sign the Client Attestation Proof of Possession.
122
123
124
+
# Relation to RATS
125
+
126
+
The Remote Attestation Procedures (RATS) architecture defined by {{RFC9334}} has some commonalities to this document. The flow specified in this specification relates to the "Passport Model" in RATS. However, while the RATS ecosystem gives explicit methods and values how the RATS Attester proves itself to the Verifier, this is deliberately out of scope for Attestation-Based Client Authentication. Additionally, the terminology between RATS and OAuth is different:
127
+
128
+
- a RATS "Attester" relates to an OAuth "Client"
129
+
- a RATS "Relying Party" relates to an OAuth "Authorization Server or Resource Server"
130
+
- a RATS "Verifier" relates to the "Client Backend" defined in this specification
131
+
- a RATS "Attestion Result" relates to the "Client Attestation JWT" defined by this specification
132
+
- a RATS "Endorser", "Reference Value Provider", "Endorsement", "Evidence" and "Policies and Reference Values" are out of scope for this specification
133
+
134
+
# Client Attestation
135
+
136
+
This draft introduces the concept of client attestations to the OAuth 2 protocol, using two JWTs: a Client Attestation and a Client Attestation Proof of Possession (PoP). These JWTs are transmitted via HTTP headers in an HTTP request from a Client Instance to an Authorization Server or Resource Server. The primary purpose of these headers is to authenticate the Client Instance.
137
+
138
+
## Client Attestation HTTP Headers {#headers}
139
+
140
+
A Client Attestation JWT and Client Attestation PoP JWT is included in an HTTP request using the following request header fields.
141
+
142
+
OAuth-Client-Attestation:
143
+
: A JWT that conforms to the structure and syntax as defined in [](#client-attestation-jwt)
144
+
145
+
OAuth-Client-Attestation-PoP:
146
+
: A JWT that adheres to the structure and syntax as defined in [](#client-attestation-pop-jwt)
147
+
148
+
The following is an example of the OAuth-Client-Attestation header.
Note that per {{RFC9110}} header field names are case-insensitive; so OAUTH-CLIENT-ATTESTATION, oauth-client-attestation, etc., are all valid and equivalent
172
+
header field names. Case is significant in the header field value, however.
173
+
123
174
# Client Attestation Format
124
175
125
176
This draft introduces the concept of client attestations to the OAuth 2 protocol, using two JWTs: a Client Attestation and a Client Attestation Proof of Possession (PoP). The primary purpose of these JWTs is to authenticate the Client Instance. These JWTs can be transmitted via HTTP headers in an HTTP request (as described in [](#headers)) from a Client Instance to an Authorization Server or Resource Server, or via a concatenated serialization (as described in [](#alternative-representation)) to enable usage outside of the traditional OAuth2 ecosystem .
@@ -476,6 +527,7 @@ This non-normative example shows a client attestations used as an wallet instanc
0 commit comments