From 2f5b2b514eac826ebdc48b5a1ada9b9cc79de118 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Tue, 14 Oct 2025 10:35:20 +0200 Subject: [PATCH] feat: added AuthzServer metadata according to latest updates of attestation based client auth --- docs/en/credential-issuance-endpoint.rst | 4 ++++ docs/en/credential-issuer-metadata.rst | 9 +++++++++ docs/it/credential-issuance-endpoint.rst | 5 +++++ docs/it/credential-issuer-metadata.rst | 8 ++++++++ examples/ec-eaa.json | 10 ++++++++++ 5 files changed, 36 insertions(+) diff --git a/docs/en/credential-issuance-endpoint.rst b/docs/en/credential-issuance-endpoint.rst index 88b7cb2a7..f7414bcb3 100644 --- a/docs/en/credential-issuance-endpoint.rst +++ b/docs/en/credential-issuance-endpoint.rst @@ -80,6 +80,10 @@ the request to the Credential Issuer authorization endpoint MUST use the followi - It MUST be set to a value containing the Wallet Attestation JWT Proof of Possession. - `OAUTH-ATTESTATION-CLIENT-AUTH`_. +.. note:: + Clients SHOULD select the algorithms for the Wallet Attestation and its proof of possession according to the Authorization Server metadata fields + ``client_attestation_signing_alg_values_supported`` and ``client_attestation_pop_signing_alg_values_supported`` documented in :ref:`credential-issuer-metadata:Metadata for oauth_authorization_server`. + The JWT *Request Object* has the following JOSE header parameters: diff --git a/docs/en/credential-issuer-metadata.rst b/docs/en/credential-issuer-metadata.rst index 3e1030b0d..03a236e31 100644 --- a/docs/en/credential-issuer-metadata.rst +++ b/docs/en/credential-issuer-metadata.rst 
@@ -45,6 +45,10 @@ The *oauth_authorization_server* metadata MUST contain the following parameters. - JSON array containing a list of the supported grant type values. The authorization server MUST support *authorization_code*. * - **token_endpoint_auth_methods_supported** - JSON array containing a list of supported client authentication methods. The Token Endpoint MUST support *attest_jwt_client_auth* as defined in `OAUTH-ATTESTATION-CLIENT-AUTH`_. + * - **client_attestation_signing_alg_values_supported** + - JSON array containing the list of JWS "alg" values supported for the Wallet Attestation (the ``oauth-client-attestation+jwt``). Values MUST be chosen from Section :ref:`algorithms:cryptographic algorithms` and MUST NOT include ``none`` nor symmetric (MAC) algorithms. + * - **client_attestation_pop_signing_alg_values_supported** + - JSON array containing the list of JWS "alg" values supported for the Wallet Attestation Proof-of-Possession (the ``oauth-client-attestation-pop+jwt``). Values MUST be chosen from Section :ref:`algorithms:cryptographic algorithms` and MUST NOT include ``none`` nor symmetric (MAC) algorithms. * - **token_endpoint_auth_signing_alg_values_supported** - JSON array containing a list of the signing algorithms ("*alg*" values) supported by the token endpoint for the signature on the JWT used to authenticate the client at the Token Endpoint. See :rfc:`8414#section-2`. * - **request_object_signing_alg_values_supported** 
@@ -54,6 +58,11 @@ The *oauth_authorization_server* metadata MUST contain the following parameters. * - **jwks** - JSON Web Key Set containing the cryptographic keys for the authorization server. See `OID-FED`_ Section 5.2.1 and `JWK`_. +.. important:: + If ``token_endpoint_auth_methods_supported`` includes ``attest_jwt_client_auth``, the Authorization Server MUST include both + ``client_attestation_signing_alg_values_supported`` and ``client_attestation_pop_signing_alg_values_supported`` in its metadata. + Clients SHOULD fetch and parse the Authorization Server metadata to detect support and algorithm requirements for Attestation-Based Client Authentication. When algorithms are incompatible, the client MAY obtain a new client attestation using a supported algorithm. + Metadata for openid_credential_issuer ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/it/credential-issuance-endpoint.rst b/docs/it/credential-issuance-endpoint.rst index 4754d3d17..ff6c2a162 100644 --- a/docs/it/credential-issuance-endpoint.rst +++ b/docs/it/credential-issuance-endpoint.rst @@ -81,6 +81,11 @@ la richiesta all'authorization endpoint del Credential Issuer DEVE utilizzare i - `OAUTH-ATTESTATION-CLIENT-AUTH`_. +.. note:: + I client DOVREBBERO selezionare gli algoritmi da utilizzare per la Wallet Attestation e la relativa prova di possesso sulla base dei campi di metadata dell'Authorization Server + ``client_attestation_signing_alg_values_supported`` e ``client_attestation_pop_signing_alg_values_supported`` documentati in :ref:`credential-issuer-metadata:Metadata per oauth_authorization_server`. + + Il JWT *Request Object* ha i seguenti parametri di header JOSE: .. _table_request_object_claim: diff --git a/docs/it/credential-issuer-metadata.rst b/docs/it/credential-issuer-metadata.rst index f636d8957..5babd674d 100644 --- a/docs/it/credential-issuer-metadata.rst +++ b/docs/it/credential-issuer-metadata.rst 
@@ -47,6 +47,10 @@ I Metadata *oauth_authorization_server* DEVONO contenere i seguenti parametri. - Array JSON contenente un elenco dei metodi di *client authentication* supportati. Il *token endpoint* DEVE supportare *attest_jwt_client_auth* come definito in `OAUTH-ATTESTATION-CLIENT-AUTH`_. * - **token_endpoint_auth_signing_alg_values_supported** - Array JSON contenente un elenco degli algoritmi di firma ("valori *alg*") supportati dal *token endpoint* per la firma sul JWT utilizzato per autenticare il client al *token endpoint*. Vedi :rfc:`8414#section-2`. + * - **client_attestation_signing_alg_values_supported** + - Array JSON con l’elenco dei valori JWS "alg" supportati per la Wallet Attestation (``oauth-client-attestation+jwt``). I valori DEVONO provenire dalla Sezione :ref:`algorithms:Algoritmi Crittografici` e NON DEVONO includere ``none`` né algoritmi simmetrici (MAC). + * - **client_attestation_pop_signing_alg_values_supported** + - Array JSON con l’elenco dei valori JWS "alg" supportati per la Proof-of-Possession della Wallet Attestation (``oauth-client-attestation-pop+jwt``). I valori DEVONO provenire dalla Sezione :ref:`algorithms:Algoritmi Crittografici` e NON DEVONO includere ``none`` né algoritmi simmetrici (MAC). * - **request_object_signing_alg_values_supported** - Array JSON contenente un elenco degli algoritmi di firma ("valori *alg*") supportati per i *Request Objects*. Vedi `[openid-connect-discovery-1_0] `_. * - **dpop_signing_alg_values_supported** 
@@ -54,6 +58,10 @@ I Metadata *oauth_authorization_server* DEVONO contenere i seguenti parametri. * - **jwks** - JSON Web Key Set contenente le chiavi crittografiche per '*authorization server*. Vedi `OID-FED`_ Sezione 5.2.1 e `JWK`_. +.. important:: + Se ``token_endpoint_auth_methods_supported`` include ``attest_jwt_client_auth``, l’Authorization Server DEVE includere entrambi ``client_attestation_signing_alg_values_supported`` e ``client_attestation_pop_signing_alg_values_supported`` nei propri metadati. I client DOVREBBERO recuperare e analizzare i metadati per rilevare supporto e requisiti di algoritmo per l’Attestation-Based Client Authentication e, in caso di incompatibilità, POSSONO ottenere una nuova attestation con un algoritmo supportato. + + Metadata per openid_credential_issuer ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/examples/ec-eaa.json b/examples/ec-eaa.json index 78dc8982f..e7a77cff5 100644 --- a/examples/ec-eaa.json +++ b/examples/ec-eaa.json @@ -66,6 +66,16 @@ "token_endpoint_auth_methods_supported": [ "attest_jwt_client_auth" ], + "client_attestation_signing_alg_values_supported": [ + "ES256", + "ES384", + "ES512" + ], + "client_attestation_pop_signing_alg_values_supported": [ + "ES256", + "ES384", + "ES512" + ], "token_endpoint_auth_signing_alg_values_supported": [ "ES256", "ES384",
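Review bot: in the docs/en/credential-issuance-endpoint.rst hunk, the added note says clients SHOULD select the algorithms for the Wallet Attestation, but the attestation itself is issued by the Wallet Provider, so the client only chooses the algorithm of its proof of possession; the later `.. important::` box in credential-issuer-metadata.rst already reflects this by saying the client "MAY obtain a new client attestation using a supported algorithm". Suggest rewording the note to "Clients SHOULD check the Authorization Server metadata fields ... and, for the proof of possession, select an algorithm listed in ``client_attestation_pop_signing_alg_values_supported``" so the two passages describe the same client behaviour.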
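Review bot: in the docs/en/credential-issuer-metadata.rst `@@ -45,6 +45,10 @@` hunk, the two new rows overlap with the existing ``token_endpoint_auth_signing_alg_values_supported`` row, which is still described as the algorithms "for the signature on the JWT used to authenticate the client at the Token Endpoint"; with ``attest_jwt_client_auth`` that JWT is exactly the attestation PoP, so a reader cannot tell which of the two parameters governs the PoP algorithm when they disagree. Suggest either stating that ``client_attestation_pop_signing_alg_values_supported`` takes precedence for ``attest_jwt_client_auth``, or amending the older row to say it applies to the other ``token_endpoint_auth_methods_supported`` values. Also, "(the ``oauth-client-attestation+jwt``)" reads as a fragment; spell out that this is the JWT ``typ`` value, e.g. "(JWT with ``typ`` ``oauth-client-attestation+jwt``)".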
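Review bot: in the docs/en/credential-issuer-metadata.rst `@@ -54,6 +58,11 @@` hunk, the `.. important::` box describes the fallback ("the client MAY obtain a new client attestation using a supported algorithm") but not the failure path when no supported algorithm can be obtained. Suggest adding one sentence such as "If no listed algorithm can be used, the client MUST NOT attempt authentication with an unlisted algorithm and SHOULD abort the flow", so that the metadata cannot be silently bypassed. The condition "If ``token_endpoint_auth_methods_supported`` includes ``attest_jwt_client_auth``" is also always true under this table, whose row above says the Token Endpoint MUST support ``attest_jwt_client_auth``; consider stating the two parameters as unconditionally REQUIRED, or moving the conditional wording into the row descriptions.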
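Review bot: in the docs/it/credential-issuer-metadata.rst `@@ -47,6 +47,10 @@` hunk, the two new rows are inserted after ``token_endpoint_auth_signing_alg_values_supported``, whereas the English hunk inserts them before it; keeping the row order identical in both languages makes the tables easier to diff and translate. The new rows also use the typographic apostrophe in "l’elenco" while the surrounding Italian text uses the ASCII one (for example "'*authorization server*" in the next hunk); suggest using the straight apostrophe for consistency.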
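Review bot: in the docs/it/credential-issuer-metadata.rst `@@ -54,6 +58,10 @@` hunk, the Italian `.. important::` box compresses the English version's three sentences into one and drops the separate sentence about clients fetching and parsing the metadata to "detect support"; suggest mirroring the English paragraph structure (and the same missing failure path noted for the English hunk) so the two editions carry the same normative content. The two blank lines after the directive body also differ from the single blank line used in the English file.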