WICG/dbsc

In startsession we deliver authorization artifact in two different ways

Opened this issue · 2 comments

In startsession we deliver the authorization artifact in two different ways: as an Authorization header and as part of the JWT body.

https://github.com/WICG/dbsc?tab=readme-ov-file#start-session

I think we need to have one way of doing this. I prefer the JWT body, as it is crypto-bound to the keys.

The case for keeping it in the header is if there is a use case in which the user agent would need a valid access token to access the /securesession/startsession endpoint. Is that a possibility? The proposed standard just mentions allowing "...the server to link registration with some preceding sign in flow." If that's the whole story then I agree we don't need it in the header.

I removed it from the header here:
cffa9fb

Keeping this issue open in case there is a case for keeping it in the header like @mattjm mentions. I think it would be best for the server to expect it in the JWT as it is signed by the key.
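As an added example (not code from the DBSC repository or from anyone in this thread), the following Go sketch shows the server-side behaviour the comments above argue for: the authorization artifact is taken from the JWT body only after the ES256 signature over that body has been verified against the device public key the body carries, so the artifact is bound to the key in a way a bare Authorization header is not. The endpoint URL, the `key` and `authorization` claim names, and the raw `r||s` ES256 signature layout are assumptions made for this example, not values taken from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Assumed for this example: the endpoint URL and the "key"/"authorization" claim names.
const startSessionURL = "https://auth.example.com/securesession/startsession"

type registrationClaims struct {
	Aud           string            `json:"aud"`
	Key           map[string]string `json:"key"` // device public key as a P-256 JWK
	Authorization string            `json:"authorization"`
}

var enc = base64.RawURLEncoding

func coord(i *big.Int) string { return enc.EncodeToString(i.FillBytes(make([]byte, 32))) }

func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildRegistrationJWT (user-agent side): the artifact sits in the signed payload.
func BuildRegistrationJWT(priv *ecdsa.PrivateKey, authz string) (string, error) {
	key := map[string]string{"kty": "EC", "crv": "P-256", "x": coord(priv.PublicKey.X), "y": coord(priv.PublicKey.Y)}
	body, _ := json.Marshal(registrationClaims{Aud: startSessionURL, Key: key, Authorization: authz}) // plain strings, cannot fail
	signingInput := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 uses raw r||s
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyRegistrationJWT (server side) releases the authorization claim only after the
// header, signature and audience checks pass; nothing outside the signed body is trusted.
func VerifyRegistrationJWT(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	hb, errH := enc.DecodeString(parts[0])
	pb, errP := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil || len(sig) != 64 {
		return "", errors.New("malformed JWT segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var claims registrationClaims
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &claims) != nil {
		return "", errors.New("malformed JWT JSON")
	}
	if hdr.Alg != "ES256" || claims.Key["kty"] != "EC" || claims.Key["crv"] != "P-256" {
		return "", errors.New("unsupported alg or key") // pins ES256: no alg=none, no key-type confusion
	}
	xb, errX := enc.DecodeString(claims.Key["x"])
	yb, errY := enc.DecodeString(claims.Key["y"])
	if errX != nil || errY != nil {
		return "", errors.New("malformed JWK")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not match the embedded device key")
	}
	if claims.Aud != startSessionURL || claims.Authorization == "" {
		return "", errors.New("wrong audience or missing authorization claim")
	}
	return claims.Authorization, nil
}

// TamperAuthorization changes the claim without the device key (the exposure an unsigned header has).
func TamperAuthorization(token, newAuthz string) string {
	parts := strings.Split(token, ".")
	var claims registrationClaims
	pb, _ := enc.DecodeString(parts[1])
	_ = json.Unmarshal(pb, &claims)
	claims.Authorization = newAuthz
	nb, _ := json.Marshal(claims)
	return parts[0] + "." + enc.EncodeToString(nb) + "." + parts[2]
}

func main() {
	priv, _ := NewDeviceKey()
	tok, _ := BuildRegistrationJWT(priv, "authz-from-sign-in")
	fmt.Println(VerifyRegistrationJWT(tok))
	fmt.Println(VerifyRegistrationJWT(TamperAuthorization(tok, "attacker-chosen")))
}
```

The second call in `main` illustrates the thread's point: a claim edited without the private key no longer matches the signature, whereas a header value carries no such proof of possession, so the server would have to trust it on the strength of the transport alone. A real endpoint would also have to check the key against the session it goes on to create and guard against replay of the registration JWT, which this sketch leaves out.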