In startsession we deliver authorization artifact in two different ways
Opened this issue · 2 comments
alextok commented
In startsession we deliver the authorization artifact in two different ways: as an Authorization header and as part of the JWT body.
https://github.com/WICG/dbsc?tab=readme-ov-file#start-session
I think we need to have one way of doing this. I prefer the JWT body, as it is cryptographically bound to the keys.
mattjm commented
The case for keeping it in the header is if there is a use case in which the user agent would need a valid access token to access the /securesession/startsession endpoint. Is that a possibility? The proposed standard just mentions allowing "...the server to link registration with some preceding sign in flow." If that's the whole story then I agree we don't need it in the header.