Why send JWTs two different ways?
The current explainer says that when a session is being established, the JWT which contains the signed challenge is sent as the POST body data to the /path+"/startsession" endpoint. When the session is being refreshed, however, despite there being a separate URL /path+"/refresh" used, the JWT signing the challenge is depicted as being sent in a header, Sec-Session-Response.
It seems odd to have two different approaches for sending the JWT. Why not use either POST body, or a header, in both use cases?
This came up, more or less, in #47 FWIW.
Fixed to always use Sec-Session-Response as a header.