add implementation consideration for Authorization Server Metadata

paulbastian · paulbastian · commit 6ed063163dd3 · 2025-09-03T15:56:31.000+02:00
diff --git a/draft-ietf-oauth-attestation-based-client-auth.md b/draft-ietf-oauth-attestation-based-client-auth.md
@@ -576,6 +576,14 @@ In any case the Authorization Server SHOULD ensure the freshness of the Client A
 
 The approach using a challenge explicitly provided by the Authorization Server gives stronger replay attack detection guarantees, however support by the Authorization Server is OPTIONAL to simplify mandatory implementation requirements. The `jti` value is mandatory and hence acts as a default fallback.
 
+# Implementation Consideration
+
+## Authorization Server Metadata
+
+The Authorization Server SHOULD communicate support and requirement for authentication with Attestation-Based Client Authentication by using the value `attest_jwt_client_auth` in the `token_endpoint_auth_methods_supported` within its published metadata.
+
+The Authorization Server SHOULD communicate supported algorithms for client attestations by using `client_attestation_alg_values_supported` and `client_attestation_pop_alg_values_supported` within its published metadata. This enables the client to validate that its client attestation is understood by the Authorization Server prior to authentication. The client MAY try to get a new client attestation with different algorithms.
+
 # Appendix A IANA Considerations
 
 ## OAuth Parameters Registration
@@ -595,12 +603,26 @@ This specification requests registration of the following values in the IANA "OA
 * Usage Location: token error response, resource access error response
 * Protocol Extension: OAuth 2.0 Attestation-Based Client Authentication
 * Change Controller: IETF
-* Reference: this specification
+* Reference: [](#checking-http-requests-with-client-attestations) of this specification
 
 * Name: invalid_client_attestation
 * Usage Location: token error response, resource access error response
 * Protocol Extension: OAuth 2.0 Attestation-Based Client Authentication
 * Change Controller: IETF
+* Reference: [](#checking-http-requests-with-client-attestations) of this specification
+
+## OAuth Authorization Server Metadata Registration
+
+This specification requests registration of the following values in the IANA "OAuth Authorization Server Metadata" registry of {{IANA.OAuth.Params}} established by [RFC8414].
+
+* Metadata Name: client_attestation_alg_values_supported
+* Metadata Description: JSON array containing a list of algorithms supported by the authorization server for client attestation signing
+* Change Controller: IETF
+* Reference: [](#checking-http-requests-with-client-attestations) of this specification
+
+* Metadata Name: client_attestation_pop_alg_values_supported
+* Metadata Description: JSON array containing a list of algorithms supported by the authorization server for client attestation proof of possession signing
+* Change Controller: IETF
 * Reference: this specification
 
 ## Registration of attest_jwt_client_auth Token Endpoint Authentication Method
@@ -637,6 +659,8 @@ This section requests registration of the following scheme in the "Hypertext Tra
 
 * require `iat` in Client Attestation PoP JWT
 * clarify `use_attestation_challenge` and add `invalid_client_attestation`
+* add `client_attestation_alg_values_supported` and `client_attestation_pop_alg_values_supported` to IANA registration
+* add implementation consideration for Authorization Server Metadata
 
 -06
 
