
fix(verification/api): Return URL-safe nonce in challenge response sessions#428

Open
cowbon wants to merge 2 commits into veraison:main from cowbon:urlsafe

Conversation


@cowbon cowbon commented Jun 29, 2026

Collaborator

ratsd uses a URL-safe base64 encoded nonce instead of standard base64. See veraison/ratsd#37. Align the implementation so the nonce can be used directly from the /challenge-response/v1/newSession response body.

Signed-off-by: Ian Chin Wang <ian.chin.wang@oracle.com>
@cowbon cowbon changed the title Return URL-safe nonce in challenge sessions fix(api): Return URL-safe nonce in challenge sessions Jun 29, 2026
@cowbon cowbon changed the title fix(api): Return URL-safe nonce in challenge sessions fix(verification/api): Return URL-safe nonce in challenge response sessions Jun 29, 2026
Comment thread integration-tests/utils/generators.py

@yogeshbdeshpande yogeshbdeshpande left a comment

Collaborator


please have a look!

Signed-off-by: Ian Chin Wang <ian.chin.wang@oracle.com>
Collaborator

@cowbon: I am not clear about this change, can we have a meeting today to understand the change?

As far as I understand, the Verifier does two things.

  1. If it receives Nonce Bytes from the RP, it checks if it is URL-safe to encode and then uses it inside the Session
  2. If the Verifier receives a nonce Size, then it checks for Size validity and uses it to mint a URL-safe Nonce value???

@cowbon

cowbon commented Jun 30, 2026

Collaborator Author

@cowbon: I am not clear about this change, can we have a meeting today to understand the change?

As far as I understand, the Verifier does two things.

  1. If it receives Nonce Bytes from the RP, it checks if it is URL-safe to encode and then uses it inside the Session
  2. If the Verifier receives a nonce Size, then it checks for Size validity and uses it to mint a URL-safe Nonce value???

Hi Yogesh, thanks for the info about the verifier design. However, /newSession issues the standard nonce, and the burden to convert the standard nonce to a URL-safe nonce is on the attester. If a URL-safe nonce is preferred over the standard one, why can't the verifier issue a URL-safe nonce to avoid the additional step?

@cowbon cowbon requested a review from setrofim June 30, 2026 15:34
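As an added illustration of the two verifier behaviours discussed in this thread (accept a caller-supplied nonce only if it is URL-safe base64, or mint a fresh URL-safe nonce of a requested size), plus the alphabet conversion the PR wants to take off the attester, here is a small Python model. It is example code written for this page, not Veraison's or ratsd's implementation; the function names and the 8..64-byte size bounds are assumptions.

```python
import base64
import binascii
import re
import secrets

# Assumed size bounds for a challenge nonce (not Veraison's actual limits).
MIN_NONCE_BYTES = 8
MAX_NONCE_BYTES = 64

# URL-safe alphabet (RFC 4648 section 5): '-' and '_' instead of '+' and '/'.
_URLSAFE_RE = re.compile(r"[A-Za-z0-9_-]*={0,2}")


def decode_urlsafe_nonce(encoded: str) -> bytes:
    """Accept a caller-supplied nonce only if it is URL-safe base64.

    Rejects the standard alphabet ('+', '/') up front instead of silently
    discarding the characters, which base64.urlsafe_b64decode would do.
    Unpadded input is accepted by restoring the padding.
    """
    if not _URLSAFE_RE.fullmatch(encoded):
        raise ValueError("nonce is not URL-safe base64")
    padded = encoded + "=" * (-len(encoded) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except binascii.Error as exc:
        raise ValueError(f"malformed base64 nonce: {exc}") from exc
    if not MIN_NONCE_BYTES <= len(raw) <= MAX_NONCE_BYTES:
        raise ValueError(f"nonce size {len(raw)} outside allowed range")
    return raw


def is_urlsafe_nonce(encoded: str) -> bool:
    """Boolean form of the check above, for callers that do not want exceptions."""
    try:
        decode_urlsafe_nonce(encoded)
    except ValueError:
        return False
    return True


def mint_urlsafe_nonce(size: int) -> str:
    """Mint a random nonce of `size` bytes, already URL-safe encoded."""
    if not MIN_NONCE_BYTES <= size <= MAX_NONCE_BYTES:
        raise ValueError(f"nonce size {size} outside allowed range")
    return base64.urlsafe_b64encode(secrets.token_bytes(size)).decode("ascii")


def std_to_urlsafe(encoded: str) -> str:
    """The conversion step the attester must do today if /newSession stays standard."""
    return encoded.replace("+", "-").replace("/", "_")
```

Constructed sample: the 12-byte value `b"\xfb\xff\xbf" * 4` encodes as `+/+/+/+/+/+/+/+/` in the standard alphabet and `-_-_-_-_-_-_-_-_` in the URL-safe one, which is exactly the case the two alphabets disagree on.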