I have asked a question about consent flow before, but wasn’t specific enough.
- Browser ask Auth Server for Authentication
- Auth Server redirect to Consent-app
- Consent app verify the challenge by
3.1)Retrieves a public key from Auth Server
3.2)Uses the public key to verify the challenge
- User logs in and authorizes the scopes
- Consent app creates a response:
5.1)Retrieves a private key from Auth Server
5.2)Creates a response message and sign with the private key.
I would like to understand more about step 5.1. Why do we need to request a private key over http, would it be better to do
1)Consent app generate a public/private key pair
2)Consent app sign the response using the private key and send to Auth Server
3)Upon receiving the response, Auth Server send a request to consent app for public key
4)Auth Server uses the public key to verify the response is from Consent Server
I know we are in a process to refactor consent flow, so most likely I will need change my current Consent App impl. Having some insight will be very beneficial.
Thanks very much!