DPoP nonce in Nonce Endpoint

[vafeini]

OpenID4VCI draft 16 has introduced the following change in Nonce Endpoint:

The Credential Issuer MAY provide a DPoP nonce as an HTTP header as defined in Section 8.2 of [[RFC9449](https://openid.net/specs/openid-4- verifiable-credential-issuance-1_0-16.html#RFC9449)]). In this case, the Wallet uses the new nonce value in the DPoP proof when presenting an access token at the Credential Endpoint

• Update Nonce Endpoint to return DPoP nonce in responses

[dzarras]

Currently pid-issuer associates a DPoP-Nonce with a DPoP AccessToken. This means that DPoP-Nonce can be used only for authenticated endpoints.

To be able to support this feature, I propose the following:

• Instead of DPoP-Nonce being an opaque string, issue DPoP-Nonce as encrypted JWTs, similarly to how we issue CNonce as encrypted JWTs
• Validate DPoP-Nonce as encrypted JWTs, similarly to how we validate CNonce
• Remove DPoP AccessToken from DPoP-Nonce
• Update DPoPNonceWebFilter to always generate and return a new DPoP-Nonce whenever needed
• Update DPoPNonceWebFilter to add DPoP-Nonce header for all DPoP authenticated requests, and any unauthenticated request in an allow-list. The allow-list will be configurable and will initially include only the Nonce Endpoint.

@babisRoutis What do you think?

[babisRoutis]

Currently pid-issuer associates a DPoP-Nonce with a DPoP AccessToken. This means that DPoP-Nonce can be used only for authenticated endpoints.

To be able to support this feature, I propose the following:

* [ ]  Instead of DPoP-Nonce being an opaque string, issue DPoP-Nonce as encrypted JWTs, similarly to how we issue CNonce as encrypted JWTs[ ]  Validate DPoP-Nonce as encrypted JWTs, similarly to how we validate CNonce[ ]  Remove DPoP AccessToken from DPoP-Nonce[ ]  Update DPoPNonceWebFilter to always generate and return a new DPoP-Nonce whenever needed[ ]  Update DPoPNonceWebFilter to add DPoP-Nonce header for all DPoP authenticated requests, and any unauthenticated request in an allow-list. The allow-list will be configurable and will initially include only the Nonce Endpoint.

@babisRoutis What do you think?

Pleasing consider re-using c_nonce as DPoP Nonce.
No need to associate DPoP Nonce to AT and the c_nonce approach (generation & validation) should be enough.
I would recommend

• dropping the out ports for DPoPNonce
• Rename the CNonce ports to Nonce