In the high-level overview diagram there is an example of a `Sec-Session-Registration` header returned by the server which contains both `session_identifier` and `challenge` as named parameters. However, further on, in the more detailed description of the Start Session flow, the `session_identifier` is not present in the examples for `Sec-Session-Registration` headers. I think the identifier of the session is required in the header as indicated in the overview section.
Furthermore, the proposed structure of the Registration JWT described in the Start Session section of the Explainer does not mention if and how the identifier of the session is going to be provided by the Browser to the Server. I think this is required so the Server can match the registration request sent by the Browser to the sign-in flow response. If my understanding is incorrect, please clarify that aspect of the registration flow.
This bug is fairly old (sorry for the delay!), but I think the current text should be more clear about this.
Sec-Session-Registration should not include a session_identifier. The session_identifier is returned here after registration succeeds. Servers can join the initial login attempt with the later session registration by setting a cookie on the login attempt that is sent to the registration endpoint.
Does that clear things up, or do you think the current language still needs work?
There is also an optional authorization parameter that will be sent by the client in the registration request; the server can use this to correlate them.
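One way a server could implement the correlation described in the replies above, as an added example that is not part of this thread or of the explainer. The class and function names, the five-minute lifetime and the token format are assumptions; the same value can be delivered as a login cookie or as the authorization value.

```python
import hashlib
import hmac
import secrets
import time

PENDING_TTL_SECONDS = 300  # assumed lifetime of a pending login


class RegistrationCorrelator:
    """Joins a login attempt to the later session registration request (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._key = secrets.token_bytes(32)  # per-process key used to index tokens
        self._pending = {}                   # token digest -> (user_id, expiry)
        self._clock = clock

    def _digest(self, token):
        # Keep only a keyed digest, so a dump of the table yields no usable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def begin_login(self, user_id):
        """Call when login succeeds. Returns the value to hand to the browser,
        either as a cookie sent to the registration endpoint or as the
        authorization value."""
        token = secrets.token_urlsafe(32)
        expiry = self._clock() + PENDING_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expiry)
        return token

    def complete_registration(self, token):
        """Call from the registration endpoint after the registration JWT has
        been validated (not shown). Returns (user_id, session_identifier), or
        None when the token is missing, unknown, expired or already used."""
        if not token:
            return None
        entry = self._pending.pop(self._digest(token), None)  # pop makes it single use
        if entry is None:
            return None
        user_id, expiry = entry
        if self._clock() > expiry:
            return None
        # The session identifier is minted only now, after registration succeeds.
        return user_id, secrets.token_urlsafe(16)
```

Because the pending entry is consumed on first use and expires, a replayed or stale correlation value cannot be turned into a second session.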