Section 4 talks about validating JWT Access Tokens: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-4

It has a list of things the RS MUST do when validating a request made with a JWT access token. This section contains phrases like "...and reject tokens..." and "MUST be rejected if...", without clear instructions on *how* to reject this request. For these, I could infer that the RFC6750 error code "invalid_token" is the correct response, but these could benefit from being more explicit about that here.

Step 7 says: "the resource server SHOULD check the auth_time value and request re-authentication..." But there are no instructions on how the RS should respond to indicate that the client should request re-authentication. This sounds like a different response than "invalid_token" to me, but in any case, regardless of what the correct response is, Section 4 really needs a description of how to respond in these error cases.

----
Aaron Parecki
aaronparecki.com
@aaronpk

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
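As an added illustration of the gap the message describes (this is example code, not anything from the draft or its authors): a resource server that runs the Section 4 checks and, for every rejection, answers with the RFC 6750 `WWW-Authenticate: Bearer error="invalid_token"` challenge. It assumes HS256 with a constructed shared secret so it runs without extra libraries, assumes the issuer and audience values shown, and, since the draft specifies no response for the auth_time case, treats that case as `invalid_token` with a descriptive message, which is an assumption of this example.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example only; a real RS would use the AS's
# published asymmetric keys rather than a shared HS256 secret.
SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISS = "https://as.example"
EXPECTED_AUD = "https://rs.example"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, header=None):
    # Mints a constructed token so the validator below has input to check.
    header = header or {"typ": "at+jwt", "alg": "HS256"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate(token, now=None, max_auth_age=None):
    """Return (status, headers) the RS would send for a bearer token.
    Every rejection uses the RFC 6750 'invalid_token' error code."""
    now = int(time.time()) if now is None else now
    def reject(desc):
        chal = f'Bearer error="invalid_token", error_description="{desc}"'
        return 401, {"WWW-Authenticate": chal}
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # bad base64url, bad JSON, wrong segment count
        return reject("malformed token")
    if header.get("typ") != "at+jwt":
        return reject("unexpected typ")
    if header.get("alg") != "HS256":  # rejects 'none' and unexpected algs
        return reject("unsupported alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return reject("bad signature")
    if claims.get("iss") != EXPECTED_ISS:
        return reject("unknown issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        return reject("audience mismatch")
    if "exp" not in claims or claims["exp"] <= now:
        return reject("token expired")
    if max_auth_age is not None and now - claims.get("auth_time", 0) > max_auth_age:
        # Assumption: the draft gives no response for this case; reuse invalid_token.
        return reject("re-authentication required")
    return 200, {}
```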