Hi,
I have 2 questions about RFC 7523’s error cases.
1st one is about section 3.2, which requires “invalid_client” error when client
assertion JWT is invalid.
In such case, what scheme is expected for WWW-Authentication header? I believe
it’s not Basic, but not sure what is appropriate.
https://www.rfc-editor.org/rfc/rfc7523.html#section-3.2
2nd one is about section 4.2.1, which requires “invalid_client” error when
multiple client authentication mechanisms are used.
RFC 6749 section 5.2 requires “invalid_request” for such case, so it seems
those 2 definitions are conflicting.
Do we need to return “invalid_client” if the multiple authentication mechanisms
include a client assertion, and otherwise return “invalid_request”?
https://www.rfc-editor.org/rfc/rfc7521.html#section-4.2.1
https://www.rfc-editor.org/rfc/rfc6749#section-5.2
thanks
nov
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
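Added example, not part of the post above or of any RFC: a token-endpoint pre-check that applies the client-authentication error rules the two questions concern. The "more than one mechanism" branch deliberately follows the reading the post proposes (invalid_client when a client assertion is among them, invalid_request otherwise), which is an assumption, not a resolution of the conflict; the 401 and WWW-Authenticate handling follows RFC 6749 section 5.2, which only mandates the header, in the scheme the client used, when the client authenticated via the HTTP Authorization header. Signature and claim validation of the JWT is assumed to happen elsewhere and is passed in as `assertion_valid`.

```python
# Constructed token-endpoint client-authentication pre-check (example code).
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
REALM = "token"  # assumed realm value for WWW-Authenticate


def client_auth_mechanisms(headers: dict, form: dict) -> list:
    """Name every client-authentication mechanism present in the request."""
    found = []
    if any(k.lower() == "authorization" for k in headers):
        found.append("http_auth")            # e.g. Basic per RFC 6749 2.3.1
    if "client_secret" in form:
        found.append("client_secret_post")   # credentials in the body
    if "client_assertion" in form or "client_assertion_type" in form:
        found.append("client_assertion")     # RFC 7521 / RFC 7523
    return found


def auth_error(headers: dict, form: dict, assertion_valid: bool = False):
    """Return (status, headers, body) for an error response, or None if OK."""
    mechs = client_auth_mechanisms(headers, form)
    # Scheme the client used in the Authorization header, if any.
    scheme = next((v.split(None, 1)[0] for k, v in headers.items()
                   if k.lower() == "authorization"), None)

    def resp(code: str, desc: str):
        hdrs = {"Content-Type": "application/json", "Cache-Control": "no-store"}
        status = 400
        if code == "invalid_client":
            status = 401  # RFC 6749 5.2 allows 401 for invalid_client
            if scheme:    # ...and requires WWW-Authenticate only in that case,
                hdrs["WWW-Authenticate"] = f'{scheme} realm="{REALM}"'
        return status, hdrs, {"error": code, "error_description": desc}

    if len(mechs) > 1:
        # ASSUMPTION: the reading proposed in the post, not settled by the RFCs.
        if "client_assertion" in mechs:
            return resp("invalid_client",
                        "multiple client authentication mechanisms (RFC 7521 4.2.1)")
        return resp("invalid_request",
                    "multiple client authentication mechanisms (RFC 6749 5.2)")
    if "client_assertion" in mechs:
        if form.get("client_assertion_type") != JWT_BEARER or not assertion_valid:
            # No Authorization header was used, so no WWW-Authenticate is mandated.
            return resp("invalid_client", "client assertion rejected (RFC 7523 3.2)")
    return None
```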