Sorry, please ignore 2nd question. WWW-Authenticate header isn’t needed in this case.
> On 2021/07/29 10:08, nov matake <n...@matake.jp> wrote:
>
> Hi,
>
> I have 2 questions about RFC 7523’s error cases.
>
> 1st one is about section 3.2, which requires “invalid_client” error when
> client assertion JWT is invalid.
> In such case, what scheme is expected for WWW-Authenticate header? I
> believe it’s not Basic, but not sure what is appropriate.
> https://www.rfc-editor.org/rfc/rfc7523.html#section-3.2
>
> 2nd one is about section 4.2.1, which requires “invalid_client” error when
> multiple client authentication mechanisms are used.
> RFC 6749 section 5.2 requires “invalid_request” for such case, so it seems
> those 2 definitions are conflicting.
> Do we need to return “invalid_client” if multiple authentication mechanisms
> include client assertion, and otherwise return “invalid_request”?
> https://www.rfc-editor.org/rfc/rfc7521.html#section-4.2.1
> https://www.rfc-editor.org/rfc/rfc6749#section-5.2
>
> thanks
>
> nov
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth