Hello,

When a DPoP proof is used in conjunction with a token (protected resource access; token refresh), what should be the order of validation of those? The draft doesn't mention this, and it's hard to deduce logically which should come first, since validation is mutual ("ath" DPoP claim vs. "cnf/jkt" token claim) and there is a sort of circular dependency. Are we going to address that in the spec, or intentionally leave it unspecified?
Background: a developer asked me if it's guaranteed that the protected resource returns a 401 in the case of an invalid access token; currently, the answer seems to be "implementation specific".

Regards,
Dmitry
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
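As an added example (not from this thread or the DPoP draft), the two cross-checks the message refers to, written in Python with only the standard library: the token's cnf.jkt against the RFC 7638 thumbprint of the key in the proof's jwk header, and the proof's ath against the base64url SHA-256 of the access token. It assumes both JWT signatures were already verified by a JOSE library, and the key coordinates, token string and claim values are constructed placeholders.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members of the key,
    lexicographically ordered, serialized as compact JSON without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    members = required[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def access_token_hash(access_token: str) -> str:
    """DPoP 'ath' value: base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def check_binding(access_token: str, token_claims: dict,
                  proof_header: dict, proof_claims: dict):
    """Cross-check an already signature-verified DPoP proof against the
    already signature-verified access token it accompanies. Returns (ok, reason)."""
    if proof_header.get("typ") != "dpop+jwt" or "jwk" not in proof_header:
        return False, "not_dpop_proof"
    jkt = token_claims.get("cnf", {}).get("jkt")
    if jkt is None:
        return False, "not_dpop_bound"          # token carries no key binding
    if jkt != jwk_thumbprint(proof_header["jwk"]):
        return False, "jkt_mismatch"            # proof signed with a different key
    if proof_claims.get("ath") != access_token_hash(access_token):
        return False, "ath_mismatch"            # proof was made for another token
    return True, "bound"


# Constructed sample data (not a real key, not a real token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "constructed.access.token"


def sample_exchange():
    """Token claims and proof as an AS and client would produce them for SAMPLE_JWK."""
    token_claims = {"sub": "user", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
    proof_header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    proof_claims = {"htm": "GET", "htu": "https://rs.example/resource",
                    "jti": "constructed-jti", "iat": 1700000000,
                    "ath": access_token_hash(SAMPLE_TOKEN)}
    return token_claims, proof_header, proof_claims
```

Each comparison reads one artifact and checks it against the other, so neither check needs the other to have passed first; the order only decides which failure gets reported.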