Hello,

When a protected resource is accessed using a DPoP proof + DPoP-bound access token, either of those could be invalid. Should we make a distinction between these two cases? I.e., should the response always be a 401 Unauthorized with WWW-Authenticate: DPoP ... error="invalid_token"? Or could we use error="invalid_dpop_proof", similar to the token request? Or maybe even 400 Bad Request?

Regards,
Dmitry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth