It's not immediately obvious to me that making the distinction is good (but I'm also basically devoid of the context in which this exchange will occur).
With security protocols there can be risks from overly descriptive errors, which might (e.g.) leak information that "this is a valid token" vs "this is a bogus token" that an attacker who came upon something token-shaped might not otherwise be able to ascertain.

-Ben

On Mon, Aug 09, 2021 at 03:58:22PM -0600, Brian Campbell wrote:
> Hi Dmitry,
>
> I think you are right that it's probably worthwhile to allow for a distinction in a protected resource error response. I'm inclined to say that a new error code such as "invalid_dpop_proof" to use with the 401 response containing the DPoP WWW-Authenticate header is the most straightforward way to accommodate it in the document. I'll look to add that, probably somewhere in section 7 <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html#name-protected-resource-access>, in the next draft revision.
>
> On Thu, Aug 5, 2021 at 8:50 AM Dmitry Telegin <dmitryt=40backbase....@dmarc.ietf.org> wrote:
>
> > Hello,
> >
> > When a protected resource is accessed using DPoP proof + DPoP-bound access token, either of those could be invalid. Should we make a distinction between these two cases? I.e. should the response always be a 401 Unauthorized with WWW-Authenticate: DPoP ... error="invalid_token"? or could we use error="invalid_dpop_proof", similar to token request? or maybe even 400 Bad Request?
> >
> > Regards,
> > Dmitry
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
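A worked illustration of the choice being discussed, added here and not part of the thread or the DPoP draft: a resource-server decision in Python that checks the DPoP proof's htm/htu/iat fields and the token's cnf.jkt binding (RFC 7638 thumbprint), then emits the 401 challenge either with the proposed invalid_dpop_proof code or collapsed to invalid_token, which is the behaviour Ben's concern about overly descriptive errors points toward. Proof-signature verification and jti replay tracking are assumed to happen elsewhere; the key coordinates, claims and URL are constructed sample data.

```python
import base64
import hashlib
import json

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwk_thumbprint(jwk):
    # RFC 7638: required EC members only, lexicographic order, no whitespace, SHA-256
    members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())

def proof_problem(header, claims, method, url, now, max_age=60):
    # Returns the first DPoP proof field that does not fit this request, or None.
    # Verifying the proof JWT's signature is assumed to have been done already.
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        return "header"
    if claims.get("htm") != method:
        return "htm"
    if claims.get("htu") != url:
        return "htu"
    if abs(now - claims.get("iat", 0)) > max_age:
        return "iat"
    return None

def bound_to(token_claims, header):
    # DPoP binding: the token's cnf.jkt must equal the thumbprint of the proof's key.
    jkt = token_claims.get("cnf", {}).get("jkt")
    return jkt is not None and jkt == jwk_thumbprint(header["jwk"])

def handle(token_valid, token_claims, header, claims, method, url, now, distinguish=True):
    # Returns the WWW-Authenticate value for a 401, or None when the request may proceed.
    # distinguish=False hides whether the presented token itself was genuine.
    if not token_valid:
        return 'DPoP error="invalid_token"'
    if proof_problem(header, claims, method, url, now) is not None:
        return 'DPoP error="invalid_dpop_proof"' if distinguish else 'DPoP error="invalid_token"'
    if not bound_to(token_claims, header):
        return 'DPoP error="invalid_token"'
    return None

# Constructed sample data: not real key material and not a real deployment
X, Y = b64url(bytes(range(32))), b64url(bytes(range(32, 64)))
CLIENT_KEY = {"kty": "EC", "crv": "P-256", "x": X, "y": Y}
OTHER_KEY = {"kty": "EC", "crv": "P-256", "x": Y, "y": X}
TOKEN_CLAIMS = {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(CLIENT_KEY)}}
PROOF_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": CLIENT_KEY}
PROOF_CLAIMS = {"jti": "c1", "htm": "GET", "htu": "https://rs.example/resource", "iat": 1628000000}
```

With distinguish=True, a caller holding a token-shaped string and sending a deliberately malformed proof learns from invalid_dpop_proof that the token itself passed validation; with distinguish=False every failure reads as invalid_token.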