Indeed but this case would be only distinguishing between which of the two
things (token & proof) the client sent was invalid. It seems like a
reasonable amount of information to disclose that might be helpful in
troubleshooting while not giving actionable info to would-be attackers.

On Thu, Aug 12, 2021 at 4:33 PM Benjamin Kaduk <ka...@mit.edu> wrote:

> It's not immediately obvious to me that making the distinction is good (but
> I'm also basically devoid of the context in which this exchange will
> occur).
>
> With security protocols there can be risks from overly descriptive errors,
> which might (e.g.) leak information that "this is a valid token" vs "this
> is a bogus token" that an attacker who came upon something token-shaped
> might not otherwise be able to ascertain.
>
> -Ben
>
> On Mon, Aug 09, 2021 at 03:58:22PM -0600, Brian Campbell wrote:
> > Hi Dmitry,
> >
> > I think you are right that it's probably worthwhile to allow for a
> > distinction in a protected resource error response. I'm inclined to say
> > that a new error code such as "invalid_dpop_proof" to use with the 401
> > response containing the DPoP WWW-Authenticate header is the most
> > straightforward way to accommodate it in the document. I'll look to add
> > that, probably somewhere in section 7
> > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html#name-protected-resource-access>,
> > in the next draft revision.
> >
> >
> > On Thu, Aug 5, 2021 at 8:50 AM Dmitry Telegin <dmitryt=
> > 40backbase....@dmarc.ietf.org> wrote:
> >
> > > Hello,
> > >
> > > When a protected resource is accessed using DPoP proof + DPoP-bound access
> > > token, either of those could be invalid. Should we make a distinction between
> > > these two cases? I.e. should the response always be a 401 Unauthorized with
> > > WWW-Authenticate: DPoP ... error="invalid_token"? or could we use
> > > error="invalid_dpop_proof", similar to token request? or maybe even 400 Bad
> > > Request?
> > >
> > > Regards,
> > > Dmitry
> > >
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > >
> >
>
>
>

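A resource server's decision logic for the two error codes debated in this thread (invalid_dpop_proof for a bad proof, invalid_token for a bad or unbound access token), added here as an illustration; it is not code from the thread, the DPoP draft or any implementation. It assumes the proof and access-token JWS signatures were already verified by a JWT library, and the IAT_SKEW policy and the reporting of a key-binding mismatch as invalid_token are choices made for this example; the JWK coordinates and token claims are constructed sample values.

```python
import base64
import hashlib
import json

IAT_SKEW = 300  # assumed policy: max seconds between proof iat and server time


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an EC or RSA public JWK (base64url, unpadded)."""
    names = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in names}, separators=(",", ":"), sort_keys=True)
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()


def challenge(error):
    """401 challenge for the protected resource: (status, WWW-Authenticate value)."""
    return 401, 'DPoP algs="ES256", error="%s"' % error


def check_dpop_request(proof_hdr, proof_claims, token_claims, method, uri, seen_jti, now):
    """Return None if access may proceed, else the 401 challenge to send.

    proof_hdr/proof_claims: DPoP proof JWT header and payload, assumed already
    signature-verified against proof_hdr["jwk"]. token_claims: the bound access
    token's payload, assumed verified against the AS key (None if no token sent).
    Proof checks run first, so an invalid_dpop_proof answer reveals nothing about the token.
    """
    jwk = (proof_hdr or {}).get("jwk")
    if not jwk or proof_hdr.get("typ") != "dpop+jwt" or not proof_claims:
        return challenge("invalid_dpop_proof")
    if proof_claims.get("htm") != method or proof_claims.get("htu") != uri:
        return challenge("invalid_dpop_proof")
    if abs(now - proof_claims.get("iat", 0)) > IAT_SKEW:
        return challenge("invalid_dpop_proof")
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:  # missing or replayed proof
        return challenge("invalid_dpop_proof")
    seen_jti.add(jti)
    if not token_claims or token_claims.get("exp", 0) <= now:
        return challenge("invalid_token")
    # Binding: cnf.jkt must equal the thumbprint of the proof's key. Reporting a
    # mismatch as invalid_token (token not bound to this key) is this example's choice.
    if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
        return challenge("invalid_token")
    return None


# Constructed sample values, not real credentials.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_HDR = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
SAMPLE_TOKEN = {"sub": "alice", "exp": 1_700_000_000, "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
```

The returned header value goes out as `WWW-Authenticate` on the 401; the error_description the thread mentions can be appended, but it should stay generic so the response only tells the client which of the two artifacts to fix.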
