From the document:

> The protected resource MUST obtain, from its TLS implementation
> layer, the client certificate used for mutual TLS and MUST verify
> that the certificate matches the certificate associated with the
> access token. If they do not match, the resource access attempt MUST
> be rejected with an error, per [RFC6750 <https://datatracker.ietf.org/doc/html/rfc6750>], using an HTTP 401 status
> code and the "invalid_token" error code.

Should the same error code be used in the case when the resource failed to obtain a certificate from the TLS layer? This could happen, for example, if the TLS stack has been misconfigured (e.g. verify-client="REQUESTED" instead of "REQUIRED" for Undertow), and the user agent provided no certificate.
Thanks, Dmitry
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
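As an added illustration of the check quoted above (example code, not from the thread or any implementation it mentions): a protected resource compares the cnf/x5t#S256 thumbprint in the access token with the SHA-256 of the DER certificate handed over by the TLS layer, and treats "no certificate obtained" as a binding failure with the same 401 invalid_token response, while recording a distinct reason so a misconfigured TLS stack is visible in logs. The certificate bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_certificate_binding(
    token_claims: dict, client_cert_der: Optional[bytes]
) -> Tuple[int, Optional[str], str]:
    """Enforce the certificate binding of an access token at the protected resource.

    client_cert_der is the certificate obtained from the TLS layer, or None when the
    stack produced none (e.g. client auth only requested, not required).
    Returns (http_status, RFC 6750 error code or None, reason for the log).
    """
    cnf = token_claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        # Assumption for this example: this resource accepts only certificate-bound tokens.
        return 401, "invalid_token", "token carries no cnf/x5t#S256 confirmation"
    if client_cert_der is None:
        # Nothing to compare against: the binding cannot be verified, so the token
        # is rejected exactly as a mismatch would be, with a distinct log reason.
        return 401, "invalid_token", "no client certificate obtained from TLS layer"
    actual = x5t_s256(client_cert_der)
    if not hmac.compare_digest(actual.encode("ascii"), expected.encode("utf-8")):
        return 401, "invalid_token", "client certificate does not match token binding"
    return 200, None, "certificate binding verified"


def www_authenticate(error_code: str) -> str:
    """RFC 6750 challenge header sent with the 401 response."""
    return f'Bearer error="{error_code}"'


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate: only their hash matters here.
    cert = b"\x30\x82\x01\x00constructed-der-bytes"
    token = {"cnf": {"x5t#S256": x5t_s256(cert)}}
    print(check_certificate_binding(token, cert))
    print(check_certificate_binding(token, None))
```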