Any updates on this one? As of -04 we have a clear distinction between "error=invalid_token" and "error=invalid_dpop_proof", so the question could be reworded like this:

- if DPoP proof is used in combination with access token, and both are invalid, which one of the "invalid_token" and "invalid_dpop_proof" should be signaled?
Regards,
Dmitry
Backbase

On Fri, Jul 30, 2021 at 6:37 PM Dmitry Telegin <dmit...@backbase.com> wrote:
> Hello,
>
> When DPoP proof is used in conjunction with a token (protected resource access; token refresh), what should be the order of validation of those? The draft doesn't mention this, and it's hard to deduce logically which should come first, since validation is mutual ("ath" DPoP claim vs. "cnf/jkt" token claim) and there is a sort of circular dependency. Are we going to address that in the spec, or intentionally leave it unspecified?
>
> Background: a developer asked me if it's guaranteed that the protected resource returns a 401 in the case of an invalid access token; currently, the answer seems to be "implementation specific".
>
> Regards,
> Dmitry
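An added example (not from this thread or the DPoP draft) of how a resource server can evaluate the two cross-bindings the question refers to, "ath" computed over the access token and "cnf"/"jkt" computed over the key in the proof header, and decide which error to signal. The ordering in classify(), each artifact's own checks first and the bindings second, is an assumed design choice and not the draft's answer; JWS signature verification is assumed to be done by the caller, and the sample key and tokens are constructed.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jws_parts(compact: str):
    """Split a compact JWS into (header, payload) dicts; signature checking is the caller's job."""
    dec = lambda s: json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    header, payload, _signature = compact.split(".")
    return dec(header), dec(payload)

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())

def access_token_hash(token: str) -> str:
    """The 'ath' value: base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(token.encode("ascii")).digest())

def classify(access_token: str, dpop_proof: str, token_sig_ok: bool, proof_sig_ok: bool):
    """Return None if the pair is acceptable, else the error code to signal. Ordering is an assumed
    design choice (not from the draft): each artifact's own validity first, then the cross-bindings."""
    if not token_sig_ok:           # token's own signature/expiry/issuer checks failed
        return "invalid_token"
    if not proof_sig_ok:           # proof's own signature/htm/htu/iat checks failed
        return "invalid_dpop_proof"
    _, token_claims = jws_parts(access_token)
    proof_header, proof_claims = jws_parts(dpop_proof)
    if proof_header.get("typ") != "dpop+jwt" or "jwk" not in proof_header:
        return "invalid_dpop_proof"
    # Cross-binding 1: the proof must carry the hash of the token it accompanies.
    if proof_claims.get("ath") != access_token_hash(access_token):
        return "invalid_dpop_proof"
    # Cross-binding 2: the token must be bound (cnf.jkt) to the key that signed the proof.
    if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(proof_header["jwk"]):
        return "invalid_token"
    return None

def make_jws(header: dict, payload: dict) -> str:
    """Constructed sample JWS: the signature segment is a placeholder, not a real signature."""
    enc = lambda d: b64url(json.dumps(d, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{b64url(b'placeholder-signature')}"

# Constructed sample data: the EC coordinates are placeholders, not a real key.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
ACCESS_TOKEN = make_jws({"alg": "ES256", "typ": "at+jwt"}, {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}})
DPOP_PROOF = make_jws({"alg": "ES256", "typ": "dpop+jwt", "jwk": CLIENT_JWK},
                      {"htm": "GET", "htu": "https://rs.example/resource", "ath": access_token_hash(ACCESS_TOKEN)})
```

With this ordering, the "both invalid" case from the question yields invalid_token, and a proof bound to a different key than the token's cnf.jkt is reported as a token problem rather than a proof problem.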
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth