Hi, I'm looking at DPoP (RFC9449) and wondering which error code should be used by a resource server when the ath or public key don't match.
In Section 7.1, 'error' is defined with

> Additionally, invalid_dpop_proof is used to indicate that the DPoP proof itself was deemed invalid based on the criteria of Section 4.3.

and Section 4.3's step 12 is:

> If presented to a protected resource in conjunction with an access token,
> * ensure that the value of the ath claim equals the hash of that access token, and
> * confirm that the public key to which the access token is bound matches the public key from the DPoP proof.

This would hint that when those substeps fail, then invalid_dpop_proof should be used. (I'm assuming that the second substep refers to Section 6 "Public Key Confirmation".)

But Section 7.1 also has Figure 16 that "shows a response to a protected resource request that was rejected due to the failed confirmation of the DPoP binding in the access token" and uses invalid_token.

So either I don't understand what "rejected due to failed confirmation of the DPoP binding in the access token" means, or there's a contradiction here (and if so, should an erratum be reported?)

--
Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
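The two sub-checks of Section 4.3 step 12 that the question turns on, as an added example (not code from the thread or from any DPoP implementation): computing the `ath` value per Section 4.2, computing the RFC 7638 thumbprint that a token's `cnf.jkt` carries (Section 6), and comparing both against what the DPoP proof presents. The earlier steps of 4.3 (signature, `typ`, `htm`, `htu`, `iat`, `jti`) are assumed to have already passed and are out of scope. Because the thread has not settled which error code applies, the code string is a parameter that defaults to `invalid_dpop_proof`; that default is an assumption of this example, not a ruling on the question. The sample key coordinates and token value are constructed placeholders.

```python
import base64
import hashlib
import json

# Added example (not from the thread): the two sub-checks of RFC 9449 section 4.3
# step 12 that a resource server performs once the proof's signature, typ, htm,
# htu, iat and jti have already been validated (those steps are out of scope here).
# The error string is a parameter so the choice can follow whatever reading of
# section 7.1 the list settles on; the default is an assumption of this example.


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout the JOSE/DPoP specs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_ath(access_token: str) -> str:
    """RFC 9449 section 4.2: ath = base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


# Required members per key type for an RFC 7638 thumbprint.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, lexically ordered, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_token_binding(access_token, token_cnf, proof_jwk, proof_claims,
                        error_code="invalid_dpop_proof"):
    """Step 12 of section 4.3. Returns None on success or (error, error_description)."""
    # Sub-step 1: ath must equal the hash of the access token actually presented.
    if proof_claims.get("ath") != compute_ath(access_token):
        return (error_code, "ath claim does not match the presented access token")
    # Sub-step 2 (section 6): the token's cnf.jkt is the thumbprint of the key it is
    # bound to, and must equal the thumbprint of the key in the proof's jwk header.
    if token_cnf.get("jkt") != jwk_thumbprint(proof_jwk):
        return (error_code, "DPoP proof key does not match the key the access token is bound to")
    return None


def www_authenticate(failure):
    """Challenge header value in the shape of the section 7.1 figures."""
    error, description = failure
    return f'DPoP error="{error}", error_description="{description}", algs="ES256"'


# Constructed sample data: the EC coordinates are placeholders, not a real key.
PROOF_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
ACCESS_TOKEN = "constructed.access.token"
TOKEN_CNF = {"jkt": jwk_thumbprint(PROOF_JWK)}  # what the AS would put in the token's cnf claim
GOOD_PROOF_CLAIMS = {"htm": "GET", "htu": "https://rs.example/resource", "ath": compute_ath(ACCESS_TOKEN)}

if __name__ == "__main__":
    print(check_token_binding(ACCESS_TOKEN, TOKEN_CNF, PROOF_JWK, GOOD_PROOF_CLAIMS))
    bad = dict(GOOD_PROOF_CLAIMS, ath=compute_ath("some.other.token"))
    print(www_authenticate(check_token_binding(ACCESS_TOKEN, TOKEN_CNF, PROOF_JWK, bad)))
```

Both sub-steps compare against material the resource server derives itself (the hash of the token it received, the thumbprint it computes from the proof's `jwk`), so a proof replayed against a different token, or signed with a key other than the one the token is bound to, fails here regardless of which error string the server finally chooses to emit.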
OAuth mailing list -- oauth@ietf.org