Hello Thomas, I believe Figure 16 (which is not normative) could be updated with an erratum to use invalid_dpop_proof.
Best regards,
*Filip Skokan*

On Sat, 8 Mar 2025 at 18:46, Thomas Broyer <t.bro...@gmail.com> wrote:
> Hi,
>
> I'm looking at DPoP (RFC9449) and wondering which error code should be used by a resource server when the ath or public key don't match.
>
> In Section 7.1, 'error' is defined with
>
> > Additionally, invalid_dpop_proof is used to indicate that the DPoP proof itself was deemed invalid based on the criteria of Section 4.3.
>
> and Section 4.3's step 12 is:
>
> > If presented to a protected resource in conjunction with an access token,
> > * ensure that the value of the ath claim equals the hash of that access token, and
> > * confirm that the public key to which the access token is bound matches the public key from the DPoP proof.
>
> This would hint that when those substeps fail, then invalid_dpop_proof should be used.
>
> (I'm assuming that the second substep refers to Section 6 "Public Key Confirmation")
>
> But Section 7.1 also has Figure 16 that "shows a response to a protected resource request that was rejected due to the failed confirmation of the DPoP binding in the access token" and uses invalid_token.
>
> So either I don't understand what "rejected due to failed confirmation of the DPoP binding in the access token" means, or there's a contradiction here (and if so, should an erratum be reported?)
>
> --
> Thomas Broyer
> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
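Added example, not code from the thread or from RFC 9449: a resource-server check of both substeps of Section 4.3 step 12, returning invalid_dpop_proof for either failure as the reply above reads the spec. The access token, JWK coordinates and error_description wording are constructed placeholders; the ath and thumbprint computations follow RFC 9449 Section 4.2 and RFC 7638.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as used for ath and for JWK thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def access_token_hash(access_token: str) -> str:
    """ath = base64url(SHA-256(ASCII(access_token))) (RFC 9449 Section 4.2)."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_step12(proof_claims: dict, proof_jwk: dict, access_token: str, token_cnf: dict):
    """Return None when both substeps of step 12 pass, else the error code to send.

    Per the reply above, a failure of either substep is a DPoP-proof validation
    failure under Section 4.3 and is reported as invalid_dpop_proof, not invalid_token.
    """
    # Substep 1: the proof's ath claim must equal the hash of the presented token.
    expected_ath = access_token_hash(access_token)
    if not hmac.compare_digest(proof_claims.get("ath", ""), expected_ath):
        return "invalid_dpop_proof"
    # Substep 2: the key the token is bound to (cnf.jkt, Section 6) must be the
    # thumbprint of the key carried in the proof's jwk header.
    if not hmac.compare_digest(token_cnf.get("jkt", ""), jwk_thumbprint(proof_jwk)):
        return "invalid_dpop_proof"
    return None


def www_authenticate(error: str, description: str) -> str:
    """Header value for the 401 response of Section 7.1 (DPoP scheme); wording is constructed."""
    return f'DPoP error="{error}", error_description="{description}"'
```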