What I think was meant by "rejected due to failed confirmation of the DPoP
binding in the access token" is that an access token was presented with a
valid DPoP proof but the access token was bound to a different key than the
one in the proof, so the key confirmation of the access token wasn't
successful and therefore the access token is considered invalid.
So invalid_token was used there intentionally to indicate that the access
token is considered invalid.

Filip did note that the examples are not normative so it's kinda moot but
regardless I don't believe there's an error or contradiction here.

[apologies for the very late reply here - this got lost in my inbox for a
few months]

On Sat, Mar 8, 2025 at 11:33 AM Filip Skokan <[email protected]> wrote:

> Hello Thomas,
>
> I believe Figure 16 (which is not normative) could be updated with an
> errata to use invalid_dpop_proof.
>
> Best regards,
> *Filip Skokan*
>
>
> On Sat, 8 Mar 2025 at 18:46, Thomas Broyer <[email protected]> wrote:
>
>> Hi,
>>
>> I'm looking at DPoP (RFC9449) and wondering which error code should be
>> used by a resource server when the ath or public key don't match.
>>
>> In Section 7.1, 'error' is defined with
>>
>> > Additionally, invalid_dpop_proof is used to indicate that the DPoP
>> proof itself was deemed invalid based on the criteria of Section 4.3.
>>
>> and Section 4.3's step 12 is:
>>
>> > If presented to a protected resource in conjunction with an access
>> token,
>> >  * ensure that the value of the ath claim equals the hash of that
>> access token, and
>> >  * confirm that the public key to which the access token is bound
>> matches the public key from the DPoP proof.
>>
>> This would hint that when those substeps fail, then invalid_dpop_proof
>> should be used.
>>
>> (I'm assuming that the second substep refers to Section 6 "Public Key
>> Confirmation")
>>
>> But Section 7.1 also has Figure 16 that "shows a response to a protected
>> resource request that was rejected due to the failed confirmation of the
>> DPoP binding in the access token" and uses invalid_token.
>>
>> So either I don't understand what "rejected due to failed confirmation of
>> the DPoP binding in the access token" means, or there's a contradiction
>> here (and if so, should an errata be reported?)
>>
>> --
>> Thomas Broyer
>> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>> _______________________________________________
>> OAuth mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>

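As an added illustration of the reading in the reply above (example code written for this page, not from RFC 9449 or from anyone in this thread): a resource-server check for step 12 of Section 4.3 that separates the two outcomes, answering invalid_dpop_proof when the ath claim does not hash to the presented token and invalid_token when the token's cnf.jkt does not match the RFC 7638 thumbprint of the proof key. The key coordinates and the access token are constructed placeholders, and the proof's signature, htm, htu, iat and jti checks are assumed to have passed already.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS/JWK values are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def access_token_hash(access_token: str) -> str:
    """Expected 'ath' value: base64url(SHA-256(ASCII access token)), RFC 9449 Section 4.3."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_binding(proof_claims: dict, proof_jwk: dict, access_token: str, token_cnf: dict):
    """Step 12 of Section 4.3 at the resource server (signature/htm/htu/iat/jti already checked).
    Returns None on success, otherwise the 'error' value for the WWW-Authenticate challenge."""
    if proof_claims.get("ath") != access_token_hash(access_token):
        return "invalid_dpop_proof"  # the proof itself is not valid for this token
    if token_cnf.get("jkt") != jwk_thumbprint(proof_jwk):
        return "invalid_token"  # key confirmation of the token failed, per the reading above
    return None


# Constructed sample values (not from the RFC): a bound EC key, an opaque token, and an unrelated key.
BOUND_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "some-other-x-coordinate", "y": "some-other-y-coordinate"}
ACCESS_TOKEN = "constructed.opaque.access.token"
TOKEN_CNF = {"jkt": jwk_thumbprint(BOUND_JWK)}  # what the AS put in the token's cnf claim


def demo() -> dict:
    """Run the three cases the thread discusses and return the resulting error codes."""
    good = {"ath": access_token_hash(ACCESS_TOKEN)}
    stale = {"ath": access_token_hash("a.different.token")}
    return {
        "matching proof": check_binding(good, BOUND_JWK, ACCESS_TOKEN, TOKEN_CNF),
        "ath mismatch": check_binding(stale, BOUND_JWK, ACCESS_TOKEN, TOKEN_CNF),
        "key mismatch": check_binding(good, OTHER_JWK, ACCESS_TOKEN, TOKEN_CNF),
    }
```

Calling demo() yields None for the matching proof, invalid_dpop_proof for the ath mismatch and invalid_token for the key mismatch.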