On 28/08/17 18:53, Brian Campbell wrote:
> "invalid_client" is the appropriate error, if the client is
> configured/registered for MTLS authentication, because it's effectively
> failed client authentication.
>
> I would say that "invalid_request" is probably the appropriate error for a
> public cl
+1
Sent from Astro for Android
On 2017-08-29 at 4:33 AM, Torsten wrote:
+1 for removing tls_client_auth_root
On 28.08.2017 at 20:24, John Bradley wrote:
Having discussed it with Brian, I agree that removing “tls_client_auth_root” is the way to go.
It would be hard to implement in some cases, and
+1 for removing tls_client_auth_root
> On 28.08.2017 at 20:24, John Bradley wrote:
>
> Having discussed it with Brian, I agree that removing “tls_client_auth_root”
> is the way to go.
> It would be hard to implement in some cases, and it is up to the AS to
> configure the roots it trusts fo
Having discussed it with Brian, I agree that removing “tls_client_auth_root” is
the way to go.
It would be hard to implement in some cases, and it is up to the AS to
configure the roots it trusts for client authentication.
In reality every TLS client auth deployment is likely to have custom ru
Some feedback was received recently off-list that pointed out difficulties
with implementation around the "tls_client_auth_root_dn" constraint in the
PKI method of OAuth MTLS client authentication from
draft-ietf-oauth-mtls-03. Basically the feedback was that popular web
servers such as Nginx and A
"invalid_client" is the appropriate error, if the client is
configured/registered for MTLS authentication, because it's effectively
failed client authentication.
I would say that "invalid_request" is probably the appropriate error for a
public client with mutual_tls_sender_constrained_access_token