Hi Dmitry, I think you are right that it's probably worthwhile to allow for a distinction in a protected resource error response. I'm inclined to say that a new error code such as "invalid_dpop_proof" to use with the 401 response containing the DPoP WWW-Authenticate header is the most straightforward way to accommodate it in the document. I'll look to add that, probably somewhere in section 7 <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html#name-protected-resource-access>, in the next draft revision.
On Thu, Aug 5, 2021 at 8:50 AM Dmitry Telegin <dmitryt= [email protected]> wrote:
> Hello,
>
> When a protected resource is accessed using DPoP proof + DPoP-bound access
> token, either of those could be invalid. Should we make a distinction between
> these two cases? I.e. should the response always be a 401 Unauthorized with
> WWW-Authenticate: DPoP ... error="invalid_token"? or could we use
> error="invalid_dpop_proof", similar to token request? or maybe even 400 Bad
> Request?
>
> Regards,
> Dmitry
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
