On Thu, Aug 12, 2021 at 05:05:03PM -0600, Brian Campbell wrote:
> Indeed but this case would be only distinguishing between which of the two
> things (token & proof) the client sent was invalid. It seems like a
> reasonable amount of information to disclose that might be helpful in
> troubleshooting while not giving actionable info to would-be attackers.
Agreed on what information is conveyed here. My thinking may be shaped from work on 2FA for Kerberos, where we go to great lengths to not reveal whether the password or second-factor code was incorrect, to avoid a "divide-and-conquer" type attack on human-selected passwords. The situation is, admittedly, different here.

-Ben

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
