Thanks for the reply. That makes sense.

Given that MTLS is not a draft but rather a proposed standard (RFC 8705),
do you think there is a chance the changes you proposed could land in MTLS
one day?

On Wed, Nov 10, 2021 at 6:24 PM Justin Richer <[email protected]> wrote:

> This is just my interpretation, but this feels more like invalid token,
> because you’re not presenting all of the material required for the token
> itself. The DPoP draft has added “invalid_dpop_proof” as an error code,
> which I think is even better, but the MTLS draft is missing such an element
> and that is arguably a mistake in the document. The MTLS draft also re-uses
> “Bearer” as a token header, which is also a mistake in my opinion.
>
> But given the codes available, “invalid_token” seems to fit better because
> you aren’t messing up the request _to the resource_ itself, you’re messing
> up the token presentation.
>
>  — Justin
>
> On Nov 10, 2021, at 10:17 AM, Dmitry Telegin <
> [email protected]> wrote:
>
> Any updates on this one? The missing certificate case looks more like
> "invalid_request" to me:
>
> invalid_request
>>          The request is missing a required parameter, includes an
>>          unsupported parameter or parameter value, repeats the same
>>          parameter, uses more than one method for including an access
>>          token, or is otherwise malformed.  The resource server SHOULD
>>          respond with the HTTP 400 (Bad Request) status code.
>>
>>
> On Fri, Sep 24, 2021 at 2:23 AM Dmitry Telegin <[email protected]>
> wrote:
>
>> From the document:
>>
>>    The protected resource MUST obtain, from its TLS implementation
>>>    layer, the client certificate used for mutual TLS and MUST verify
>>>    that the certificate matches the certificate associated with the
>>>    access token.  If they do not match, the resource access attempt MUST
>>>    be rejected with an error, per [RFC6750 
>>> <https://datatracker.ietf.org/doc/html/rfc6750>], using an HTTP 401 status
>>>    code and the "invalid_token" error code.
>>>
>>>
>> Should the same error code be used in the case when the resource failed
>> to obtain a certificate from the TLS layer? This could happen, for example,
>> if the TLS stack has been misconfigured (e.g. verify-client="REQUESTED"
>> instead of "REQUIRED" for Undertow), and the user agent provided no
>> certificate.
>>
>> Thanks,
>> Dmitry
>>
>> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to