Commit 3575297

error-updates
1 parent b89ad41 commit 3575297

1 file changed

+6
-3
lines changed

draft-ietf-oauth-attestation-based-client-auth.md

Lines changed: 6 additions & 3 deletions
@@ -317,15 +317,18 @@ token68 = 1*( ALPHA / DIGIT / "-" / "." /
317317

318318
It is RECOMMENDED that the authorization server validate the Client Attestation JWT prior to validating the Client Attestation PoP.
319319

320-
## Validating HTTP requests feature client attestations {#checking-http-requests-with-client-attestations}
320+
## Validating HTTP requests featuring client attestations {#checking-http-requests-with-client-attestations}
321321

322322
To validate an HTTP request which contains the client attestation headers, the receiving server MUST ensure the following with regard to a received HTTP request:
323323

324324
1. There is precisely one OAuth-Client-Attestation HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-jwt).
325325
2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt).
326326
3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header.
327327

328-
An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is absent or not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used.
328+
When validation errors are encountered the following error codes are defined for use in either Authorization Server authenticated endpoint error responses or Resource Server error responses.
329+
330+
- `use_attestation_challenge` MUST be used when the Client Attestation PoP JWT is not using an expected server-provided challenge. When used this error code MUST be accompanied by the `OAuth-Client-Attestation-Challenge` HTTP header field parameter (as described in [](#challenge-header)).
331+
- `invalid_client_attestation` MAY be used if the attestation or its proof of possession could not be successfully verified.
329332

330333
## Client Attestation at the Token Endpoint {#token-endpoint}
331334

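Review bot: the rewritten paragraph at 328+ to 331+ silently drops the case the removed 328- line covered, where the Client Attestation is absent altogether. `use_attestation_challenge` now applies only when the PoP JWT "is not using an expected server-provided challenge", and `invalid_client_attestation` only when the attestation or PoP was present but failed verification, so a request that simply omits one of the two headers (failing items 1 or 2 of the list above) has no defined error code. Suggest restoring the wider wording, e.g. "MUST be used when the Client Attestation is absent or the Client Attestation PoP JWT is not using an expected server-provided challenge", or adding a bullet for the missing-header case. Two smaller points: the removed line's pointer to "an error parameter according to Section 3 of {{RFC6750}}" was the only text saying how the error code is conveyed, so carry that reference into the new intro sentence; and the `invalid_client_attestation` bullet weakens the old "is used" to "MAY be used" while the sibling bullet is a MUST, which leaves clients unable to rely on the code, so SHOULD would fit the intro's "the following error codes are defined" better. Also "When validation errors are encountered the following ..." needs a comma after "encountered".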
@@ -472,7 +475,7 @@ Content-Type: application/json
472475
}
473476
~~~
474477

475-
## Providing Challenges on Previous Responses
478+
## Providing Challenges on Previous Responses {#challenge-header}
476479

477480
The Authorization Server MAY provide a fresh Challenge with any HTTP response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "OAuth-Client-Attestation-Challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP.
478481

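Review bot: the new `{#challenge-header}` anchor at 478+ is referenced from the first hunk for both "Authorization Server authenticated endpoint error responses or Resource Server error responses", yet the paragraph it points at only says "The Authorization Server MAY provide a fresh Challenge", so a Resource Server that is now required to accompany `use_attestation_challenge` with this header has no normative text permitting or describing that. Suggest "The Authorization Server or Resource Server MAY provide a fresh Challenge with any HTTP response ..." here. Also "a HTTP response" should read "an HTTP response", and "HTTP header field parameter" should be "HTTP header field", since OAuth-Client-Attestation-Challenge is a field name rather than a parameter of one.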