Commit d4703ba

committed
fixup! error-updates
1 parent 3575297 commit d4703ba

File tree

1 file changed

+4
-2
lines changed

draft-ietf-oauth-attestation-based-client-auth.md

Lines changed: 4 additions & 2 deletions
@@ -325,10 +325,12 @@ To validate an HTTP request which contains the client attestation headers, the r
325325
2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt).
326326
3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header.
327327

328-
When validation errors are encountered the following error codes are defined for use in either Authorization Server authenticated endpoint error responses or Resource Server error responses.
328+
When validation errors specifically related to the use of client attestations are encountered the following additional error codes are defined for use in either Authorization Server authenticated endpoint error responses (as defined in Section 5.2 of {{RFC6749}}) or Resource Server error responses (as defined in Section 3 of {{RFC6750}}).
329329

330330
- `use_attestation_challenge` MUST be used when the Client Attestation PoP JWT is not using an expected server-provided challenge. When used this error code MUST be accompanied by the `OAuth-Client-Attestation-Challenge` HTTP header field parameter (as described in [](#challenge-header)).
331-
- `invalid_client_attestation` MAY be used if the attestation or its proof of possession could not be successfully verified.
331+
- `invalid_client_attestation` MAY be used in addition to the more general `invalid_client` error code as defined in {{RFC6749}} if the attestation or its proof of possession could not be successfully verified.
332+
333+
In the event of errors due to situations not described above, Authorization and Resource Servers MUST follow the guidance of {{RFC6749}} and {{RFC6750}} or their respective extensions of when to return suitable Error Responses.
332334

333335
## Client Attestation at the Token Endpoint {#token-endpoint}
334336
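Review bot: the rewritten `invalid_client_attestation` bullet ("MAY be used in addition to the more general `invalid_client` error code as defined in {{RFC6749}}") is ambiguous about what a server actually returns, because a Section 5.2 error response carries a single `error` value; state plainly whether `invalid_client_attestation` is returned instead of `invalid_client`, or whether `invalid_client` is the default and the more specific code is optional, e.g. "MAY be used instead of the more general `invalid_client` error code". Two smaller points in the same hunk: the opening paragraph now says these codes apply to Resource Server error responses (Section 3 of {{RFC6750}}) as well, but `invalid_client` is defined in {{RFC6749}} for the authorization server's endpoints, so the bullet should say which of the two response types the `invalid_client` fallback applies to; and in the new closing paragraph "the guidance of {{RFC6749}} and {{RFC6750}} or their respective extensions of when to return" reads awkwardly, suggest "guidance ... on when to return suitable Error Responses".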
