fix using use_attestation_challenge error parameter code for missing … #132
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
paulbastian
approved these changes
Jul 11, 2025
c2bo
approved these changes
Jul 11, 2025
panva
reviewed
Jul 12, 2025
| @@ -325,7 +325,7 @@ To validate an HTTP request which contains the client attestation headers, the r | |||
| 2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt). | |||
| 3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header. | |||
|
|
|||
| An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is absent or not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used. | |||
| An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used. | |||
There was a problem hiding this comment.
Suggested change
| An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used. | |
| When validation errors are encountered the following error codes are defined for use in either Authorization Server authenticated endpoint error responses or Resource Server error responses. | |
| - `use_attestation_challenge` MUST be used when the Client Attestation PoP JWT is not using an expected server-provided challenge. When used this error code MUST be accompanied by the `OAuth-Client-Attestation-Challenge` HTTP header field parameter (as described in [](#challenge-header)). | |
| - `invalid_client_attestation` MAY be used if the attestation or its proof of possession could not be successfully verified. |
There was a problem hiding this comment.
And change
## Providing Challenges on Previous Responses
to
## Providing Challenges on Previous Responses {#challenge-header}
There was a problem hiding this comment.
I am making this suggestion because a) this section is referenced from Token and PAR endpoint sections and linking 6750 error handling is invalid.
Making use_attestation_challenge a MUST use when challenge validations fail just makes sense and having to have it accompanied by OAuth-Client-Attestation-Challenge as well. I don't mind defining invalid_client_attestation but only as a MAY because on the AS authenticated endpoints the convention is already invalid_client for client authentication failures.
There was a problem hiding this comment.
I've opened #135 as an alternative to this PR with all suggestions applied.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
solves #131