From 6fc38e9738b0bbfcc038518fe7cf8c266bc18843 Mon Sep 17 00:00:00 2001 From: Micha Kraus Date: Fri, 11 Jul 2025 10:16:07 +0200 Subject: [PATCH 1/2] do not use error response use_attestation_challenge on absent client attestation --- draft-ietf-oauth-attestation-based-client-auth.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-oauth-attestation-based-client-auth.md b/draft-ietf-oauth-attestation-based-client-auth.md index e539cd3..b2ae1c0 100644 --- a/draft-ietf-oauth-attestation-based-client-auth.md +++ b/draft-ietf-oauth-attestation-based-client-auth.md 
@@ -325,7 +325,7 @@ To validate an HTTP request which contains the client attestation headers, the r 2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt). 3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header. -An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is absent or not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used. +An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used. ## Client Attestation at the Token Endpoint {#token-endpoint} @@ -625,6 +625,8 @@ This section requests registration of the following scheme in the "Hypertext Tra --- back # Document History +-07 +* do not use error response `use_attestation_challenge` on absent client attestation -06 From d55a321f49973ef0f7aa8b7991d566f3432cd8b4 Mon Sep 17 00:00:00 2001 
From: Paul Bastian Date: Fri, 11 Jul 2025 10:29:28 +0200 Subject: [PATCH 2/2] add Micha Kraus to Acknowledgments --- draft-ietf-oauth-attestation-based-client-auth.md | 1 + 1 file changed, 1 insertion(+) diff --git a/draft-ietf-oauth-attestation-based-client-auth.md b/draft-ietf-oauth-attestation-based-client-auth.md index b2ae1c0..1389176 100644 --- a/draft-ietf-oauth-attestation-based-client-auth.md +++ b/draft-ietf-oauth-attestation-based-client-auth.md @@ -694,6 +694,7 @@ Filip Skokan, Francesco Marino, Guiseppe De Marco, Kristina Yasuda, +Micha Kraus, Michael B. Jones, Takahiko Kawasaki and
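Review bot: in the first hunk (@@ -325,7 +325,7 @@), dropping "absent" from the `use_attestation_challenge` sentence leaves the absent-attestation case without any named error code: the validation steps just above require exactly one attestation header and one PoP header, so a request with no Client Attestation fails validation, but the rewritten paragraph now only assigns codes to "not using an expected server-provided challenge" (`use_attestation_challenge`) and "present but could not be successfully verified" (`invalid_client_attestation`). Consider adding a sentence stating what a server returns when the attestation is missing, so implementers do not have to guess between the generic `invalid_client` of RFC 6749 and `invalid_client_attestation`. Minor, in the unchanged tail of the `+` line: "the attestation and proof of possession was present" should read "were present".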
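Review bot: the `-07` history entry added in the second hunk (@@ -625,6 +625,8 @@) records only what was removed ("do not use error response `use_attestation_challenge` on absent client attestation") and not what a server should do instead; once the normative text settles the absent-attestation error code, the entry should name it so readers of the change log can see the resulting behaviour rather than only the retraction. Formatting matches the existing `-06` entry, which is fine.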
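Review bot: the third hunk (@@ -694,6 +694,7 @@) inserts "Micha Kraus," in the correct alphabetical position between "Kristina Yasuda," and "Michael B. Jones," and keeps the trailing comma style of the list, so no change needed there. While in this list, the context line "Guiseppe De Marco," looks like a misspelling of "Giuseppe"; worth confirming with the contributor and fixing in a follow-up rather than in this acknowledgements-only patch.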