From 357529737b60199de8917ac9f10650fd9ad0bf97 Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Sat, 12 Jul 2025 21:15:55 +0200 Subject: [PATCH 1/2] error-updates --- draft-ietf-oauth-attestation-based-client-auth.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/draft-ietf-oauth-attestation-based-client-auth.md b/draft-ietf-oauth-attestation-based-client-auth.md index e539cd3..7abdab4 100644 --- a/draft-ietf-oauth-attestation-based-client-auth.md +++ b/draft-ietf-oauth-attestation-based-client-auth.md @@ -317,7 +317,7 @@ token68 = 1*( ALPHA / DIGIT / "-" / "." / It is RECOMMENDED that the authorization server validate the Client Attestation JWT prior to validating the Client Attestation PoP. -## Validating HTTP requests feature client attestations {#checking-http-requests-with-client-attestations} +## Validating HTTP requests featuring client attestations {#checking-http-requests-with-client-attestations} To validate an HTTP request which contains the client attestation headers, the receiving server MUST ensure the following with regard to a received HTTP request: 
@@ -325,7 +325,10 @@ To validate an HTTP request which contains the client attestation headers, the r 2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt). 3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header. -An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is absent or not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used. +When validation errors are encountered the following error codes are defined for use in either Authorization Server authenticated endpoint error responses or Resource Server error responses. + +- `use_attestation_challenge` MUST be used when the Client Attestation PoP JWT is not using an expected server-provided challenge. When used this error code MUST be accompanied by the `OAuth-Client-Attestation-Challenge` HTTP header field parameter (as described in [](#challenge-header)). +- `invalid_client_attestation` MAY be used if the attestation or its proof of possession could not be successfully verified. ## Client Attestation at the Token Endpoint {#token-endpoint} 
@@ -472,7 +475,7 @@ Content-Type: application/json } ~~~ -## Providing Challenges on Previous Responses +## Providing Challenges on Previous Responses {#challenge-header} The Authorization Server MAY provide a fresh Challenge with any HTTP response using a HTTP header-based syntax. The HTTP header field parameter MUST be named "OAuth-Client-Attestation-Challenge" and contain the value of the Challenge. The Client MUST use this new Challenge for the next OAuth-Client-Attestation-PoP. From d4703ba9ffcd804c42ba70fca585e6ac724c8180 Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Mon, 14 Jul 2025 07:59:08 +0200 Subject: [PATCH 2/2] fixup! error-updates --- draft-ietf-oauth-attestation-based-client-auth.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/draft-ietf-oauth-attestation-based-client-auth.md b/draft-ietf-oauth-attestation-based-client-auth.md index 7abdab4..f8bbcda 100644 --- a/draft-ietf-oauth-attestation-based-client-auth.md +++ b/draft-ietf-oauth-attestation-based-client-auth.md 
@@ -325,10 +325,12 @@ To validate an HTTP request which contains the client attestation headers, the r 2. There is precisely one OAuth-Client-Attestation-PoP HTTP request header field, where its value is a single well-formed JWT conforming to the syntax outlined in [](#client-attestation-pop-jwt). 3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header. -When validation errors are encountered the following error codes are defined for use in either Authorization Server authenticated endpoint error responses or Resource Server error responses. +When validation errors specifically related to the use of client attestations are encountered the following additional error codes are defined for use in either Authorization Server authenticated endpoint error responses (as defined in Section 5.2 of {{RFC6749}}) or Resource Server error responses (as defined in Section 3 of {{RFC6750}}). - `use_attestation_challenge` MUST be used when the Client Attestation PoP JWT is not using an expected server-provided challenge. When used this error code MUST be accompanied by the `OAuth-Client-Attestation-Challenge` HTTP header field parameter (as described in [](#challenge-header)). -- `invalid_client_attestation` MAY be used if the attestation or its proof of possession could not be successfully verified. +- `invalid_client_attestation` MAY be used in addition to the more general `invalid_client` error code as defined in {{RFC6749}} if the attestation or its proof of possession could not be successfully verified. + +In the event of errors due to situations not described above, Authorization and Resource Servers MUST follow the guidance of {{RFC6749}} and {{RFC6750}} or their respective extensions of when to return suitable Error Responses. 
## Client Attestation at the Token Endpoint {#token-endpoint}
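Review bot: in the `@@ -325,7 +325,10 @@` hunk of PATCH 1/2, the new `use_attestation_challenge` bullet narrows the trigger compared with the sentence it removes. The removed text applied the code "If the Client Attestation is absent or not using an expected server-provided challenge"; the replacement only says "when the Client Attestation PoP JWT is not using an expected server-provided challenge". A PoP that carries no challenge at all (a client's first request, before any `OAuth-Client-Attestation-Challenge` has been issued) is the case where the server most wants to hand out a challenge, and a request with no attestation headers at all now has no attestation-specific code. Suggest wording the bullet as "when the Client Attestation PoP JWT is absent, or does not contain or does not use the expected server-provided challenge", or explicitly stating that the missing-header case falls under the generic `invalid_client` guidance in the closing paragraph.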
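Review bot: the `@@ -325,7 +325,10 @@` hunk makes `use_attestation_challenge` valid in "Resource Server error responses" and says it "MUST be accompanied by the `OAuth-Client-Attestation-Challenge` HTTP header field parameter (as described in [](#challenge-header))", but the section that the `@@ -472,7 +475,7 @@` hunk anchors as `{#challenge-header}` only says "The Authorization Server MAY provide a fresh Challenge with any HTTP response"; Resource Servers are not mentioned there, so a Resource Server returning this code has no normative text telling it how to issue the challenge. Either extend the challenge-header section to cover Resource Servers, or restrict `use_attestation_challenge` to Authorization Server responses. Style point for both hunks: `OAuth-Client-Attestation-Challenge` is an HTTP header field, not a "header field parameter"; suggest "HTTP header field" in the bullet and in the challenge-header section.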
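Review bot: in the `@@ -325,10 +325,12 @@` hunk of PATCH 2/2, "`invalid_client_attestation` MAY be used in addition to the more general `invalid_client` error code" does not work as written, because both Section 5.2 of RFC 6749 and Section 3 of RFC 6750 carry a single `error` value per response, so a server cannot return both codes at once. Suggest "MAY be used instead of the more general `invalid_client` error code". Also, `invalid_client` is a token endpoint code from RFC 6749 Section 5.2; RFC 6750 Section 3 does not define it, so the sentence has no fallback for the Resource Server responses this same hunk just cited "(as defined in Section 3 of {{RFC6750}})". Consider naming the RFC 6750 code a Resource Server falls back to, or scoping the `invalid_client` fallback to Authorization Server responses. Minor: in the closing paragraph, "their respective extensions of when to return" should read "their respective extensions on when to return".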