Hi John,

On 09/07/2020 12:45 PM, John Mattsson wrote:
> > The mechanism is not presented as an error message when the client in good
> > faith tries to access a resource. It is presented as something C does
> > intentionally to discover the AS. In the description in the draft, C is
> > clearly aware that the request is unauthorized.

Yes, the request and response are unauthorized. The client must ascertain that the AS is authorized to provide access tokens and access information to the client. Accordingly, section 6.5 states that "the client MUST be able to determine whether an AS has the authority to issue access tokens for a certain RS."

The information that is provided by the RS helps C to find the respective AS. If an attacker changed that information, C would still not communicate with an unauthorized AS.

Best regards
Steffi

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
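The check Steffi describes, as an added example that is not code from the ACE draft or from anyone on the thread: the client keeps an out-of-band provisioned list of which AS is authorized for which RS, and the AS Request Creation Hints returned in the RS's unauthorized response can only select an entry from that list, never add one. The hint is assumed to be already decoded from CBOR into a dict keyed by the integer labels of the draft's mapping table (AS=1, kid=2, audience=5, scope=9, cnonce=39); the host names, URIs, scope value and the `ClientConfig`/`select_as` names are illustrative.

```python
"""Client-side selection of the AS named in an RS's unauthorized response.

Added example, not code from the ACE draft or the mailing-list thread.
Assumes the hint has already been decoded from CBOR into a dict whose keys
are the integer labels of the AS Request Creation Hints map (AS=1, kid=2,
audience=5, scope=9, cnonce=39, taken to follow the draft's mapping table),
and that the client's trust configuration was provisioned out of band.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

AS, KID, AUDIENCE, SCOPE, CNONCE = 1, 2, 5, 9, 39


class UntrustedAS(Exception):
    """The hint points the client at an AS it must not talk to."""


@dataclass(frozen=True)
class ClientConfig:
    # rs_id -> AS URIs the client knows are authorized to issue tokens for
    # that RS. Nothing in a hint can add to this set; a hint can only pick
    # one of its entries, which is what makes a tampered hint harmless.
    trusted_as: Dict[str, FrozenSet[str]]


def select_as(cfg: ClientConfig, rs_id: str, hint: dict) -> str:
    """Return the AS URI to contact for rs_id, or raise UntrustedAS.

    rs_id is the identity the client used to reach the RS (here its host
    name); if the hint names an audience, it must be that same RS.
    """
    as_uri = hint.get(AS)
    if not isinstance(as_uri, str) or not as_uri:
        raise UntrustedAS("hint carries no usable AS URI")
    # An audience that names some other RS would steer the client into
    # requesting a token for a resource it never tried to access.
    audience = hint.get(AUDIENCE, rs_id)
    if audience != rs_id:
        raise UntrustedAS(f"hint audience {audience!r} is not {rs_id!r}")
    # The decisive check from section 6.5: the AS must be one the client
    # already knows is authorized for this RS.
    if as_uri not in cfg.trusted_as.get(rs_id, frozenset()):
        raise UntrustedAS(f"{as_uri} is not an authorized AS for {rs_id}")
    return as_uri


def try_select_as(cfg: ClientConfig, rs_id: str, hint: dict) -> Optional[str]:
    """Same as select_as but returns None instead of raising."""
    try:
        return select_as(cfg, rs_id, hint)
    except UntrustedAS:
        return None


# Constructed sample data: one RS and the single AS the client trusts for it.
CONFIG = ClientConfig(trusted_as={
    "rs.example.com": frozenset({"coaps://as.example.com/token"}),
})

# Hint as the honest RS would send it (after CBOR decoding); constructed.
HONEST_HINT = {
    AS: "coaps://as.example.com/token",
    AUDIENCE: "rs.example.com",
    SCOPE: "rTempC",
    CNONCE: b"\x01\x02\x03\x04",
}

# The same hint with the AS URI swapped by an on-path attacker.
TAMPERED_HINT = {**HONEST_HINT, AS: "coaps://evil.example.net/token"}

# A hint that keeps the real AS but points the audience at another RS.
WRONG_AUDIENCE_HINT = {**HONEST_HINT, AUDIENCE: "other-rs.example.com"}


if __name__ == "__main__":
    cases = [("honest", HONEST_HINT), ("tampered AS", TAMPERED_HINT),
             ("wrong audience", WRONG_AUDIENCE_HINT)]
    for name, hint in cases:
        print(f"{name:15s} -> {try_select_as(CONFIG, 'rs.example.com', hint)}")
```

Running it shows the honest hint resolving to the configured AS URI while both manipulated hints are rejected: because the hint is unprotected, the client treats it purely as a lookup key into trust it already holds, which is exactly why an attacker changing the AS field cannot make C talk to an unauthorized AS.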