Any updates on this one? The missing certificate case looks more like "invalid_request" to me:
invalid_request
> The request is missing a required parameter, includes an
> unsupported parameter or parameter value, repeats the same
> parameter, uses more than one method for including an access
> token, or is otherwise malformed. The resource server SHOULD
> respond with the HTTP 400 (Bad Request) status code.

On Fri, Sep 24, 2021 at 2:23 AM Dmitry Telegin <dmit...@backbase.com> wrote:
> From the document:
>
>> The protected resource MUST obtain, from its TLS implementation
>> layer, the client certificate used for mutual TLS and MUST verify
>> that the certificate matches the certificate associated with the
>> access token. If they do not match, the resource access attempt MUST
>> be rejected with an error, per [RFC6750
>> <https://datatracker.ietf.org/doc/html/rfc6750>], using an HTTP 401 status
>> code and the "invalid_token" error code.
>
> Should the same error code be used in the case when the resource failed to
> obtain a certificate from the TLS layer? This could happen, for example, if
> the TLS stack has been misconfigured (e.g. verify-client="REQUESTED"
> instead of "REQUIRED" for Undertow), and the user agent provided no
> certificate.
>
> Thanks,
> Dmitry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
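The check the thread is discussing, as an added example that is not part of the mailing-list exchange and not code from any OAuth implementation: a resource server takes the client certificate from its TLS layer, computes the x5t#S256 thumbprint, and compares it with the `cnf` confirmation claim of the access token (the claim form RFC 8705 defines). A mismatch yields the 401 / "invalid_token" rejection the quoted document text requires; the case where no certificate was obtained at all is kept as a separate branch whose error code is passed in as policy, since that is the open question in the thread. Everything else is assumed for illustration: the `SAMPLE_CLIENT_CERT_DER` bytes are constructed and not a real certificate, `claims` stands for an access token whose signature and expiry were already validated elsewhere, and `Decision`, `check_certificate_binding` and the policy constants are hypothetical names.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the DER bytes of a client certificate. Only the
# SHA-256 of the DER encoding matters for the x5t#S256 thumbprint, so sample
# bytes stand in for a real certificate here.
SAMPLE_CLIENT_CERT_DER = b"constructed sample DER bytes, not a real certificate"


def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256 thumbprint: base64url(SHA-256(DER)) with padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class Decision:
    status: int            # HTTP status code for the response
    error: Optional[str]   # RFC 6750 error code, or None when access is allowed
    reason: str            # human-readable explanation for logs


# The two positions taken in the thread for the "no client certificate" case.
# Which one a resource server adopts is a policy choice, so the check below
# takes it as a parameter instead of deciding.
MISSING_CERT_AS_INVALID_REQUEST = Decision(400, "invalid_request",
                                           "no client certificate presented")
MISSING_CERT_AS_INVALID_TOKEN = Decision(401, "invalid_token",
                                         "no client certificate presented")

ALLOWED = Decision(200, None, "certificate matches the token binding")


def check_certificate_binding(claims: dict, tls_client_cert_der: Optional[bytes],
                              *, missing_cert_policy: Decision) -> Decision:
    """Compare the TLS client certificate with the cnf binding in the token.

    `claims` is assumed to be the already-validated payload of the access token
    (signature and expiry checked elsewhere); `tls_client_cert_der` is the peer
    certificate the TLS layer handed over, or None if none was presented.
    """
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        # Assumed policy: this resource only accepts certificate-bound tokens.
        return Decision(401, "invalid_token", "token carries no x5t#S256 binding")
    if tls_client_cert_der is None:
        # The open question from the thread: the certificate is absent, not mismatched.
        return missing_cert_policy
    actual = x5t_s256(tls_client_cert_der)
    # Constant-time comparison of the two thumbprints.
    if not hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii")):
        return Decision(401, "invalid_token", "certificate does not match token binding")
    return ALLOWED


def www_authenticate_header(decision: Decision, realm: str = "api") -> Optional[str]:
    """RFC 6750 WWW-Authenticate challenge for a rejected request (None if allowed)."""
    if decision.error is None:
        return None
    return f'Bearer realm="{realm}", error="{decision.error}"'


if __name__ == "__main__":
    bound_token = {"sub": "client-1",
                   "cnf": {"x5t#S256": x5t_s256(SAMPLE_CLIENT_CERT_DER)}}
    for cert in (SAMPLE_CLIENT_CERT_DER, b"a different certificate", None):
        d = check_certificate_binding(bound_token, cert,
                                      missing_cert_policy=MISSING_CERT_AS_INVALID_REQUEST)
        print(d.status, www_authenticate_header(d), "-", d.reason)
```

Logging the `reason` separately from the error code sent to the client keeps the three outcomes (mismatch, absent certificate, unbound token) distinguishable in the resource server's own records even when the same error code is returned for more than one of them, which is what makes a misconfigured `verify-client` setting visible to the operator.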