Re: [OAUTH-WG] draft-ietf-oauth-mtls-03: resource server error code

Brian Campbell <bcampbell@pingidentity.com> Wed, 23 August 2017 11:21 UTC

In-Reply-To: <ae66fedc-6ddb-572f-6c08-1c99fd1d75ba@connect2id.com>
References: <ae66fedc-6ddb-572f-6c08-1c99fd1d75ba@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 23 Aug 2017 05:20:27 -0600
Message-ID: <CA+k3eCS5E0=R4N83T_XM+V1s8snAZxn-VOh-Lsi0qStgZVRrWg@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: IETF oauth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VzLQEyqq0e18kdZLBTLnozBxxok>

"invalid_token" according to the last paragraph of
https://tools.ietf.org/html/draft-ietf-oauth-mtls-03#section-3 which says
that the RS, 'MUST verify that the certificate matches the certificate
associated with the access token.  If they do not match, the resource
access attempt MUST be rejected with an error per [RFC6750] using an HTTP
401 status code and the "invalid_token" error code.'
On Sun, Aug 13, 2017 at 9:00 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> Hello,
>
> Implementing mTLS on the RS side raised the following question:
>
> What error code should the RS return if the x5t#S256 bound to the access
> token doesn't match the hash of the submitted client certificate?
>
> Here are the error codes already defined in "bearer token usage":
>
> https://tools.ietf.org/html/rfc6750#section-3.1
>
> Thanks,
> Vladimir

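The resource-server check the reply points to, written out as an added Python example. This is not code from the draft, from this thread, or from either participant's implementation. It assumes the access token has already been signature-checked and decoded into a claims dict carrying the cnf/x5t#S256 confirmation member from section 3.1 of draft-ietf-oauth-mtls-03, that the server framework hands over the client certificate from the TLS layer as raw DER bytes, and that a token with no binding at all is rejected unless the deployment opts out (a policy choice, not something the draft dictates). The certificate bytes are constructed placeholders, not real certificates; the thumbprint is taken over the DER encoding, so nothing here needs to parse one.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed placeholder "DER" bytes standing in for real client certificates.
# The check only ever hashes the encoding, so it never parses them.
BOUND_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-A"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-B"


def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256: base64url (no padding) of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bearer_challenge(error: Optional[str] = None,
                     description: Optional[str] = None,
                     realm: str = "api") -> str:
    """Build an RFC 6750 section 3 WWW-Authenticate header value."""
    params = [f'realm="{realm}"']
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(params)


def check_certificate_bound_token(claims: dict,
                                  presented_cert_der: Optional[bytes],
                                  require_binding: bool = True) -> Tuple[int, dict]:
    """Return (HTTP status, extra response headers) for the mTLS binding check.

    `claims` is the already-verified payload of the access token; signature,
    issuer, audience and expiry checks are assumed to have happened before this.
    """
    expected = (claims.get("cnf") or {}).get("x5t#S256")

    if expected is None:
        # Token carries no certificate binding.  Accepting it as a plain bearer
        # token is deployment policy; this example (an assumption) rejects by default.
        if require_binding:
            return 401, {"WWW-Authenticate": bearer_challenge(
                "invalid_token", "access token is not certificate-bound")}
        return 200, {}

    if presented_cert_der is None:
        # The TLS layer negotiated no client certificate: nothing to match against.
        return 401, {"WWW-Authenticate": bearer_challenge(
            "invalid_token", "client certificate required")}

    if x5t_s256(presented_cert_der) != expected:
        # Draft section 3: a mismatch MUST be rejected with 401 and "invalid_token".
        return 401, {"WWW-Authenticate": bearer_challenge(
            "invalid_token", "certificate does not match the access token")}

    return 200, {}


def sample_claims() -> dict:
    """Constructed access-token claims bound to BOUND_CERT_DER."""
    return {
        "iss": "https://as.example",
        "sub": "client-123",
        "aud": "https://rs.example",
        "cnf": {"x5t#S256": x5t_s256(BOUND_CERT_DER)},
    }


if __name__ == "__main__":
    for label, cert in (("matching cert", BOUND_CERT_DER),
                        ("other cert", OTHER_CERT_DER),
                        ("no cert", None)):
        status, headers = check_certificate_bound_token(sample_claims(), cert)
        print(f"{label:14} -> {status} {headers.get('WWW-Authenticate', '')}")
```

Only the mismatch branch is what the draft text mandates; the "no client certificate" and "token not bound" branches are where the thread's question actually bites in practice, and both collapse onto the same 401 / invalid_token response so the client learns nothing beyond "this token does not work on this connection".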