Re: [OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate

Justin Richer <> Wed, 10 November 2021 15:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 05EDB3A0DB6; Wed, 10 Nov 2021 07:24:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.4, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2NsNjngZUESu; Wed, 10 Nov 2021 07:24:00 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D65543A0D7B; Wed, 10 Nov 2021 07:23:59 -0800 (PST)
Received: from ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 1AAFNuQa001648 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Nov 2021 10:23:57 -0500
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_08B2E38F-CE0D-444C-8D05-6FF2B66A6FE5"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Wed, 10 Nov 2021 10:23:55 -0500
In-Reply-To: <>
Cc: oauth <>
To: Dmitry Telegin <>
References: <> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 10 Nov 2021 15:24:04 -0000

This is just my interpretation, but this feels more like invalid token, because you’re not presenting all of the material required for the token itself. The DPoP draft has added “invalid_dpop_proof” as an error code, which I think is even better, but the MTLS draft is missing such an element and that is arguably a mistake in the document. The MTLS draft also re-uses “Bearer” as a token header, which is also a mistake in my opinion. 

But given the codes available, “invalid_token” seems to fit better because you aren’t messing up the request _to the resource_ itself, you’re messing up the token presentation.

 — Justin

> On Nov 10, 2021, at 10:17 AM, Dmitry Telegin <> wrote:
> Any updates on this one? The missing certificate case looks more like "invalid_request" to me:
> invalid_request
>          The request is missing a required parameter, includes an
>          unsupported parameter or parameter value, repeats the same
>          parameter, uses more than one method for including an access
>          token, or is otherwise malformed.  The resource server SHOULD
>          respond with the HTTP 400 (Bad Request) status code.
> On Fri, Sep 24, 2021 at 2:23 AM Dmitry Telegin < <>> wrote:
> From the document:
>    The protected resource MUST obtain, from its TLS implementation
>    layer, the client certificate used for mutual TLS and MUST verify
>    that the certificate matches the certificate associated with the
>    access token.  If they do not match, the resource access attempt MUST
>    be rejected with an error, per [RFC6750 <>], using an HTTP 401 status
>    code and the "invalid_token" error code.
> Should the same error code be used in the case when the resource failed to obtain a certificate from the TLS layer? This could happen, for example, if the TLS stack has been misconfigured (e.g. verify-client="REQUESTED" instead of "REQUIRED" for Undertow), and the user agent provided no certificate.
> Thanks,
> Dmitry
> _______________________________________________
> OAuth mailing list