Skip to content

fix using use_attestation_challenge error parameter code for missing … #132

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mickrau wants to merge 2 commits into from
Closed

fix using use_attestation_challenge error parameter code for missing … #132

mickrau wants to merge 2 commits into from

Conversation

@mickrau
Copy link

@mickrau mickrau commented Jul 11, 2025

solves #131

panva
panva reviewed Jul 12, 2025
View reviewed changes
draft-ietf-oauth-attestation-based-client-auth.md
3. The signature of the Client Attestation PoP JWT obtained from the OAuth-Client-Attestation-PoP HTTP header verifies with the Client Instance Key contained in the `cnf` claim of the Client Attestation JWT obtained from the OAuth-Client-Attestation HTTP header.

An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is absent or not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used.
An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used.
Copy link
Member

@panva panva Jul 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
An error parameter according to Section 3 of {{RFC6750}} SHOULD be included to indicate why a request was declined. If the Client Attestation is not using an expected server-provided challenge, the value `use_attestation_challenge` can be used to indicate that an attestation with a server-provided challenge was expected. If the attestation and proof of possession was present but could not be successfully verified, the value `invalid_client_attestation` is used.
When validation errors are encountered the following error codes are defined for use in either Authorization Server authenticated endpoint error responses or Resource Server error responses.
- `use_attestation_challenge` MUST be used when the Client Attestation PoP JWT is not using an expected server-provided challenge. When used this error code MUST be accompanied by the `OAuth-Client-Attestation-Challenge` HTTP header field parameter (as described in [](#challenge-header)).
- `invalid_client_attestation` MAY be used if the attestation or its proof of possession could not be successfully verified.

Copy link
Member

@panva panva Jul 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And change

## Providing Challenges on Previous Responses

to

## Providing Challenges on Previous Responses {#challenge-header}

Copy link
Member

@panva panva Jul 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am making this suggestion because a) this section is referenced from Token and PAR endpoint sections and linking 6750 error handling is invalid.

Making use_attestation_challenge a MUST use when challenge validations fail just makes sense and having to have it accompanied by OAuth-Client-Attestation-Challenge as well. I don't mind defining invalid_client_attestation but only as a MAY because on the AS authenticated endpoints the convention is already invalid_client for client authentication failures.

Copy link
Member

@panva panva Jul 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've opened #135 as an alternative to this PR with all suggestions applied.

@tplooker
Copy link
Collaborator

tplooker commented Jul 13, 2025

Thanks @mickrau, although I'm in favour of #135 here which builds on this PR and provides a little more clarity around when these errors should be returned.

@c2bo c2bo mentioned this pull request Jul 30, 2025
Merged
@c2bo
Copy link
Member

c2bo commented Aug 12, 2025

Closing since #135 was merged

@c2bo c2bo closed this Aug 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@c2bo c2bo c2bo approved these changes

@paulbastian paulbastian paulbastian approved these changes

@tplooker tplooker Awaiting requested review from tplooker tplooker is a code owner

+1 more reviewer

@panva panva panva left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mickrau @tplooker @c2bo @panva @paulbastian