[Openid-specs-fapi] Issue #719: Error codes for HTTP Message Signatures-related errors (openid/fapi)

Takahiko Kawasaki issues-reply at bitbucket.org
Mon Sep 30 23:52:50 UTC 2024


New issue 719: Error codes for HTTP Message Signatures-related errors
https://bitbucket.org/openid/fapi/issues/719/error-codes-for-http-message-signatures

Takahiko Kawasaki:

It may be worth considering defining new error codes for HTTP message signature verification errors.

[RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html) has defined `invalid_dpop_proof` and `use_dpop_nonce` error codes for DPoP-related errors. Similarly, OAuth-aware applications using HTTP Message Signatures may want dedicated error codes for HTTP Message Signatures-related errors. For example, `invalid_http_message_signature`.

Without such dedicated error codes, the userinfo endpoint implementation I’m working on will eventually return `invalid_request`, as there doesn’t seem to be any more appropriate error code among the currently available ones.


