Closed mpalmer closed 3 years ago
There are other places in RFC8555 which much more clearly indicate that status 401 and/or urn:ietf:params:acme:error:unauthorized
must be used:
Section 7.3.6:
If a server receives a POST or POST-as-GET from a deactivated account, it MUST return an error response with status code 401 (Unauthorized) and type "urn:ietf:params:acme:error:unauthorized".
Similarly, immediately adjacent to section 6.4, the return codes of other forms of invalid JWKs are also very specific:
Section 6.2:
If the client sends a JWS signed with an algorithm that the server does not support, then the server MUST return an error with status code 400 (Bad Request) and type "urn:ietf:params:acme:error:badSignatureAlgorithm".
If the server supports the signature algorithm "alg" but either does not support or chooses to reject the public key "jwk", then the server MUST return an error with status code 400 (Bad Request) and type "urn:ietf:params:acme:error:badPublicKey".
So I think it is appropriate to conclude that the RFC does not in fact require status code 401 and problem type ...:unauthorized
. As such, I think it is better to prioritize uniformity with surrounding code, and stick with the "malformed" response for all violations which are caught by our JWK integrity checker.
I've just noticed that sending a deliberately-mangled request that contains an incorrect
url
parameter in the protected header provides a very helpful error message, but not the problem type mandated by the spec:The Fine Spec says:
I assume this means that the type of the error response should be
urn:ietf:params:acme:error:unauthorized
; whether thestatus
should be401
as well I'm not quite as confident about.