Closed
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
According to Section 5.2 of RFC 6749, Keycloak needs to return "invalid_request" or "invalid_grant" from the Token Endpoint when the request has no DPoP proof.
However, the current Keycloak returns "invalid_dpop_proof".
Version
26.0.5
Regression
- The issue is a regression
Expected behavior
A client that is required to send DPoP Proof sends a token request or token refresh request without DPoP Proof.
We expect Keycloak to return the error "invalid_request".
Actual behavior
Keycloak returns the error "invalid_dpop_proof".
How to Reproduce?
A client that is required to send DPoP Proof sends a token request or token refresh request without DPoP Proof.
Anything else?
This issue needs to be resolved to pass the latest version of the FAPI 2.0 specification.
keycloak/kc-sig-fapi#649
keycloak/kc-sig-fapi#655
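The distinction the report turns on is between a DPoP proof that is absent and one that is present but unusable. The following is an added example, not Keycloak code and not from the reporter: a small Python model of a token endpoint for a client registered with dpop_bound_access_tokens set to true. A missing DPoP header produces the generic RFC 6749 Section 5.2 error the report expects (invalid_request); a header that is present but fails the RFC 9449 Section 4.3 checks produces invalid_dpop_proof. Client registration, token URL, timestamps and the sample proof are constructed for the example, and signature verification is deliberately left out (a real server must verify the JWS against the embedded jwk).

```python
import base64
import json
from typing import Optional

# Constructed sample data (not from Keycloak): a client that must use DPoP,
# a token endpoint URL and a fixed "current time" for reproducible checks.
CLIENT = {"client_id": "fapi-client", "dpop_bound_access_tokens": True}
TOKEN_URL = "https://keycloak.example/realms/fapi/protocol/openid-connect/token"
NOW = 1_700_000_000


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_error(error: str, description: str) -> dict:
    # Shape of an RFC 6749 Section 5.2 error response body (HTTP 400).
    return {"status": 400, "error": error, "error_description": description}


def check_dpop_proof(proof: str, htm: str, htu: str, now: int) -> Optional[str]:
    """Structural checks from RFC 9449 Section 4.3. Returns None when the proof
    passes, otherwise a reason string. Assumption: signature verification
    against the 'jwk' header happens elsewhere and is omitted here."""
    parts = proof.split(".")
    if len(parts) != 3:
        return "proof is not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return "proof header or payload is not valid base64url JSON"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "proof header and payload must be JSON objects"
    if header.get("typ") != "dpop+jwt":
        return "typ must be dpop+jwt"
    alg = str(header.get("alg", ""))
    if alg == "none" or alg.startswith("HS"):
        return "alg must be an asymmetric signature algorithm"
    if "jwk" not in header:
        return "jwk header missing"
    for claim in ("jti", "htm", "htu", "iat"):
        if claim not in claims:
            return f"{claim} claim missing"
    if claims["htm"] != htm or claims["htu"] != htu:
        return "htm/htu do not match the token request"
    if not isinstance(claims["iat"], int) or abs(now - claims["iat"]) > 300:
        return "iat missing or outside the acceptable window"
    return None


def token_endpoint(headers: dict, client: dict, htu: str, now: int) -> dict:
    """Model of the error-code selection at the token endpoint."""
    dpop = headers.get("DPoP")
    if client["dpop_bound_access_tokens"] and dpop is None:
        # No proof at all: there is nothing DPoP-specific to judge, so the
        # generic RFC 6749 code the report expects, not invalid_dpop_proof.
        return token_error("invalid_request", "DPoP proof is required for this client")
    if dpop is not None:
        reason = check_dpop_proof(dpop, "POST", htu, now)
        if reason:
            # Proof present but broken: the RFC 9449 Section 5 error code.
            return token_error("invalid_dpop_proof", reason)
    return {"status": 200, "token_type": "DPoP", "access_token": "<bound-token>"}


def make_proof(htu: str, now: int, typ: str = "dpop+jwt") -> str:
    """Constructed DPoP proof for the example. The JWK coordinates and the
    signature segment are placeholders because this model does not verify
    signatures; a real client signs with the private half of 'jwk'."""
    header = {"typ": typ, "alg": "ES256",
              "jwk": {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}}
    claims = {"jti": "e1j3V_bKic8-LAEB", "htm": "POST", "htu": htu, "iat": now}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


if __name__ == "__main__":
    print(token_endpoint({}, CLIENT, TOKEN_URL, NOW))
    print(token_endpoint({"DPoP": make_proof(TOKEN_URL, NOW, typ="JWT")}, CLIENT, TOKEN_URL, NOW))
    print(token_endpoint({"DPoP": make_proof(TOKEN_URL, NOW)}, CLIENT, TOKEN_URL, NOW))
```

Run against a real deployment the same three requests (no DPoP header, a header with the wrong typ, a well-formed proof) are what a conformance check compares error codes on; the first case is the one this issue says Keycloak 26.0.5 answers with invalid_dpop_proof instead of invalid_request.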