
Conversation

@josephdecock
Member

When the mtls middleware fails to validate the incoming client
certificate, or if no certificate is presented, it now returns an HTTP
400 response, and includes the standardized json error:
```
{
  "error": "invalid_client",
  "error_description": "mTLS authentication failed"
}
```

This conforms to RFC 8705:
> If no certificate is presented, or that which is presented doesn't
> match that which is expected for the given client_id, the
> authorization server returns a normal OAuth 2.0 error response per
> Section 5.2 of [RFC6749] with the invalid_client error code to
> indicate failed client authentication.

This commit also adds unit test coverage to the mTLS middleware.
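An added illustration of the behaviour described above, written here for the page and not taken from Duende IdentityServer or from this PR: a small ASP.NET Core middleware that rejects a request with an RFC 8705 / RFC 6749 section 5.2 `invalid_client` error (HTTP 400, JSON body) when no client certificate was presented or when the presented certificate fails validation. The class name `MtlsErrorMiddleware`, the `ValidateAgainstPinnedCa` helper and the hypothetical `TrustedClientCa` certificate are assumptions; the project's real middleware and certificate rules are not shown on this page.

```csharp
// Added example, not Duende IdentityServer code.
// Assumes Kestrel is configured to negotiate client certificates
// (ClientCertificateMode.AllowCertificate) so HttpContext.Connection.ClientCertificate
// is populated when the TLS client presented one and null otherwise.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public sealed class MtlsErrorMiddleware
{
    private readonly RequestDelegate _next;
    private readonly Func<X509Certificate2, bool> _validate;

    public MtlsErrorMiddleware(RequestDelegate next, Func<X509Certificate2, bool> validate)
    {
        _next = next;
        _validate = validate;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var cert = context.Connection.ClientCertificate;

        // Both failure modes from RFC 8705 collapse to the same client-facing error:
        // no certificate at all, or a certificate that does not pass validation.
        if (cert is null || !_validate(cert))
        {
            await WriteInvalidClientAsync(context.Response);
            return;
        }

        await _next(context);
    }

    // RFC 6749 section 5.2 error response: HTTP 400, JSON body, error code
    // "invalid_client". Token-endpoint responses are conventionally marked
    // non-cacheable so intermediaries never replay them.
    internal static Task WriteInvalidClientAsync(HttpResponse response)
    {
        response.StatusCode = StatusCodes.Status400BadRequest;
        response.ContentType = "application/json";
        response.Headers["Cache-Control"] = "no-store";
        response.Headers["Pragma"] = "no-cache";

        var body = JsonSerializer.Serialize(new
        {
            error = "invalid_client",
            error_description = "mTLS authentication failed"
        });
        return response.WriteAsync(body);
    }
}

public static class MtlsValidation
{
    // Hypothetical validator: accepts only certificates that chain to a single
    // pinned issuing CA (TrustedClientCa) and are not yet expired or revoked
    // according to the CRL/OCSP data available to the host. A real deployment
    // would additionally tie the certificate to the client_id being authenticated.
    public static bool ValidateAgainstPinnedCa(X509Certificate2 clientCert, X509Certificate2 trustedClientCa)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedClientCa);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        return chain.Build(clientCert);
    }
}

public static class MtlsErrorMiddlewareExtensions
{
    // Usage (assumed host code): app.UseMtlsErrors(TrustedClientCa);
    public static IApplicationBuilder UseMtlsErrors(this IApplicationBuilder app, X509Certificate2 trustedClientCa)
    {
        Func<X509Certificate2, bool> validate =
            cert => MtlsValidation.ValidateAgainstPinnedCa(cert, trustedClientCa);
        return app.UseMiddleware<MtlsErrorMiddleware>(validate);
    }
}
```

The point a practitioner should take from the RFC text quoted in the PR is that the two cases are deliberately indistinguishable to the caller: a missing certificate and a wrong certificate both produce the same `invalid_client` body, so a probing client learns nothing about which certificates the server would have accepted. Keep the `error_description` generic for the same reason.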
@josephdecock josephdecock requested a review from bhazen as a code owner June 27, 2025 13:27
@josephdecock josephdecock added this to the is-7.3.0 milestone Jun 27, 2025
@josephdecock josephdecock added the area/products/identity-server Related to Identity Server label Jun 27, 2025
@josephdecock josephdecock self-assigned this Jun 27, 2025
@josephdecock josephdecock merged commit 93cdf64 into main Jun 27, 2025
17 of 18 checks passed
@josephdecock josephdecock deleted the jmdc/mtls-error-messages branch June 27, 2025 16:36