Credential Error Response Underspecified

The Credential Error Response in draft -13 OpenID4VCI points to RFC6750 saying “additional clarifications are provided for the following parameters already defined in section 3.1 of [RFC6750]:” RFC6750 defines error parameters to returned as part of the WWW-Authenticate header. The section and the next then have examples showing the Credential Error Response as JSON in the response body. Two different things - access token errors and credential issuance errors - are mixed up here and not actually defined. But implied in a contradictory way.

The access token errors and credential issuance errors need to be treated separately. And the credential issuance error response needs to actually be defined. Access token errors should be treated as just any normal OAuth protected resource would.

‌

Comments (3)