Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Section 4.1.2.1 Error Response is unclear on how to handle an Invalid Authorization Endpoint request #184

Open
dfcoffin opened this issue Jul 26, 2024 · 0 comments

Comments

@dfcoffin
Copy link

dfcoffin commented Jul 26, 2024

The first paragraph of Section 4.1.2.1. Error Response indicates that the authorization server SHOULD inform the resource owner if an invalid or malformed request is attempted but does not indicate how this should be done. It also states the authorization server MUST NOT automatically redirect the user-agent to the invalid redirection URI but does not indicate what to respond to the requestor other than in an example at the bottom of the section, which displayed an example of an "access_denied" response with "client.example.com" as the host value.

I have seen implementations that send the "access_denied" as a 302 response using the redirect_uri value as the host element of the "Location" header in place of client.example.com. They also want to use status code 400 for all other errors based on Section 5.2. Error Response of RFC 6749.

Should the titles of the Error Response sections include the referenced Endpoint? For example, "4.1.2.1. Authorization Error Response" and "5.2. Token Error Response"?

Should the Authorization Endpoint and the Token Endpoint use the same status code for errors (i.e., 400 with the error in the body), which would simplify Error Response and eliminate the possibility of transmitting information to the redirect_uri value?

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant