[Openid-specs-ab] Correct authorisation error code when client isn't registered / bad client ID?

Brian Campbell bcampbell at pingidentity.com
Thu Nov 15 16:07:06 UTC 2012

I believe that in that case the text in the first paragraph of that section
tacks precedence and no code is used.

   "If the request fails due to a missing, invalid, or mismatching
   redirection URI, *or if the client identifier is missing or invalid,
   the authorization server SHOULD inform the resource owner of the
   error and MUST NOT automatically redirect the user-agent to the
   invalid redirection URI.*"

My implementation just returns a 400 directly in that situation with a
message that says, "Unknown or invalid client_id"

On Thu, Nov 15, 2012 at 2:17 AM, Vladimir Dzhuvinov / NimbusDS <
vladimir at nimbusds.com> wrote:

> Hi guys,
> Which code should be returned when the OP receives an authorisation
> request from a client ID that is invalid or hasn't been registered?
> I see two choices, according to
> http://tools.ietf.org/html/rfc6749#section-
> 1. unauthorized_client : The client is not authorized to request an
> access token using this method.
> 2. access_denied : The resource owner or authorization server denied the
> request.
> Which code is the correct one for this case?
> Thanks,
> Vladimir
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20121115/c3b88a26/attachment.html>

More information about the Openid-specs-ab mailing list