[Openid-specs-ab] RP Testing: "incorrect_behavior" during token exchange

William Denniss wdenniss at google.com
Sun Mar 26 20:16:16 UTC 2017

Brian pointed me in the right direction. Client was registering
with client_secret_post, but then sending basic.

I think the test OP should return HTTP 400 for this error, and use the
standard "invalid_client" OAuth error.

On Sun, Mar 26, 2017 at 3:03 PM, William Denniss <wdenniss at google.com> wrote:

> While running the *rp-response_type-code* test in AppAuth, I'm seeing the
> following error while exchanging the authorization code:
> HTTP 200
> {
>     error = "incorrect_behavior";
>     "error_description" = "Failed to verify client";
> }
> What does this error mean? It doesn't appear to be a standard error.
> Also, the testing server should return HTTP 400 for errors per the spec
> <https://tools.ietf.org/html/rfc6749#section-5.2>, not HTTP 200 for
> errors.
> Where is the source code of the tests? Can that location be linked in
> http://openid.net/certification/rp_testing/ ?
> William
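
An added illustration, not code from AppAuth or the test suite: this sketch picks the token-endpoint client authentication from the registered token_endpoint_auth_method, which avoids the register-post-but-send-basic mismatch described in the reply above, and treats an error object in the body as a failure even under HTTP 200. The registration dict, function names and sample values are constructed for the example.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode


class TokenError(Exception):
    def __init__(self, error, description, status):
        super().__init__(f"{error} (HTTP {status}): {description}")
        self.error, self.description, self.status = error, description, status


def build_token_request(registration, code, redirect_uri):
    """Return (headers, body) using the auth method the client registered."""
    # OpenID Connect Dynamic Client Registration defaults to client_secret_basic.
    method = registration.get("token_endpoint_auth_method", "client_secret_basic")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    cid, secret = registration["client_id"], registration["client_secret"]
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode each value, then Base64 "id:secret".
        pair = f"{quote_plus(cid)}:{quote_plus(secret)}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    elif method == "client_secret_post":
        params.update(client_id=cid, client_secret=secret)
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return headers, urlencode(params)


def parse_token_response(status, body_text):
    """Return the token response dict, or raise TokenError."""
    data = json.loads(body_text)
    # Check the body as well as the status: the reply quoted above carried
    # an error object under HTTP 200.
    if "error" in data or status != 200:
        raise TokenError(data.get("error", "unknown"),
                         data.get("error_description", ""), status)
    return data


# Constructed registration and response, for illustration only.
REGISTRATION = {"client_id": "example-client", "client_secret": "s3cr3t:+/",
                "token_endpoint_auth_method": "client_secret_post"}
ERROR_BODY = '{"error": "incorrect_behavior", "error_description": "Failed to verify client"}'
```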