[Openid-specs-ab] RP Testing: "incorrect_behavior" during token exchange

William Denniss wdenniss at google.com
Sun Mar 26 20:16:16 UTC 2017


Brian pointed me in the right direction. Client was registering
with client_secret_post, but then sending basic.

I think the test OP should return HTTP 400 for this error, and use the
standard "invalid_client" OAuth error
<https://tools.ietf.org/html/rfc6749#section-5.2>.


On Sun, Mar 26, 2017 at 3:03 PM, William Denniss <wdenniss at google.com>
wrote:

> While running the *rp-response_type-code* test in AppAuth, I'm seeing the
> following error while exchanging the authorization code:
>
> HTTP 200
> {
>     error = "incorrect_behavior";
>     "error_description" = "Failed to verify client";
> }
>
> What does this error mean? It doesn't appear to be a standard error.
>
> Also, the testing server should return HTTP 400 for errors per the spec
> <https://tools.ietf.org/html/rfc6749#section-5.2>, not HTTP 200 for
> errors.
>
> Where is the source code of the tests? Can that location be linked in
> http://openid.net/certification/rp_testing/ ?
>
> William
>
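Added example, not part of the original message and not the test suite's own code: a sketch of the client authentication check a token endpoint could run, rejecting a client that registered client_secret_post but sends HTTP Basic with the standard "invalid_client" error instead of HTTP 200. It goes slightly beyond the thread by also applying the RFC 6749 section 5.2 rule that a client which used the Authorization header gets 401 with WWW-Authenticate, and the section 2.3 rule against using two methods at once. The names CLIENTS and authenticate_client, the plain-dict request shape, and the sample client are assumptions.

```python
import base64
import hmac
from urllib.parse import unquote_plus

# Constructed registration record: client id and secret are sample values.
CLIENTS = {"rp-1": {"client_secret": "s3cr3t-sample",
                    "token_endpoint_auth_method": "client_secret_post"}}

def authenticate_client(headers, form, clients=CLIENTS):
    """Return (status, response_headers, body); status 200 means authenticated."""
    auth = headers.get("Authorization", "")
    used_basic = auth.lower().startswith("basic ")
    used_post = "client_secret" in form
    if used_basic and used_post:
        # RFC 6749 section 2.3: only one authentication method per request.
        return 400, {}, {"error": "invalid_request",
                         "error_description": "multiple client authentication methods"}
    # Section 5.2: invalid_client is 400, or 401 plus WWW-Authenticate when
    # the client tried to authenticate via the Authorization header.
    status = 401 if used_basic else 400
    challenge = {"WWW-Authenticate": 'Basic realm="token"'} if used_basic else {}

    def fail(why):
        return status, dict(challenge), {"error": "invalid_client",
                                         "error_description": why}

    if used_basic:
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return fail("malformed Basic credentials")
        client_id, _, secret = raw.partition(":")
        # Section 2.3.1: both parts are form-urlencoded before Basic encoding.
        client_id, secret = unquote_plus(client_id), unquote_plus(secret)
        method = "client_secret_basic"
    elif used_post:
        client_id, secret = form.get("client_id", ""), form["client_secret"]
        method = "client_secret_post"
    else:
        return fail("no client credentials presented")
    client = clients.get(client_id)
    expected = client["client_secret"] if client else ""
    secret_ok = hmac.compare_digest(secret.encode(), expected.encode())
    if client is None or not secret_ok:
        # Same message for unknown client and wrong secret.
        return fail("client authentication failed")
    registered = client["token_endpoint_auth_method"]
    if method != registered:
        return fail(f"client registered {registered} but used {method}")
    return 200, {}, {"client_id": client_id}
```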