[Openid-specs-ab] RP Testing: "incorrect_behavior" during token exchange

Roland Hedberg roland at catalogix.se
Mon Mar 27 14:53:40 UTC 2017

> On 26 Mar 2017, at 22:16, William Denniss <wdenniss at google.com> wrote:
> Brian pointed me in the right direction. Client was registering with client_secret_post, but then sending basic.
> I think the test OP should return HTTP 400 for this error, and use the standard "invalid_client" OAuth error <https://tools.ietf.org/html/rfc6749#section-5.2>.

I agree, it should. Don’t know now why it doesn’t.
Will fix ASAP.

> On Sun, Mar 26, 2017 at 3:03 PM, William Denniss <wdenniss at google.com> wrote:
> While running the rp-response_type-code test in AppAuth, I'm seeing the following error while exchanging the authorization code:
> HTTP 200
> {
>     error = "incorrect_behavior";
>     "error_description" = "Failed to verify client";
> }
> What does this error mean? It doesn't appear to be a standard error.
> Also, the testing server should return HTTP 400 for errors per the spec <https://tools.ietf.org/html/rfc6749#section-5.2>, not HTTP 200 for errors.
> Where is the source code of the tests? Can that location be linked in http://openid.net/certification/rp_testing/ ?
> William
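
The check discussed in this thread, as an added example that is not part of the original messages and is not the test OP's code: a token endpoint compares the authentication method the client presented with its registered token_endpoint_auth_method and answers a mismatch with the "invalid_client" error from RFC 6749 section 5.2. That section specifies HTTP 400, or HTTP 401 with WWW-Authenticate when the client used the Authorization header. The registry, client id, secret and function names are assumptions made for the illustration.

```python
import base64
import hmac
import json
from urllib.parse import unquote_plus

# Constructed registry (hypothetical values): client_id -> registration.
CLIENTS = {"rp1": {"secret": "s3cret", "token_endpoint_auth_method": "client_secret_post"}}


def presented_credentials(headers, form):
    """Return (method, client_id, secret) as the client actually sent them."""
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return "client_secret_basic", None, None
        user, _, pw = raw.partition(":")
        return "client_secret_basic", unquote_plus(user), unquote_plus(pw)
    if "client_secret" in form:
        return "client_secret_post", form.get("client_id"), form["client_secret"]
    return "none", form.get("client_id"), None


def invalid_client(description, used_header):
    # RFC 6749 section 5.2: invalid_client is an HTTP 400, or a 401 carrying
    # WWW-Authenticate when the client authenticated via the Authorization
    # header. It is never an HTTP 200 and never a non-standard error code.
    status = 401 if used_header else 400
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if used_header:
        headers["WWW-Authenticate"] = 'Basic realm="token"'
    body = {"error": "invalid_client", "error_description": description}
    return status, headers, json.dumps(body)


def authenticate_client(headers, form):
    """Return None on success, else a (status, headers, body) error response."""
    method, client_id, secret = presented_credentials(headers, form)
    used_header = method == "client_secret_basic"
    client = CLIENTS.get(client_id)
    if client is None:
        return invalid_client("unknown client", used_header)
    if method != client["token_endpoint_auth_method"]:
        return invalid_client("auth method does not match registration", used_header)
    if method != "none" and not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return invalid_client("bad client secret", used_header)
    return None
```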
