<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 26 Mar 2017, at 22:16, William Denniss <<a href="mailto:wdenniss@google.com" class="">wdenniss@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Brian pointed me in the right direction. Client was registering with client_secret_post, but then sending basic.<div class=""><br class=""><div class="">I think the test OP should return HTTP 400 for this error, and use the standard "invalid_client" OAuth <a href="https://tools.ietf.org/html/rfc6749#section-5.2" class="">error</a>.</div></div></div></div></blockquote><div><br class=""></div>I agree, it should. Don’t know now why it doesn’t.</div><div>Will fix ASAP.</div><div><br class=""><blockquote type="cite" class=""><div class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Sun, Mar 26, 2017 at 3:03 PM, William Denniss <span dir="ltr" class=""><<a href="mailto:wdenniss@google.com" target="_blank" class="">wdenniss@google.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><div class="">While running the <b class="">rp-response_type-code</b> test in AppAuth, I'm seeing the following error while exchanging the authorization code:</div><div class=""><br class=""></div><div class="">HTTP 200</div><div class="">{</div><div class="">    error = "incorrect_behavior";</div><div class="">    "error_description" = "Failed to verify client";</div><div class="">}</div><div class=""><br class=""></div><div class="">What does this error mean? It doesn't appear to be a standard error.</div><div class=""><br class=""></div><div class="">Also, the testing server should return HTTP 400 for errors <a href="https://tools.ietf.org/html/rfc6749#section-5.2" target="_blank" class="">per the spec</a>, not HTTP 200 for errors.</div><div class=""><br class=""></div><div class="">Where is the source code of the tests? Can that location be linked in <a href="http://openid.net/certification/rp_testing/" target="_blank" class="">http://openid.net/<wbr class="">certification/rp_testing/</a> ?</div><span class="HOEnZb"><font color="#888888" class=""><div class=""><br class=""></div><div class=""><div class="">William</div></div></font></span></div>
</blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></body></html>