[Openid-specs-fapi] Issue #376: Grant Management API error responses (openid/fapi)

panva issues-reply at bitbucket.org
Thu Feb 18 10:38:22 UTC 2021


New issue 376: Grant Management API error responses
https://bitbucket.org/openid/fapi/issues/376/grant-management-api-error-responses

Filip Skokan:

The section only speaks of status codes, not the whole responses (i.e. actual error codes suited for the different scenarios).

Furthermore:

> If the resource URL is unknown, the authorization server responds with HTTP status code 400.

We should not dictate the authorization server's behaviour when non-existent endpoints (resource URLs) are accessed. If that is what this line intends to target, that is.

> If the client is not authorized to perform a call, the authorization server responds with HTTP status code 403.

I can’t see a scenario where this would happen. Given that access to this API is gated by an access token it’s in the step that issues that access token that a client would get a rejection to that access token request.

> If the request lacks a valid access token, the authorization server responds with HTTP status code 401.

With an error code `invalid_token`, I assume?
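The 401 case raised above, shown as an added example (not code from the FAPI specification or the issue) of how an authorization server would convey `invalid_token` to the client: RFC 6750 puts the error code in a `WWW-Authenticate: Bearer` challenge, and omits the error code entirely when no bearer token was presented at all. The token store, realm value and response shape are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample token store: token -> active flag
_TOKENS = {
    "tok-active": True,
    "tok-expired": False,
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


def _bearer_token(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def _challenge(error: Optional[str] = None, description: Optional[str] = None) -> str:
    """Build a WWW-Authenticate Bearer challenge per RFC 6750 section 3."""
    params = ['realm="grant-management"']  # realm value is an assumption
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(params)


def handle_grant_query(authorization: Optional[str]) -> Response:
    """Simulated Grant Management query endpoint; only the 401 path is modelled."""
    token = _bearer_token(authorization)
    if token is None:
        # RFC 6750 3.1: no token presented -> 401 challenge without an error code
        return Response(401, {"WWW-Authenticate": _challenge()})
    if not _TOKENS.get(token, False):
        # Unknown, revoked or expired token -> 401 with error="invalid_token"
        desc = "The access token is invalid or expired"
        return Response(401, {"WWW-Authenticate": _challenge("invalid_token", desc)})
    # Constructed success body; the real grant representation is defined by the spec
    return Response(200, body={"grant_id": "constructed-grant-1"})
```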




More information about the Openid-specs-fapi mailing list