[Openid-specs-fapi] Issue #376: Grant Management API error responses (openid/fapi)
panva
issues-reply at bitbucket.org
Thu Feb 18 10:38:22 UTC 2021
New issue 376: Grant Management API error responses
https://bitbucket.org/openid/fapi/issues/376/grant-management-api-error-responses
Filip Skokan:
The section only speaks of status codes, not the whole responses (i.e. actual error codes suited for the different scenarios).
Furthermore:
> If the resource URL is unknown, the authorization server responds with HTTP status code 400.
We should not dictate the authorization server's behaviour when non-existent endpoints (resource URLs) are accessed. If that is what this line intends to target, that is.
> If the client is not authorized to perform a call, the authorization server responds with HTTP status code 403.
I can't see a scenario where this would happen. Given that access to this API is gated by an access token, it's in the step that issues that access token that a client would get a rejection to that access token request.
> If the request lacks a valid access token, the authorization server responds with HTTP status code 401.
With an error code `invalid_token`, I assume?
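To make concrete what "the whole responses" rather than bare status codes could look like, here is an added illustration that is not from the issue, the FAPI Grant Management draft, or any of its implementations. It assumes the endpoint follows the bearer-token error conventions of RFC 6750 (a `WWW-Authenticate: Bearer ...` challenge carrying `error="invalid_token"` or `error="insufficient_scope"`, and a bare `Bearer` challenge when no token was presented at all). The token table, grant table, scope name `grant_management_query`, and the `handle_grant_query` function are constructed stand-ins for this example; the 400 for an unknown grant identifier simply mirrors the draft text quoted above and is not a claim about what the right code is.

```python
"""Added example: RFC 6750-style error responses for a grant management endpoint.
Not part of the issue or the FAPI Grant Management specification; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed token table: access token -> claims an introspection would return.
VALID_TOKENS: Dict[str, dict] = {
    "tok-abc": {"scope": "openid grant_management_query", "client_id": "client-1"},
    "tok-noscope": {"scope": "openid", "client_id": "client-1"},
}

# Constructed grant table: grant id -> owning client and granted scopes.
GRANTS: Dict[str, dict] = {
    "grant-123": {"client_id": "client-1", "scopes": ["openid"]},
}

# Assumed scope name gating read access to the grant management API.
QUERY_SCOPE = "grant_management_query"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[dict] = None


def bearer_error(status: int, error: str, description: str) -> Response:
    """Build a full error response: RFC 6750 section 3 puts the error code and
    description into the WWW-Authenticate challenge; a JSON body is added for clients."""
    challenge = f'Bearer error="{error}", error_description="{description}"'
    return Response(
        status,
        {"WWW-Authenticate": challenge, "Content-Type": "application/json"},
        {"error": error, "error_description": description},
    )


def handle_grant_query(authorization_header: Optional[str], grant_id: str) -> Response:
    """Hypothetical handler for GET <grant management endpoint>/<grant_id>."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        # No bearer token presented: RFC 6750 section 3.1 says the server SHOULD NOT
        # include an error code in this case, only the bare challenge.
        return Response(401, {"WWW-Authenticate": "Bearer"})

    token = authorization_header[len("Bearer "):]
    claims = VALID_TOKENS.get(token)
    if claims is None:
        # Token presented but unknown, expired or revoked -> invalid_token (401).
        return bearer_error(401, "invalid_token", "The access token is invalid or expired")

    if QUERY_SCOPE not in claims["scope"].split():
        # Valid token that lacks the required scope -> insufficient_scope (403).
        return bearer_error(403, "insufficient_scope", f"Scope {QUERY_SCOPE} is required")

    grant = GRANTS.get(grant_id)
    if grant is None or grant["client_id"] != claims["client_id"]:
        # Unknown grant id, or one belonging to another client: return the 400 the quoted
        # draft text prescribes (which status is appropriate is what the issue debates);
        # the same answer for both cases avoids leaking whether a foreign grant exists.
        return bearer_error(400, "invalid_request", "Unknown grant identifier")

    return Response(200, {"Content-Type": "application/json"},
                    {"grant_id": grant_id, "scopes": grant["scopes"]})


if __name__ == "__main__":
    for header, gid in [(None, "grant-123"), ("Bearer bogus", "grant-123"),
                        ("Bearer tok-noscope", "grant-123"), ("Bearer tok-abc", "nope"),
                        ("Bearer tok-abc", "grant-123")]:
        r = handle_grant_query(header, gid)
        print(r.status, r.headers.get("WWW-Authenticate"), r.body)
```

The point of the example is the shape of each response, not the status numbers: a missing token and an invalid token both produce 401 but differ in whether an `error` code is present, and the `WWW-Authenticate` challenge is what lets a client tell the cases apart.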