[Openid-specs-mobile-profile] Issue #94: use invalid_grant rather than unknown_auth_req_id in CIBA (openid/mobile)

Brian Campbell issues-reply at bitbucket.org
Mon Oct 1 21:31:38 UTC 2018

New issue 94: use invalid_grant rather than unknown_auth_req_id in CIBA

Brian Campbell:

OAuth  has the ```invalid_grant``` error status code, which is already sufficient for the "OP doesn't know the auth_req_id that the Client is asking for" case that CIBA currently has the new ```unknown_auth_req_id``` error code for.

I'd suggest that CIBA just use what's already provided by the OAuth 2.0 Authorization Framework. With the benefit of not needing to do an IANA registration per issue #86 
from https://tools.ietf.org/html/rfc6749?#section-5.2
               The provided authorization grant (e.g., authorization
               code, resource owner credentials) or refresh token is
               invalid, expired, revoked, does not match the redirection
               URI used in the authorization request, or was issued to
               another client.

More information about the Openid-specs-mobile-profile mailing list