[Openid-specs-mobile-profile] Issue #156: Possible oddity in token endpoint http status code for 'access_denied' error (openid/mobile)

Joseph at bitbucket.org
Thu May 23 15:40:26 UTC 2019

New issue 156: Possible oddity in token endpoint http status code for 'access_denied' error

Joseph Heenan:

[https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#token_error_response](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#token_error_response) defined the additional ‘access_denied’ error, which basically says use the definition from device flow, i.e. [https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13#section-3.5](https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13#section-3.5)


Both defer back to [https://tools.ietf.org/html/rfc6749#section-5.2](https://tools.ietf.org/html/rfc6749#section-5.2) :

> The authorization server responds with an HTTP 400 (Bad Request)  
> status code (unless specified otherwise) and includes the following  
> parameters with the response: <…>

So my reading (and Authlete’s) is that an access_denied error should be returned with a 400 result from the token endpoint, as there’s nothing anywhere that obviously says otherwise.


This is odd in comparison to the backchannel authentication endpoint, [https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.13](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.13), which explicitly calls out a 403 in that case:


> HTTP 403 Forbidden
> access_denied


It seems weird to have an access_denied error return 400 from the token endpoint but 403 from the backchannel authentication endpoint.

I’d probably veer towards explicitly making it a 403 in both cases (as long as the device flow folks agree).

More information about the Openid-specs-mobile-profile mailing list
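The practical consequence of the ambiguity raised above is that a CIBA (or device flow) client polling the token endpoint cannot rely on the HTTP status code alone to recognise a denial: one server will send `access_denied` with 400, another with 403. The following is an added example, not code from the mailing-list post, the OpenID specs or Authlete; it shows a client-side classifier that keys its decision on the JSON `error` member (RFC 6749 section 5.2 plus the device flow additions `authorization_pending`, `slow_down` and `expired_token`) and treats the status code only as a consistency check. The sample exchanges at the bottom are constructed, not captured from a real server, and the function names, the `TokenOutcome` fields and the five-second `slow_down` increment are this example's own choices.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the mailing-list post or the OpenID/CIBA specs):
# classify token endpoint replies by their "error" member rather than by
# HTTP status, because access_denied may arrive with 400 or 403.

RETRY_ERRORS = {"authorization_pending", "slow_down"}
SLOW_DOWN_INCREMENT = 5  # seconds added to the polling interval on slow_down


@dataclass
class TokenOutcome:
    state: str                     # success | retry | denied | expired | error | malformed
    http_status: int
    interval_delta: int = 0        # how much to lengthen the polling interval
    status_mismatch: bool = False  # HTTP status is not one we expect for this error
    payload: dict = field(default_factory=dict)


def _parse_json(body: str) -> Optional[dict]:
    """Return the body as a dict, or None if it is not a JSON object."""
    try:
        obj = json.loads(body)
    except (TypeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def classify_token_response(http_status: int, body: str) -> TokenOutcome:
    """Classify one token endpoint reply from a CIBA/device-flow poll."""
    data = _parse_json(body)
    if data is None:
        return TokenOutcome("malformed", http_status)

    if http_status == 200:
        if "access_token" in data and "token_type" in data:
            return TokenOutcome("success", http_status, payload=data)
        return TokenOutcome("malformed", http_status, payload=data)

    error = data.get("error")
    if not isinstance(error, str):
        return TokenOutcome("malformed", http_status, payload=data)

    if error in RETRY_ERRORS:
        delta = SLOW_DOWN_INCREMENT if error == "slow_down" else 0
        return TokenOutcome("retry", http_status, interval_delta=delta,
                            status_mismatch=http_status != 400, payload=data)

    if error == "access_denied":
        # Accept both: RFC 6749 defaults to 400, the CIBA backchannel
        # authentication endpoint uses 403, and servers differ.
        return TokenOutcome("denied", http_status,
                            status_mismatch=http_status not in (400, 403),
                            payload=data)

    if error == "expired_token":
        return TokenOutcome("expired", http_status,
                            status_mismatch=http_status != 400, payload=data)

    # invalid_grant, invalid_request, invalid_client (401), ...: stop polling.
    return TokenOutcome("error", http_status, payload=data)


def poll(responses, interval=5):
    """Walk a sequence of (status, body) replies as a polling client would.

    Returns (final outcome, polling interval in effect), or (None, interval)
    if the replies ran out while the request was still pending."""
    for status, body in responses:
        outcome = classify_token_response(status, body)
        if outcome.state == "retry":
            interval += outcome.interval_delta
            continue
        return outcome, interval
    return None, interval


# Constructed sample exchanges (hypothetical, not captured from a real server).
DENIED_VIA_400 = [
    (400, '{"error":"authorization_pending"}'),
    (400, '{"error":"slow_down"}'),
    (400, '{"error":"access_denied","error_description":"user declined"}'),
]
DENIED_VIA_403 = [
    (400, '{"error":"authorization_pending"}'),
    (403, '{"error":"access_denied"}'),
]
GRANTED = [
    (400, '{"error":"authorization_pending"}'),
    (200, '{"access_token":"constructed","token_type":"Bearer","expires_in":3600}'),
]

if __name__ == "__main__":
    for name, seq in [("400", DENIED_VIA_400), ("403", DENIED_VIA_403), ("ok", GRANTED)]:
        outcome, interval = poll(seq)
        print(name, outcome.state, outcome.http_status, "interval", interval)
```

Both constructed denial sequences end in the same `denied` state with `status_mismatch` false, so a client built this way keeps working whichever way the issue is resolved; a 200 carrying an `error` member or a non-JSON body is reported as `malformed` rather than silently retried.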