[Openid-specs-ab] Issue #1121: Client Authentication error (openid/connect)
jolivasf
issues-reply at bitbucket.org
Thu Oct 24 10:24:57 UTC 2019
New issue 1121: Client Authentication error
https://bitbucket.org/openid/connect/issues/1121/client-authentication-error
Jorge Oliva:
Hi, an implementation question.
Reading Section 9 of [openid](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) and also the referenced [OAuth Assertion Framework](https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-4.2.1), I'm not sure which error an OP should return when there is a failure in the credential that has been sent to the OP. For example, an RP sends a request to the /token endpoint using 'private_key_jwt' as the authentication method, and the JWT that is sent doesn't contain the mandatory field 'sub' in the payload (as described in Section 9 of [openid](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)). What error should the OP return in this case?
**Option 1**: following the [OAuth Assertion Framework](https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-4.2.1), I would say:
```
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"invalid_client",
"error_description":"assertion format incorrect"
}
```
**Option 2**: following [OAuth](https://tools.ietf.org/html/rfc6749#section-5.2), I would say:
```
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"invalid_request",
"error_description":"assertion format incorrect"
}
```
**Option 3:** And in my opinion it should be:
```
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Cache-Control: no-store
{
"error":"invalid_client",
"error_description":"assertion format incorrect"
}
```
Best Regards.
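As an added example (mine, not part of the issue or of any OpenID project code), an OP-side check of the claims that Section 9 makes mandatory in a private_key_jwt assertion, producing the post's Option 3 response shape when a claim is missing or malformed. The function names and the constructed sample assertion are my assumptions; RFC 6749 Section 5.2 leaves the choice between 400 and 401 for `invalid_client` to the server.

```python
import base64
import json
import time
from typing import Optional

# Claims that OIDC Core Section 9 makes mandatory in a private_key_jwt assertion.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "jti", "exp")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _error(description: str) -> dict:
    # Option 3 from the post: invalid_client with 401 (RFC 6749 5.2 allows 400 or 401).
    return {"status": 401,
            "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
            "body": {"error": "invalid_client", "error_description": description}}


def check_client_assertion(assertion: str, token_endpoint: str,
                           now: Optional[float] = None) -> Optional[dict]:
    """Return None when the assertion's claims are acceptable, otherwise the error
    response the OP should send. Signature verification against the client's
    registered key and jti replay tracking are assumed to happen elsewhere."""
    now = time.time() if now is None else now
    try:
        _header, payload, _signature = assertion.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return _error("assertion format incorrect")
    if not isinstance(claims, dict):
        return _error("assertion format incorrect")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return _error("assertion missing claims: " + ", ".join(missing))
    if claims["iss"] != claims["sub"]:  # Section 9: both MUST be the client_id
        return _error("iss and sub must both be the client_id")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if token_endpoint not in aud:
        return _error("aud does not identify this token endpoint")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return _error("assertion expired or exp malformed")
    return None


def make_sample_assertion(claims: dict) -> str:
    # Constructed test input: compact JWS layout with a placeholder signature segment.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.placeholder-signature"
```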