[Openid-specs-ab] Correct authorisation error code when client isn't registered / bad client ID?
bcampbell at pingidentity.com
Thu Nov 15 16:07:06 UTC 2012
I believe that in that case the text in the first paragraph of that section
takes precedence and no code is used.
"If the request fails due to a missing, invalid, or mismatching
redirection URI, *or if the client identifier is missing or invalid,
the authorization server SHOULD inform the resource owner of the
error and MUST NOT automatically redirect the user-agent to the
invalid redirection URI.*"
My implementation just returns a 400 directly in that situation with a
message that says, "Unknown or invalid client_id"
On Thu, Nov 15, 2012 at 2:17 AM, Vladimir Dzhuvinov / NimbusDS <
vladimir at nimbusds.com> wrote:
> Hi guys,
> Which code should be returned when the OP receives an authorisation
> request from a client ID that is invalid or hasn't been registered?
> I see two choices, according to
> 1. unauthorized_client : The client is not authorized to request an
> access token using this method.
> 2. access_denied : The resource owner or authorization server denied the
> Which code is the correct one for this case?
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
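The behaviour described in the reply, as an added example that is not Brian Campbell's implementation or any project's code: an authorization endpoint that first validates client_id and redirect_uri against a registry, answers a direct 400 with no Location header when either is missing, unknown or mismatching (RFC 6749 section 4.1.2.1, quoted above), and only after both pass falls back to the redirect-with-error-code path for the remaining error conditions. The client registry, client identifier and redirect URIs are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed client registry (hypothetical client_id and redirect URI).
# A real server would back this with its registration database.
CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": ["https://client.example.org/cb"]},
}


def _error_page(message):
    # Inform the resource owner directly. Deliberately no Location header:
    # RFC 6749 4.1.2.1 says the server MUST NOT redirect to an unverified URI.
    return {"status": 400, "headers": {"Content-Type": "text/plain"}, "body": message}


def _error_redirect(redirect_uri, error, state=None):
    # Used only for errors that arise AFTER client_id and redirect_uri were
    # validated, e.g. unsupported_response_type. The error (and the client's
    # state, if any) is appended to the registered URI's query component.
    params = {"error": error}
    if state is not None:
        params["state"] = state
    parts = urlsplit(redirect_uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(params)
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    return {"status": 302, "headers": {"Location": location}, "body": ""}


def handle_authorization_request(params):
    """params: dict of the authorization request's query parameters."""
    client_id = params.get("client_id")
    client = CLIENTS.get(client_id) if client_id else None
    if client is None:
        # Missing or unregistered client_id: no error code, no redirect.
        return _error_page("Unknown or invalid client_id")

    registered = client["redirect_uris"]
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        # Omitted redirect_uri is acceptable only if exactly one is registered.
        if len(registered) != 1:
            return _error_page("Missing redirect_uri")
        redirect_uri = registered[0]
    elif redirect_uri not in registered:
        # Simple string comparison against the registered value(s); no prefix
        # or substring matching, which would let an attacker steer the redirect.
        return _error_page("Invalid or mismatching redirect_uri")

    # From here on the redirect target is trusted, so remaining errors may be
    # reported with an error code via redirect, as section 4.1.2.1 lists.
    state = params.get("state")
    if params.get("response_type") != "code":
        return _error_redirect(redirect_uri, "unsupported_response_type", state)

    # Validation passed: hand off to authentication / consent (not modelled here).
    return {
        "status": 200,
        "headers": {"Content-Type": "text/plain"},
        "body": "proceed to consent",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }


if __name__ == "__main__":
    print(handle_authorization_request({"client_id": "not-registered",
                                        "redirect_uri": "https://attacker.example/cb"}))
    print(handle_authorization_request({"client_id": "s6BhdRkqt3",
                                        "redirect_uri": "https://client.example.org/cb",
                                        "response_type": "token", "state": "xyz"}))
```

The ordering is the point: an attacker who controls redirect_uri in a request for an unknown or mismatching client must never receive a 302, because that would turn the authorization server into an open redirector; only once the redirect target has been matched against registration does an error code get carried back to the client.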