[Openid-specs-ab] Issue #1023: Clarify that returning errors to the client is a MUST (openid/connect)

Joseph Heenan issues-reply at bitbucket.org
Sun Mar 18 21:44:54 UTC 2018


New issue 1023: Clarify that returning errors to the client is a MUST
https://bitbucket.org/openid/connect/issues/1023/clarify-that-returning-errors-to-the

Joseph Heenan:

As discussed with Mike Jones/John Bradley, the language in section 3.1.2.6 Authentication Error Response (http://openid.net/specs/openid-connect-core-1_0.html#AuthError) is currently:

> If the End-User denies the request or the End-User authentication fails, the OP (Authorization Server) informs the RP (Client) by using the Error Response parameters defined in Section 4.1.2.1 of OAuth 2.0 [RFC6749]. (HTTP errors unrelated to RFC 6749 are returned to the User Agent using the appropriate HTTP status code.)

The language should probably be updated to a MUST, and I think the "If the End-User denies the request or the End-User authentication fails" part needs more clarity as the spec then goes on to define errors like invalid_request_object - some implementors have interpreted this to mean that they are not required to return invalid_request_object errors to the client (and can instead show an error to the user).
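
The behaviour the issue asks the spec to mandate, as an added example that is not part of the issue text or of any OP implementation: an Authorization Server deciding whether an authentication error goes back to the RP or is shown to the End-User. It follows RFC 6749 section 4.1.2.1 (if client_id or redirect_uri is invalid or mismatched, the server must not redirect and should inform the End-User instead; otherwise the error is delivered to the client's redirect_uri, echoing state) and the OpenID Connect Core section 3.1.2.6 error list, so invalid_request_object is treated like every other error and returned to the RP once the client and redirect_uri check out. The query-versus-fragment choice follows the default response modes of OAuth 2.0 Multiple Response Type Encoding Practices. The registered-client table, request dictionaries and helper names (`REGISTERED_CLIENTS`, `build_error_redirect`, `RenderToUser`) are constructed for this example and are not from the spec.

```python
"""
Added example (not from the OpenID issue thread or any OP): an Authorization
Server deciding how to deliver an authentication error.

Rules applied, from RFC 6749 section 4.1.2.1 and OpenID Connect Core 3.1.2.6:
  * if client_id is unknown or redirect_uri is not the registered value,
    do NOT redirect; raise RenderToUser so the caller shows an error page;
  * otherwise return error (and error_description, state) to the RP at its
    redirect_uri, in the query for the code flow and in the fragment for
    implicit/hybrid, unless the request chose a response_mode explicitly.

REGISTERED_CLIENTS and the request dicts are constructed sample data.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample registration: client_id -> set of registered redirect URIs.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"https://rp.example.com/cb"},
}

# Error codes from RFC 6749 section 4.1.2.1 and OpenID Connect Core 3.1.2.6.
# Once client_id and redirect_uri are known to be valid, all of these go
# back to the RP; none of them is a reason to render a page to the user.
ERRORS_RETURNED_TO_RP = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
    "interaction_required", "login_required", "account_selection_required",
    "consent_required", "invalid_request_uri", "invalid_request_object",
    "request_not_supported", "request_uri_not_supported",
    "registration_not_supported",
}


class RenderToUser(Exception):
    """Raised when the AS must not redirect (RFC 6749 4.1.2.1) and should
    inform the End-User directly."""


def validate_client(request: dict) -> str:
    """Return the redirect_uri to use, or raise RenderToUser."""
    client_id = request.get("client_id")
    redirect_uri = request.get("redirect_uri")
    allowed = REGISTERED_CLIENTS.get(client_id)
    if allowed is None:
        raise RenderToUser("unknown client_id")
    # Exact string comparison against the registered value; no prefix matching.
    if redirect_uri not in allowed:
        raise RenderToUser("redirect_uri is not registered for this client")
    return redirect_uri


def error_response_mode(request: dict) -> str:
    """Explicit response_mode wins; otherwise code -> query, anything else -> fragment."""
    mode = request.get("response_mode")
    if mode in ("query", "fragment"):
        return mode
    response_type = set(request.get("response_type", "").split())
    return "query" if response_type == {"code"} else "fragment"


def build_error_redirect(request: dict, error: str,
                         description: Optional[str] = None) -> str:
    """Build the redirect URI carrying the Error Response parameters."""
    if error not in ERRORS_RETURNED_TO_RP:
        raise ValueError(f"not a defined error code: {error}")
    redirect_uri = validate_client(request)  # may raise RenderToUser
    params = {"error": error}
    if description:
        params["error_description"] = description
    if "state" in request:
        params["state"] = request["state"]  # state MUST be echoed if present
    parts = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if error_response_mode(request) == "query":
        query = f"{parts.query}&{encoded}" if parts.query else encoded
        return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))
    # Registered redirect URIs carry no fragment (RFC 6749 3.1.2), so it is safe to set one.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, encoded))


if __name__ == "__main__":
    # Constructed request whose request object failed validation.
    req = {"client_id": "s6BhdRkqt3", "redirect_uri": "https://rp.example.com/cb",
           "response_type": "code", "state": "af0ifjsldkj"}
    print(build_error_redirect(req, "invalid_request_object",
                               "request object signature invalid"))
```

The first branch is the one implementers sometimes get backwards: an invalid client_id or an unregistered redirect_uri is the only case where an error page to the End-User is correct, because redirecting there would hand the error (and state) to an unverified destination. Every other failure, including a bad request object, is reported to the RP.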



