[Openid-specs-ab] Issue #1023: Clarify that returning errors to the client is a MUST (openid/connect)
issues-reply at bitbucket.org
Sun Mar 18 21:44:54 UTC 2018
New issue 1023: Clarify that returning errors to the client is a MUST
As discussed with Mike Jones/John Bradley, the language in section 3.1.2.6 Authentication Error Response ( http://openid.net/specs/openid-connect-core-1_0.html#AuthError ) is currently:
> If the End-User denies the request or the End-User authentication fails, the OP (Authorization Server) informs the RP (Client) by using the Error Response parameters defined in Section 4.1.2.1 of OAuth 2.0 [RFC6749]. (HTTP errors unrelated to RFC 6749 are returned to the User Agent using the appropriate HTTP status code.)
The language should probably be updated to a MUST, and I think the "If the End-User denies the request or the End-User authentication fails" part needs more clarity as the spec then goes on to define errors like invalid_request_object - some implementors have interpreted this to mean that they are not required to return invalid_request_object errors to the client (and can instead show an error to the user).
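As an added illustration (not part of the issue text or of any OpenID implementation) of what "returning the error to the client" means in practice: an OP that fails to validate a request object still builds an Authentication Error Response and redirects back to the RP's redirect_uri with `error`, an optional `error_description`, and the request's `state`, rather than rendering an error page to the End-User. The one case where the OP must not redirect is when the client_id or redirect_uri cannot be validated (RFC 6749 section 4.1.2.1). The client registry and the RP URLs below are constructed for the example.

```python
"""Added example: building an OpenID Connect Authentication Error Response.

Not code from the OpenID specs or from any OP; the registered-client table and
the URLs are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error codes an authorization endpoint may return: RFC 6749 section 4.1.2.1
# plus the additional codes defined in OpenID Connect Core section 3.1.2.6.
OAUTH_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}
OIDC_ERRORS = {
    "interaction_required", "login_required", "account_selection_required",
    "consent_required", "invalid_request_uri", "invalid_request_object",
    "request_not_supported", "request_uri_not_supported",
    "registration_not_supported",
}

# Constructed client registry (hypothetical client_id and redirect_uri).
REGISTERED_CLIENTS = {
    "client-abc": {"redirect_uris": ["https://rp.example/cb"]},
}


def can_redirect(client_id, redirect_uri):
    """True only when redirect_uri is exactly one registered for client_id.

    RFC 6749 4.1.2.1: with a missing/invalid client_id or a mismatching
    redirect_uri the server MUST NOT redirect the user agent anywhere.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def build_error_redirect(client_id, redirect_uri, error, state=None,
                         error_description=None, response_mode="query"):
    """Return the redirect URL carrying the error back to the RP.

    Returns None when redirecting is not permitted; in that case the OP has to
    show the error to the End-User directly instead of redirecting.
    """
    if error not in OAUTH_ERRORS | OIDC_ERRORS:
        raise ValueError(f"unknown authorization error code: {error}")
    if not can_redirect(client_id, redirect_uri):
        return None

    params = {"error": error}
    if error_description:
        params["error_description"] = error_description
    if state is not None:
        # REQUIRED whenever the authentication request carried a state value.
        params["state"] = state

    parts = urlsplit(redirect_uri)
    if response_mode == "fragment":
        # Fragment encoding is used for the Implicit / Hybrid response modes.
        rebuilt = parts._replace(fragment=urlencode(params))
    else:
        # Query encoding: keep any query the RP registered and append ours.
        existing = parse_qsl(parts.query, keep_blank_values=True)
        rebuilt = parts._replace(query=urlencode(existing + list(params.items())))
    return urlunsplit(rebuilt)


def handle_request_object_failure(client_id, redirect_uri, state):
    """The situation the issue is about: a request object the OP cannot accept
    (bad signature, malformed JWT, ...) is reported to the client with
    invalid_request_object, not as an error page shown to the End-User."""
    return build_error_redirect(
        client_id, redirect_uri, "invalid_request_object", state=state,
        error_description="request object could not be validated",
    )


if __name__ == "__main__":
    print(handle_request_object_failure("client-abc", "https://rp.example/cb", "xyz"))
    # A mismatching redirect_uri yields None: no redirect, show the error locally.
    print(build_error_redirect("client-abc", "https://other.example/cb", "access_denied"))
```

The helper returns `None` rather than raising for the non-redirectable case so the caller can branch explicitly between "redirect to the RP" and "render an error page", which is the distinction the issue asks the spec to make unambiguous.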