[Openid-specs-ab] Issue #1121: Client Authentication error (openid/connect)

jolivasf issues-reply at bitbucket.org
Thu Oct 24 10:24:57 UTC 2019


New issue 1121: Client Authentication error
https://bitbucket.org/openid/connect/issues/1121/client-authentication-error

Jorge Oliva:

Hi, an implementation question.

Reading Section 9 of [openid](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) and also the referenced [OAuth Assertion Framework](https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-4.2.1), I'm not sure about what error an OP should return when there is a failure in the credential that has been sent to the OP. For example, an RP sends a request to the /token endpoint using 'private_key_jwt' as the authentication method, and the JWT that is sent doesn't contain the mandatory field 'sub' in the payload (as described in Section 9 of [openid](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)). What error should the OP return in this case?

**Option 1**: following the [OAuth Assertion Framework](https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-4.2.1) I would say:

```
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store

{
  "error":"invalid_client",
  "error_description":"assertion format incorrect"
}
```

**Option 2**: following [OAuth](https://tools.ietf.org/html/rfc6749#section-5.2) I would say:

```
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store

{
  "error":"invalid_request",
  "error_description":"assertion format incorrect"
}
```

**Option 3**: and in my opinion it should be:

```
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Cache-Control: no-store

{
  "error":"invalid_client",
  "error_description":"assertion format incorrect"
}
```


Best Regards.
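As an added illustration, not part of the original issue nor code from the OpenID Foundation, the following Python sketches the claim checks an OP would run on a private_key_jwt assertion at the token endpoint and builds the corresponding error response. It follows the OAuth Assertion Framework (RFC 7521 Section 4.2.1, the published successor of the cited draft) in returning error=invalid_client for a bad assertion, and leaves the HTTP status as a parameter because RFC 6749 Section 5.2 only mandates 401 when the client authenticated via the Authorization header, which private_key_jwt does not use (the assertion travels in the POST body). The token endpoint URL, client_id and claim values are constructed assumptions, and signature verification against the client's registered key is deliberately left out so the block runs offline.

```python
import base64
import json
import time

# Assumed OP token endpoint and registered client_id (hypothetical values).
TOKEN_ENDPOINT = "https://op.example.com/token"
CLIENT_ID = "s6BhdRkqt3"

# Claims that OpenID Connect Core 1.0 Section 9 requires in a private_key_jwt assertion.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "jti", "exp")


def _b64url_decode(segment):
    """Decode an unpadded base64url segment as used in compact JWS."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_assertion(claims):
    """Build a compact JWS with an empty signature part; constructed test input only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_assertion_claims(assertion, client_id, token_endpoint, now=None):
    """Return a list of problems found in the assertion's claims (empty list = OK).

    Signature verification with the client's registered key is a separate step
    omitted here; this covers only the claim checks from OIDC Core Section 9.
    """
    now = time.time() if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["assertion is not a compact JWS (expected three dot-separated parts)"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        return ["assertion payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["assertion payload is not a JSON object"]

    # A missing required claim (e.g. no 'sub', the case raised in the issue) is reported first.
    problems = [f"missing required claim '{c}'" for c in REQUIRED_CLAIMS if c not in claims]
    if problems:
        return problems
    if claims["iss"] != client_id:
        problems.append("iss does not match the authenticating client_id")
    if claims["sub"] != client_id:
        problems.append("sub does not match the authenticating client_id")
    aud = claims["aud"]
    if isinstance(aud, str):
        aud = [aud]
    if token_endpoint not in aud:
        problems.append("aud does not include the token endpoint URL")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        problems.append("assertion has expired")
    return problems


def client_auth_error(description, unauthorized=False):
    """Token endpoint error response for a failed client authentication.

    RFC 7521 Section 4.2.1: a bad assertion yields error=invalid_client.
    RFC 6749 Section 5.2: 401 is mandatory only for Authorization-header
    authentication; with the assertion in the POST body either 400 or 401 is
    permitted, so the choice is exposed as the `unauthorized` flag.
    """
    status = 401 if unauthorized else 400
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}
    body = {"error": "invalid_client", "error_description": description}
    return {"status": status, "headers": headers, "body": body}


def authenticate_private_key_jwt(assertion, client_id, token_endpoint, now=None, unauthorized=False):
    """Return None when the assertion's claims pass, else the error response to send."""
    problems = check_assertion_claims(assertion, client_id, token_endpoint, now)
    if problems:
        return client_auth_error("; ".join(problems), unauthorized=unauthorized)
    return None


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed assertion that omits 'sub', the exact case asked about in the issue.
    no_sub = make_unsigned_assertion({"iss": CLIENT_ID, "aud": TOKEN_ENDPOINT, "jti": "x1", "exp": now + 60})
    print(json.dumps(authenticate_private_key_jwt(no_sub, CLIENT_ID, TOKEN_ENDPOINT, now), indent=2))
```

Running the block prints a 400 invalid_client response whose error_description names the missing 'sub' claim; passing unauthorized=True switches it to 401 without changing the body, which matches the difference between Option 1 and Option 3 above.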