[Openid-specs-ab] Issue #1186: when to use invalid_request_object error (openid/connect)

josephheenan issues-reply at bitbucket.org
Tue Sep 8 11:01:34 UTC 2020


New issue 1186: when to use invalid_request_object error
https://bitbucket.org/openid/connect/issues/1186/when-to-use-invalid_request_object-error

Joseph Heenan:

Can the WG clarify when they expect invalid_request_object to be used please?

https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#AuthError and https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-28#section-7 both say:

> invalid_request_object
>
> The `request` parameter contains an invalid Request Object.

Questions are:

1. Can invalid_request_object be returned when the RP used the request_uri parameter (i.e. not request, which is what the text explicitly mentions)?
2. Can invalid_request_object be returned when the object itself is valid (signature is okay, aud/iss okay, not expired) but, e.g., the OP doesn't like the redirect_uri contained in it?

https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-28#section-6 seems to explicitly say the answer to '1' is yes:

```
If signature validation fails, the Authorization Server MUST return
an "invalid_request_object" error.
```

Some guidance on what is preferred and what is allowed (for certification purposes) would be appreciated please. Related to https://gitlab.com/openid/conformance-suite/-/issues/815
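The validation sequence the two questions above are about, written out as an added example; this is not part of the original post, nor code from the OpenID conformance suite or any OP. It follows the draft text where it is explicit: an unresolvable request_uri returns invalid_request_uri (Core 3.1.2.6), and a signature failure returns invalid_request_object for both the request and request_uri delivery methods, which is the reading of jwsreq-28 section 6 given in the post. The contested case, a correctly signed, unexpired object whose redirect_uri the OP does not accept, is deliberately not decided here: the caller passes the error code to use as `redirect_mismatch_error`, so the same code can be exercised with either answer. HS256 with a shared secret stands in for the RP's signing key, and the issuer, client_id, key and in-memory request_uri store are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Error codes quoted in the issue (Core 3.1.2.6 and jwsreq-28 section 7).
INVALID_REQUEST_OBJECT = "invalid_request_object"
INVALID_REQUEST_URI = "invalid_request_uri"
INVALID_REQUEST = "invalid_request"

# Constructed values for the example; none of these come from the issue.
ISSUER = "https://op.example"
CLIENT_ID = "s6BhdRkqt3"
HMAC_KEY = b"constructed-shared-secret-for-the-example"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Test helper: HS256-signed compact JWS carrying the authorization request claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_request_object(jws: str, key: bytes = HMAC_KEY) -> Optional[dict]:
    """Return the claims if the JWS parses and its HS256 signature verifies, else None."""
    parts = jws.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # rejects alg=none and any unexpected algorithm
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError, AttributeError):
        return None


def authorize(params: dict, registered_redirect_uris: set, request_uri_store: dict,
              now: int, redirect_mismatch_error: str) -> Optional[str]:
    """Classify one authorization request: an OAuth error code, or None when accepted.

    redirect_mismatch_error is the code used when the object is valid but names a
    redirect_uri the OP will not accept; the issue leaves that choice open, so the
    caller supplies it rather than this example deciding it.
    """
    # Obtain the Request Object by value (request) or by reference (request_uri).
    if "request" in params:
        jws = params["request"]
    elif "request_uri" in params:
        # In-memory stand-in for dereferencing the URI; a missing entry models
        # "the request_uri returns an error" (Core 3.1.2.6: invalid_request_uri).
        jws = request_uri_store.get(params["request_uri"])
        if jws is None:
            return INVALID_REQUEST_URI
    else:
        return INVALID_REQUEST  # this example OP requires a Request Object (assumption)

    # jwsreq-28 section 6: signature failure MUST yield invalid_request_object.
    # Applied identically for both delivery methods, as the issue reads the text.
    claims = verify_request_object(jws)
    if claims is None:
        return INVALID_REQUEST_OBJECT

    # Defects of the object itself (iss, aud, exp) are also invalid_request_object here.
    aud = claims.get("aud")
    aud_ok = aud == ISSUER or (isinstance(aud, list) and ISSUER in aud)
    exp = claims.get("exp")
    if claims.get("iss") != CLIENT_ID or not aud_ok or not isinstance(exp, (int, float)) or exp <= now:
        return INVALID_REQUEST_OBJECT

    # The object is valid; whether an unregistered redirect_uri still makes it an
    # "invalid Request Object" is exactly question 2 of the issue.
    redirect_uri = claims.get("redirect_uri", params.get("redirect_uri"))
    if redirect_uri not in registered_redirect_uris:
        return redirect_mismatch_error
    return None


if __name__ == "__main__":
    now = 1_600_000_000
    good = {"iss": CLIENT_ID, "aud": ISSUER, "exp": now + 300, "client_id": CLIENT_ID,
            "response_type": "code", "redirect_uri": "https://rp.example/cb"}
    store = {"urn:example:req1": make_request_object(good)}
    registered = {"https://rp.example/cb"}
    print(authorize({"request_uri": "urn:example:req1"}, registered, store, now, INVALID_REQUEST))
    print(authorize({"request": make_request_object(good, key=b"wrong-key")},
                    registered, store, now, INVALID_REQUEST))
```

Running the same unregistered-redirect_uri request twice, once with `redirect_mismatch_error=INVALID_REQUEST_OBJECT` and once with `INVALID_REQUEST`, is what a conformance test would have to accept or reject, which is why the post asks the WG to state a preference.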



