[Openid-specs-mobile-profile] Issue #156: Possible oddity in token endpoint http status code for 'access_denied' error (openid/mobile)

Joseph at bitbucket.org
Thu May 23 15:40:26 UTC 2019


New issue 156: Possible oddity in token endpoint http status code for 'access_denied' error
https://bitbucket.org/openid/mobile/issues/156/possible-oddity-in-token-endpoint-http

Joseph Heenan:

https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#token_error_response defined the additional ‘access_denied’ error, which basically says use the definition from device flow, i.e. https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13#section-3.5

Both defer back to https://tools.ietf.org/html/rfc6749#section-5.2 :

> The authorization server responds with an HTTP 400 (Bad Request)  
> status code (unless specified otherwise) and includes the following  
> parameters with the response: <…>

so my reading (and Authlete’s) is that an access_denied error should be returned with a 400 result from the token endpoint, as there’s nothing anywhere that obviously says otherwise.

This is odd in comparison to the backchannel authentication endpoint, https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.13 which explicitly calls out that in that case it’s a 403:

> HTTP 403 Forbidden
>
> access_denied

It seems weird to have an access denied error return 400 from the token endpoint but 403 from the backchannel authentication endpoint.

I’d probably veer towards explicitly making it a 403 in both cases (as long as the device flow folks agree).
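The interop consequence of the ambiguity above is that a client which keys the `access_denied` decision off the HTTP status code alone will work against one server and misbehave against another. The following is an added example, not code from the original post, from the CIBA spec, or from any implementation named in it: a client-side classifier for token endpoint responses that follows RFC 6749 section 5.2 by branching on the JSON `error` member and accepting either 400 or 403 around it. The `slow_down` handling (add 5 seconds to the polling interval) is taken from the device flow draft linked above; the sample server responses, the `TokenOutcome` type and the `poll_until_done` driver are constructed for this example and are not from any real server.

```python
import json
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

# draft-ietf-oauth-device-flow-13 section 3.5: on slow_down the polling
# interval MUST be increased by 5 seconds for this and all subsequent requests.
SLOW_DOWN_INCREMENT = 5

# Error codes after which the client keeps polling the token endpoint.
RETRYABLE_ERRORS = {"authorization_pending", "slow_down"}


@dataclass
class TokenOutcome:
    """Constructed result type for this example (not from any spec)."""
    kind: str                      # "success", "retry", "denied", "expired", "error"
    status: int                    # HTTP status actually observed, kept for interop logging
    error: Optional[str] = None
    description: Optional[str] = None
    interval_delta: int = 0        # seconds to add to the polling interval
    tokens: dict = field(default_factory=dict)


def parse_token_response(status: int, body: str) -> TokenOutcome:
    """Classify a token endpoint response by its JSON 'error' member.

    RFC 6749 section 5.2 makes 400 the default error status "unless specified
    otherwise", and the issue notes that CIBA specifies 403 for access_denied
    only at the backchannel authentication endpoint. Branching on the 'error'
    value, and accepting any 4xx status around it, works against both readings.
    """
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = None

    if 200 <= status < 300:
        if isinstance(payload, dict) and "access_token" in payload:
            return TokenOutcome(kind="success", status=status, tokens=payload)
        # A 2xx without a token is malformed: do not treat it as success.
        return TokenOutcome(kind="error", status=status, error="malformed_success")

    if 400 <= status < 500 and isinstance(payload, dict) and "error" in payload:
        err = str(payload["error"])
        desc = payload.get("error_description")
        if err in RETRYABLE_ERRORS:
            delta = SLOW_DOWN_INCREMENT if err == "slow_down" else 0
            return TokenOutcome(kind="retry", status=status, error=err,
                                description=desc, interval_delta=delta)
        if err == "access_denied":
            return TokenOutcome(kind="denied", status=status, error=err, description=desc)
        if err == "expired_token":
            return TokenOutcome(kind="expired", status=status, error=err, description=desc)
        return TokenOutcome(kind="error", status=status, error=err, description=desc)

    # 5xx, or a 4xx without a parseable OAuth error body: do not guess at an
    # OAuth error code; surface it as an unexpected response and stop polling.
    return TokenOutcome(kind="error", status=status, error="unexpected_response")


def poll_until_done(responses: Iterable[Tuple[int, str]], interval: int = 5):
    """Run the classifier over successive (status, body) pairs standing in for
    HTTP calls to the token endpoint (no network is used). Returns
    (final_outcome, final_interval_seconds, polls_made)."""
    polls = 0
    for status, body in responses:
        polls += 1
        outcome = parse_token_response(status, body)
        if outcome.kind == "retry":
            interval += outcome.interval_delta
            continue
        return outcome, interval, polls
    raise RuntimeError("ran out of responses before a terminal outcome")


# Constructed sample response sequences (not captured from any real server).
SERVER_A = [  # access_denied with the RFC 6749 default status
    (400, '{"error":"authorization_pending"}'),
    (400, '{"error":"slow_down"}'),
    (400, '{"error":"access_denied","error_description":"user rejected"}'),
]
SERVER_B = [  # access_denied with 403, as the issue proposes
    (400, '{"error":"authorization_pending"}'),
    (403, '{"error":"access_denied"}'),
]
SERVER_C = [  # eventual success
    (400, '{"error":"authorization_pending"}'),
    (200, '{"access_token":"tok","token_type":"Bearer","expires_in":3600}'),
]

if __name__ == "__main__":
    for name, seq in (("A", SERVER_A), ("B", SERVER_B), ("C", SERVER_C)):
        outcome, interval, polls = poll_until_done(seq)
        print(f"server {name}: {outcome.kind} (http {outcome.status}) "
              f"after {polls} polls, interval now {interval}s")
```

The observed status is kept on every outcome so that a deployment can log when `access_denied` arrives with a status other than the one it expects; that makes the 400-versus-403 divergence visible in monitoring without breaking the client either way.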



