[Openid-specs-mobile-profile] Issue #218: Overstrict requirements on invalid_client error being http 401 (openid/mobile)

josephheenan issues-reply at bitbucket.org
Wed Feb 28 21:13:00 UTC 2024


New issue 218: Overstrict requirements on invalid_client error being http 401
https://bitbucket.org/openid/mobile/issues/218/overstrict-requirements-on-invalid_client

Joseph Heenan:

[https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1\_0.html#rfc.section.13](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.13) says that `invalid_client` should be used with a 401 status code, but 401 requires a WWW-Authenticate header which is not applicable for all client authentication schemes.

[https://www.rfc-editor.org/rfc/rfc6749#section-5.2](https://www.rfc-editor.org/rfc/rfc6749#section-5.2) allows both a 400 or a 401 with a WWW-Authenticate in this case. It’d seem reasonable for CIBA to do the same.



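A worked example, added here and not part of the issue, the CIBA spec, or any conformance-suite code: a token or backchannel authentication endpoint choosing the status and headers for an `invalid_client` error the way RFC 6749 section 5.2 describes (401 with a matching WWW-Authenticate challenge only when the client actually used the Authorization header, 400 otherwise), plus a check that flags a 401 lacking WWW-Authenticate, which RFC 9110 requires on every 401. The function names, the realm value and the sample request headers are constructed for illustration.

```python
"""Added example (not code from the CIBA spec, the issue, or any project):
building and checking the ``invalid_client`` error response of a token or
backchannel authentication endpoint following RFC 6749 section 5.2,
instead of always answering 401."""
from dataclasses import dataclass


@dataclass
class ErrorResponse:
    status: int
    headers: dict
    body: dict


def invalid_client_response(request_headers: dict, realm: str = "example") -> ErrorResponse:
    """Pick status and headers for a failed client authentication.

    RFC 6749 section 5.2: if the client tried to authenticate through the
    Authorization request header (client_secret_basic), the server MUST
    answer 401 and include a WWW-Authenticate challenge matching the scheme
    the client used. Other methods (client_secret_post, private_key_jwt,
    tls_client_auth) carry no Authorization header, so there is no HTTP
    authentication scheme to challenge with and 400 is the sensible answer.
    ``realm`` is an assumed placeholder value.
    """
    body = {"error": "invalid_client",
            "error_description": "client authentication failed"}
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store",
               "Pragma": "no-cache"}
    authz = next((v for k, v in request_headers.items()
                  if k.lower() == "authorization"), None)
    if authz is not None:
        parts = authz.split(None, 1)
        # An empty or malformed header still counts as an attempt to use
        # HTTP authentication; fall back to the scheme this server supports.
        scheme = parts[0] if parts else "Basic"
        headers["WWW-Authenticate"] = f'{scheme} realm="{realm}"'
        return ErrorResponse(401, headers, body)
    return ErrorResponse(400, headers, body)


def check_invalid_client_response(resp: ErrorResponse) -> list:
    """Conformance-style check of an invalid_client response.

    Returns a list of problems (empty when the response is acceptable).
    Accepts 400 or 401 as RFC 6749 does, and flags a 401 that lacks
    WWW-Authenticate, which RFC 9110 section 15.5.2 requires on every 401.
    """
    problems = []
    if resp.body.get("error") != "invalid_client":
        problems.append("error is not invalid_client")
    if resp.status not in (400, 401):
        problems.append(f"status {resp.status} is neither 400 nor 401")
    if resp.status == 401 and not any(k.lower() == "www-authenticate"
                                      for k in resp.headers):
        problems.append("401 response without a WWW-Authenticate header")
    return problems


if __name__ == "__main__":
    # Constructed sample requests: one using client_secret_basic with a
    # wrong secret, one using client_secret_post (no Authorization header).
    basic = invalid_client_response(
        {"Authorization": "Basic czZCaGRSa3F0Mzp3cm9uZy1zZWNyZXQ=",
         "Content-Type": "application/x-www-form-urlencoded"})
    post = invalid_client_response(
        {"Content-Type": "application/x-www-form-urlencoded"})
    for r in (basic, post):
        print(r.status, r.headers.get("WWW-Authenticate"),
              check_invalid_client_response(r))
    # A blanket 401 sent with no challenge fails the HTTP-level rule:
    print(check_invalid_client_response(
        ErrorResponse(401, {"Content-Type": "application/json"},
                      {"error": "invalid_client"})))
```

The point the check makes concrete: a spec that mandates 401 for every `invalid_client` forces servers using `private_key_jwt` or mTLS client authentication to either send a 401 with no WWW-Authenticate header (violating HTTP) or invent a challenge for a scheme the client never used; allowing 400 in those cases, as RFC 6749 does, avoids both.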

More information about the Openid-specs-mobile-profile mailing list