Unless I'm mistaken, RFC 7009 doesn't specify the error response when the request is from a different client to the issuer.
Section 2.1:

> If this validation fails, the request is refused and the client is informed
> of the error by the authorization server as described below.

The only relevant description below I can see is in Section 2.2.1:

> The error presentation conforms to the definition in Section 5.2 of [RFC6749].

However, none of the error codes there seem to be applicable. unauthorized_client appears to be the closest, although there is no grant type involved.

> The authenticated client is not authorized to use this authorization grant
> type.

What is the intention here?

----
James Howe
Senior IT Developer
Department of Engineering
University of Cambridge
+44 1223 748536

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
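The situation the question describes, as an added example that is not part of the original message or of any implementation the RFC references: a minimal RFC 7009 revocation endpoint that performs the Section 2.1 check (the token presented must have been issued to the authenticated client) and, when the check fails, returns an error body in the RFC 6749 Section 5.2 shape. The token store, client names and token values are constructed for illustration. Because RFC 7009 names no specific code for this case, the choice of `unauthorized_client` below is an assumption made for the example, not something the specification requires; `invalid_request`, `invalid_client` and the 200 on an unknown token are what RFC 6749 Section 5.2 and RFC 7009 Section 2.2 respectively prescribe.

```python
"""Minimal RFC 7009 token revocation endpoint, written to show where the
client-binding check from Section 2.1 lives and how the error is surfaced.
Example code only; not from the mailing-list post or any real server.
"""


def make_store():
    # Constructed sample data: token value -> issuing client and revocation state.
    # A real authorization server would consult its token database here.
    return {
        "tok-A-1": {"client_id": "client-a", "revoked": False},
        "tok-B-1": {"client_id": "client-b", "revoked": False},
    }


def handle_revocation(store, authenticated_client_id, form):
    """Process one POST to the revocation endpoint.

    store:                   token database (see make_store()).
    authenticated_client_id: identity established by client authentication
                             (RFC 6749 Section 2.3), or None if it failed.
    form:                    parsed application/x-www-form-urlencoded body.

    Returns (http_status, json_body_or_None). A JSON body is only present
    on error, mirroring RFC 7009 Section 2.2 / 2.2.1.
    """
    # Client authentication failed: RFC 6749 Section 5.2 "invalid_client",
    # which MAY be signalled with HTTP 401.
    if authenticated_client_id is None:
        return 401, {"error": "invalid_client"}

    token = form.get("token")
    if not token:
        # Required parameter missing: RFC 6749 Section 5.2 "invalid_request".
        return 400, {
            "error": "invalid_request",
            "error_description": "the token parameter is required",
        }

    record = store.get(token)
    if record is None:
        # RFC 7009 Section 2.2: an invalid (unknown, expired, already revoked)
        # token does not produce an error; the server responds 200.
        return 200, None

    if record["client_id"] != authenticated_client_id:
        # RFC 7009 Section 2.1 validation failed: the token was issued to a
        # different client. The RFC does not name the error code for this
        # case; using "unauthorized_client" here is an ASSUMPTION for the
        # example. The token is left untouched.
        return 400, {
            "error": "unauthorized_client",
            "error_description": "token was not issued to this client",
        }

    # Token belongs to the caller: revoke it. Idempotent, per Section 2.2.
    record["revoked"] = True
    return 200, None


if __name__ == "__main__":
    s = make_store()
    # client-a tries to revoke client-b's token: refused, token still live.
    print(handle_revocation(s, "client-a", {"token": "tok-B-1"}))
    print(s["tok-B-1"]["revoked"])
    # client-b revokes its own token: 200 with no body, token now revoked.
    print(handle_revocation(s, "client-b", {"token": "tok-B-1"}))
    print(s["tok-B-1"]["revoked"])
```

The cross-client case is deliberately distinguished from the unknown-token case: an unknown token gets a bare 200, so a client cannot use the endpoint to probe whether a token string exists, while a token that exists but belongs to someone else is refused and not revoked.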