Hi James,

> On 11. Jun 2019, at 17:53, James Howe <jmh...@cam.ac.uk> wrote:
>
> Unless I'm mistaken, RFC 7009 doesn't specify the error response when the
> request is from a different client to the issuer.
>
> Section 2.1:
>> If this validation fails, the request is refused and the client is informed
>> of the error by the authorization server as described below.
>
> The only relevant description below I can see is in Section 2.2.1:
>> The error presentation conforms to the definition in Section 5.2 of
>> [RFC6749].
>
> However, none of the error codes there seem to be applicable.
> unauthorized_client appears to be the closest, although there is no grant
> type involved.
>> The authenticated client is not authorized to use this authorization grant
>> type.
>
> What is the intention here?
Since RFC 6749 does not utilise HTTP status code 403 (which would be appropriate), the AS should respond with unauthorized_client as you suggested.

kind regards,
Torsten.

> ----
> James Howe
> Senior IT Developer
> Department of Engineering
> University of Cambridge
> +44 1223 748536
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
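The behaviour discussed in this thread, written out as an added example (not code from the thread, from RFC 7009, or from any particular authorization server): a minimal RFC 7009 revocation endpoint handler that authenticates the client, then checks that the submitted token was issued to that client, and answers a mismatch with the RFC 6749 Section 5.2 error format carrying `unauthorized_client`. The token and client registries, the `revoke` function, the `Response` type and the assumption that the client authenticated with HTTP Basic (so that `invalid_client` is answered with 401 and a WWW-Authenticate header) are all constructed for this illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data (not real tokens or credentials):
# token -> client_id the token was issued to, and client_id -> client_secret.
TOKENS = {
    "tok-alpha-1": "client-alpha",
    "tok-beta-7": "client-beta",
}
CLIENTS = {
    "client-alpha": "secret-alpha",
    "client-beta": "secret-beta",
}

VALID_HINTS = ("access_token", "refresh_token")  # token_type_hint values from RFC 7009 2.1


@dataclass
class Response:
    """HTTP status, JSON body (as a dict) and extra headers for the revocation response."""
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def _error(status, code, description=None, headers=None):
    # Error presentation per RFC 6749 Section 5.2: JSON object with "error"
    # and an optional "error_description"; 400 unless specified otherwise.
    body = {"error": code}
    if description:
        body["error_description"] = description
    return Response(status, body, headers or {})


def revoke(client_id, client_secret, form, tokens=TOKENS, clients=CLIENTS):
    """Handle one POST to the revocation endpoint.

    form:    the application/x-www-form-urlencoded parameters as a dict
    tokens:  mutable registry token -> issuing client_id (revocation deletes from it)
    clients: registry client_id -> client_secret (confidential clients only)
    """
    # Step 1 (RFC 7009 2.1): validate the client credentials first. Assumes the
    # client used HTTP Basic, so RFC 6749 5.2 requires 401 + WWW-Authenticate.
    expected = clients.get(client_id)
    if expected is None or not secrets.compare_digest(expected, client_secret):
        return _error(401, "invalid_client",
                      headers={"WWW-Authenticate": 'Basic realm="revocation"'})

    token = form.get("token")
    if token is None:
        return _error(400, "invalid_request", "token parameter is required")

    # unsupported_token_type is the one error RFC 7009 2.2.1 adds to the 6749 list.
    hint = form.get("token_type_hint")
    if hint is not None and hint not in VALID_HINTS:
        return _error(400, "unsupported_token_type")

    owner = tokens.get(token)
    if owner is None:
        # Unknown or already-revoked token: RFC 7009 2.2 says respond 200, not an
        # error, because the client cannot do anything useful with the error.
        return Response(200, {})

    # Step 2 (RFC 7009 2.1): verify the token was issued to the requesting client.
    # A mismatch is refused; following the reply above, the error code is
    # unauthorized_client in the RFC 6749 5.2 format (HTTP 400).
    if owner != client_id:
        return _error(400, "unauthorized_client",
                      "token was not issued to the authenticated client")

    del tokens[token]           # revoke: the token is no longer accepted anywhere
    return Response(200, {})


if __name__ == "__main__":
    reg = dict(TOKENS)
    print(revoke("client-alpha", "secret-alpha", {"token": "tok-beta-7"}, reg, dict(CLIENTS)))
    print(revoke("client-alpha", "secret-alpha", {"token": "tok-alpha-1"}, reg, dict(CLIENTS)))
```

One design point worth keeping in mind when choosing this error: answering a cross-client revocation attempt with `unauthorized_client` confirms to the caller that the token exists and belongs to someone else, whereas an unknown token gets a silent 200. A server that does not want its revocation endpoint to act as a token-existence oracle can treat both cases identically (200), which RFC 7009 permits for invalid tokens; the trade-off is that a misconfigured legitimate client gets no diagnostic.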