- changed status to open
when to use invalid_request_object error
Can the WG clarify when they expect invalid_request_object to be used please?
https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#AuthError and https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-28#section-7 both say:
"invalid_request_object: The request parameter contains an invalid Request Object."
Questions are:
1. Can invalid_request_object be returned when the RP used the request_uri parameter (i.e. not request, as is explicitly mentioned in the text)?
2. Can invalid_request_object be returned when the object itself is valid (signature is okay, aud/iss okay, not expired) but, e.g., the OP doesn't like the redirect_uri contained in it?
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-28#section-6 seems to explicitly say the answer to '1' is yes:
"If signature validation fails, the Authorization Server MUST return an "invalid_request_object" error."
Some guidance on what is preferred and what is allowed (for certification purposes) would be appreciated please. Related to https://gitlab.com/openid/conformance-suite/-/issues/815
Comments (3)
Yes, it was related to https://gitlab.com/openid/conformance-suite/-/issues/815
We made some changes to the FAPI-RW PAR conformance tests to accept a wider range of errors I think.
- changed status to resolved
Necessary changes were made into the conformance test suite.
I believe the intent of invalid_request_object is to convey a problem with the Request Object itself - not problems with the request parameters contained in it, which would likely result in different errors. Is there a specific certification issue or question that relates to this?
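To make the distinction drawn in this thread concrete, here is an added example (not code from the WG, the conformance suite, or any OP) of an authorization server classifying a JWT-secured request: failures of the Request Object itself (malformed, bad signature, wrong iss/aud, expired) yield invalid_request_object regardless of whether it arrived via request or request_uri, while a valid object carrying an unregistered redirect_uri or unsupported response_type yields the ordinary OAuth error instead. It assumes a shared HS256 key for brevity, and the mapping of parameter-level problems to invalid_request / unsupported_response_type is the example's own choice; the key and claims are constructed sample data.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS carrying the authorization request (constructed test data)."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def classify_request(jws: str, key: bytes, as_issuer: str, registered_redirect_uris: set, now: float):
    """Return (error_code or None, claims).
    Request-Object-level problems -> invalid_request_object (same for request and request_uri);
    problems with the parameters inside a valid object -> ordinary OAuth errors (assumption)."""
    parts = jws.split(".")
    if len(parts) != 3:  # not a compact JWS at all
        return "invalid_request_object", None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return "invalid_request_object", None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # undecodable signature or payload
        return "invalid_request_object", None
    # aud must name this AS and iss must be the client itself (jwsreq / OIDC Core)
    if claims.get("aud") != as_issuer or claims.get("iss") != claims.get("client_id"):
        return "invalid_request_object", claims
    if "exp" in claims and claims["exp"] <= now:
        return "invalid_request_object", claims
    # The object is valid; from here on only its contents are judged.
    if claims.get("redirect_uri") not in registered_redirect_uris:
        return "invalid_request", claims
    if claims.get("response_type") != "code":
        return "unsupported_response_type", claims
    return None, claims

# Constructed sample inputs for a stand-alone run.
DEMO_KEY = b"constructed-demo-secret"
DEMO_CLAIMS = {"iss": "s6BhdRkqt3", "client_id": "s6BhdRkqt3", "aud": "https://as.example",
               "response_type": "code", "redirect_uri": "https://rp.example/cb", "exp": 2000000000}
```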