openid / mobile / issues / #218 - Overstrict requirements on invalid_client error being http 401 — Bitbucket

Issue #218 new

Joseph Heenan created an issue 2024-02-28

https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.13 says that invalid_client should be used with a 401 status code, but 401 requires a WWW-Authenticate header which is not applicable for all client authentication schemes - in particular not the ones used by FAPI, private_key_jwt or mtls client auth.

https://www.rfc-editor.org/rfc/rfc6749#section-5.2 allows both a 400 or a 401 with a WWW-Authenticate in this case. It’d seem reasonable for CIBA to do the same.

‌

Comments (4)

Joseph Heenan reporter
Related to a query received by certification team: https://gitlab.com/openid/conformance-suite/-/issues/1311
- 2024-02-28T21:14:43+00:00
Joseph Heenan reporter
- edited description
- 2024-02-28T21:30:16+00:00
Brian Campbell
It does seem reasonable. CIBA probably should have more explicitly allowed for both a 400 or a 401 with invalid_client
- 2024-02-28T21:40:49+00:00
Bjorn Hjelm
I agree, the proposed change seems reasonable.
- 2024-03-12T17:18:22+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: new

Component: CIBA

Milestone: Errata

Votes: 0

Watchers: 2

Jira Software: the preferred issue tracker for Bitbucket. Join the team!