Overstrict requirements on invalid_client error being http 401
Issue #218
new
https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.13 says that invalid_client should be used with a 401 status code, but 401 requires a WWW-Authenticate header which is not applicable for all client authentication schemes - in particular not the ones used by FAPI, private_key_jwt or mtls client auth.
https://www.rfc-editor.org/rfc/rfc6749#section-5.2 allows both a 400 or a 401 with a WWW-Authenticate in this case. It’d seem reasonable for CIBA to do the same.
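To make the distinction concrete, here is an added example (not code from the issue, the CIBA spec or any OpenID project) of how an authorization server could choose the status code for an invalid_client error based on the client authentication method actually used. It follows the RFC 6749 section 5.2 rule: a 401 with a matching WWW-Authenticate header is mandatory only when the client sent credentials in the HTTP Authorization header (client_secret_basic); for body-based or TLS-based methods (client_secret_post, private_key_jwt, tls_client_auth, self_signed_tls_client_auth) there is no HTTP authentication scheme to advertise, so a 400 is returned. The realm string and the function names are this example's own assumptions.

```python
import json

# Client auth methods that carry credentials in the HTTP Authorization header.
# RFC 6749 section 5.2: a failure here MUST be a 401 with a WWW-Authenticate
# header matching the scheme the client used.
HEADER_AUTH_METHODS = {"client_secret_basic"}

# Methods whose credentials live in the request body or the TLS layer.
# There is no WWW-Authenticate scheme that describes them, so a 400 is the
# sensible choice (RFC 6749 allows 400 for invalid_client; 401 is only a MAY).
BODY_OR_TLS_AUTH_METHODS = {
    "client_secret_post",
    "private_key_jwt",
    "tls_client_auth",
    "self_signed_tls_client_auth",
}


def invalid_client_response(auth_method, realm="backchannel-token-endpoint"):
    """Return (status, headers, body) for a failed client authentication.

    `realm` is a placeholder value assumed for this example.
    """
    if auth_method not in HEADER_AUTH_METHODS | BODY_OR_TLS_AUTH_METHODS:
        raise ValueError(f"unknown client authentication method: {auth_method}")

    headers = {
        "Content-Type": "application/json",
        # RFC 6749 section 5.2 asks for these on error responses too.
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    body = json.dumps({
        "error": "invalid_client",
        "error_description": "client authentication failed",
    })

    if auth_method in HEADER_AUTH_METHODS:
        # The client used HTTP Basic, so a 401 is required and the challenge
        # header must name that same scheme.
        headers["WWW-Authenticate"] = f'Basic realm="{realm}"'
        return 401, headers, body

    # private_key_jwt / mTLS / client_secret_post: no scheme to challenge with.
    return 400, headers, body


def is_well_formed(status, headers):
    """Sanity check a server could apply to its own error responses:
    a 401 without WWW-Authenticate violates RFC 7235 section 3.1, which is
    exactly the trap the issue describes for private_key_jwt and mTLS clients."""
    if status == 401 and "WWW-Authenticate" not in headers:
        return False
    return True


if __name__ == "__main__":
    for method in sorted(HEADER_AUTH_METHODS | BODY_OR_TLS_AUTH_METHODS):
        status, hdrs, _ = invalid_client_response(method)
        print(f"{method:28} -> {status} "
              f"{hdrs.get('WWW-Authenticate', '(no WWW-Authenticate)')}")
```

Running the module prints one line per method, showing that only client_secret_basic produces a 401 with a challenge header while the FAPI-style methods get a plain 400, which is the behaviour the issue suggests CIBA should explicitly permit.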
Comments (4)
- reporter edited the description
- It does seem reasonable. CIBA probably should have more explicitly allowed for both a 400 or a 401 with invalid_client.
- I agree, the proposed change seems reasonable.
- Related to a query received by the certification team: https://gitlab.com/openid/conformance-suite/-/issues/1311