use invalid_grant rather than unknown_auth_req_id in CIBA
Issue #94
resolved
OAuth has the invalid_grant error status code, which is already sufficient for the "OP doesn't know the auth_req_id that the Client is asking for" case that CIBA currently has the new unknown_auth_req_id error code for.
I'd suggest that CIBA just use what's already provided by the OAuth 2.0 Authorization Framework, with the benefit of not needing to do an IANA registration per issue #86.
from https://tools.ietf.org/html/rfc6749?#section-5.2
invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
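
As an added illustration (not code from this issue or from the CIBA specification), here is a sketch of how an OP's token endpoint could answer a CIBA poll once invalid_grant covers the unknown auth_req_id case. The record type, the in-memory store and the function names are hypothetical, the client is assumed to be already authenticated, and the other error codes come from RFC 6749 and CIBA rather than from this page.

```python
import time
from dataclasses import dataclass

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


@dataclass
class PendingAuth:  # hypothetical server-side record for one auth_req_id
    client_id: str
    expires_at: float
    state: str  # "pending" | "approved" | "denied"


def oauth_error(code):
    # RFC 6749 section 5.2: token endpoint errors are HTTP 400 with an "error" member.
    return 400, {"error": code}


def check_ciba_token_request(store, client_id, params, now=None):
    """Return (status, body) for a rejected poll, or None when tokens may be issued."""
    now = time.time() if now is None else now
    if params.get("grant_type") != CIBA_GRANT:
        return oauth_error("unsupported_grant_type")
    auth_req_id = params.get("auth_req_id")
    if not auth_req_id:
        return oauth_error("invalid_request")
    record = store.get(auth_req_id)
    # An unknown id and an id issued to another client get the same answer,
    # so a client cannot probe which auth_req_id values exist at the OP.
    if record is None or record.client_id != client_id:
        return oauth_error("invalid_grant")
    if now >= record.expires_at:
        return oauth_error("expired_token")
    if record.state == "denied":
        return oauth_error("access_denied")
    if record.state == "pending":
        return oauth_error("authorization_pending")
    return None


# Constructed sample data, not taken from any real deployment.
SAMPLE_STORE = {
    "req-abc": PendingAuth("client-a", expires_at=1000.0, state="pending"),
    "req-done": PendingAuth("client-a", expires_at=1000.0, state="approved"),
}
```
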
Comments (5)
-
Agree!
-
Account Deleted Sounds like the right approach to me as well.
- changed status to resolved
- merged pull request #26
I agree, I'll pick this up in a PR I'm making around error responses.