Archived 2022.11.20. Content moved to error scenarios and responses
Question
What is the appropriate error response when client authentication occurs against the token endpoint and the sub claim on the client assertion is missing or does not match the client?
Answer
The DSB expects the most appropriate response is to return 400 with invalid_client in the body. invalid_client is the RFC 6749 Section 5.2 error for failed client authentication, and it is the error indicated when the sub claim on the client assertion identifies an unknown client.
An alternative is to return 400 with unauthorized_client in the body. This is suggested by RFC 6749 Section 5.2:
unauthorized_client
The authenticated client is not authorized to use this authorization grant type.
This may be a security choice to limit leakage of security context where a malicious user seeks to inject an invalid sub claim, since the response then does not reveal whether the sub was unknown or merely mismatched.
See:
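The validation order behind the answer above, as an added example that is not part of the original article or of any DSB reference implementation. It shows a token endpoint authenticating a private_key_jwt client assertion (RFC 7523, OIDC Core section 9), checking the sub claim before the signature (because sub selects the registered key), and mapping every sub failure (absent, unknown, not equal to iss, not equal to the client_id form parameter) to a 400 invalid_client body. The token endpoint URL, the client registry, the claim values, and the HMAC-based stand-in for PS256/ES256 signature verification are all constructed for the example.

```python
"""Added example: client_assertion sub handling at the token endpoint (not DSB code)."""
import base64
import hashlib
import hmac
import json
import time

TOKEN_ENDPOINT = "https://idp.example.com/token"  # assumed data holder token endpoint
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Error used when sub is present but does not match the client. The DSB's expected
# value is invalid_client; unauthorized_client is the alternative discussed above.
SUB_MISMATCH_ERROR = "invalid_client"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _reject(code: str, description: str) -> dict:
    # RFC 6749 section 5.2 error body; 400 is the status the article recommends
    # (401 is also permitted for invalid_client when an Authorization header was used).
    return {"status": 400, "body": {"error": code, "error_description": description}}


def authenticate_client(form: dict, registered_clients: dict, verify_signature, now=None, used_jtis=None) -> dict:
    """Return {"status": 200, "client_id": ...} on success, else an error response dict.

    verify_signature(signing_input: bytes, signature: bytes, key) -> bool is the
    caller's signature check against the client's registered key material."""
    now = int(time.time()) if now is None else now
    used_jtis = set() if used_jtis is None else used_jtis
    if form.get("client_assertion_type") != CLIENT_ASSERTION_TYPE:
        return _reject("invalid_client", "client_assertion_type is not jwt-bearer")
    parts = form.get("client_assertion", "").split(".")
    if len(parts) != 3:
        return _reject("invalid_client", "client_assertion is not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, TypeError):
        return _reject("invalid_client", "client_assertion is malformed")

    # Claims are untrusted until the signature is checked, but the signature cannot be
    # checked until sub tells us which registered key to use. So sub is inspected first,
    # and every failure is reported as invalid_client without distinguishing the cause.
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return _reject("invalid_client", "client_assertion has no sub claim")
    if claims.get("iss") != sub:
        return _reject(SUB_MISMATCH_ERROR, "iss and sub must both be the client_id")
    if "client_id" in form and form["client_id"] != sub:
        return _reject(SUB_MISMATCH_ERROR, "sub does not match client_id")
    client = registered_clients.get(sub)
    if client is None:
        return _reject("invalid_client", "unknown client")

    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if header.get("alg") not in client["algs"] or not verify_signature(signing_input, signature, client["key"]):
        return _reject("invalid_client", "client_assertion signature is invalid")

    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        return _reject("invalid_client", "aud does not include the token endpoint")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return _reject("invalid_client", "client_assertion has expired")
    jti = claims.get("jti")
    if not jti or jti in used_jtis:
        return _reject("invalid_client", "jti missing or replayed")
    used_jtis.add(jti)
    return {"status": 200, "client_id": sub}


# Constructed stand-in for PS256/ES256: HMAC-SHA256 with a per-client secret. A real
# data holder verifies against the public key published in the client's JWKS.
def _toy_sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def _toy_verify(signing_input: bytes, signature: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(_toy_sign(signing_input, secret), signature)


def make_assertion(claims: dict, secret: bytes) -> str:
    header = _b64url_encode(json.dumps({"alg": "PS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(_toy_sign(f'{header}.{payload}'.encode(), secret))}"


CLIENTS = {"adr-123": {"key": b"adr-123-secret", "algs": ["PS256", "ES256"]}}  # constructed registry
NOW = 1_700_000_000  # fixed clock so the scenarios are reproducible


def base_claims(**overrides) -> dict:
    claims = {"iss": "adr-123", "sub": "adr-123", "aud": TOKEN_ENDPOINT, "exp": NOW + 300, "jti": "jti-1"}
    claims.update(overrides)
    return {k: v for k, v in claims.items() if v is not None}  # None drops a claim


def token_request(claims: dict, secret: bytes = b"adr-123-secret", client_id=None) -> dict:
    form = {"grant_type": "client_credentials", "client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": make_assertion(claims, secret)}
    if client_id:
        form["client_id"] = client_id
    return authenticate_client(form, CLIENTS, _toy_verify, now=NOW)


if __name__ == "__main__":
    print(token_request(base_claims()))
    print(token_request(base_claims(sub=None)))            # missing sub
    print(token_request(base_claims(sub="other", iss="other")))  # unknown client
    print(token_request(base_claims(), client_id="other"))  # sub != client_id
```

The ordering matters: a missing or unknown sub is rejected before any key lookup or signature work, so an attacker probing the endpoint with fabricated sub values gets the same invalid_client body (and the same status) as one presenting a badly signed assertion for a real client.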