
Need to change error response from invalid_grant to unauthorized_client

    Details

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      RH-SSO server returns the invalid_grant error response when a client sends a request with grant_type=password while the Direct Access Grant is disabled.

      According to RFC 6749, it seems better to return the unauthorized_client error response.

      5.2. Error Response

      The authorization server responds with an HTTP 400 (Bad Request)
      status code (unless specified otherwise) and includes the following
      parameters with the response:

      error
      REQUIRED. A single ASCII [USASCII] error code from the
      following:
      ...
      invalid_grant
      The provided authorization grant (e.g., authorization
      code, resource owner credentials) or refresh token is
      invalid, expired, revoked, does not match the redirection
      URI used in the authorization request, or was issued to
      another client.

      unauthorized_client
      The authenticated client is not authorized to use this
      authorization grant type.
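To make the difference between the two error codes concrete, here is an added example (not Keycloak or RH-SSO code, and not part of the issue) of a toy token endpoint that implements the RFC 6749 section 5.2 mapping the issue asks for, side by side with the reported behaviour. The `Client`, `USERS`, `direct_access_grants_enabled` flag and `client_next_step` classifier are assumptions made for the illustration; the client and user records are constructed sample data.

```python
"""Added example (not Keycloak/RH-SSO code): a toy OAuth 2.0 token endpoint
showing the RFC 6749 section 5.2 error mapping the issue asks for, and why it
matters to a client.  Client and user records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    client_id: str
    secret: str
    direct_access_grants_enabled: bool  # assumed per-client switch for grant_type=password


# Constructed sample data, not a real realm.
CLIENTS = {
    "web-app": Client("web-app", "s3cret", direct_access_grants_enabled=False),
    "cli-tool": Client("cli-tool", "t0psecret", direct_access_grants_enabled=True),
}
USERS = {"alice": "correct horse battery staple"}


def _error(code: str, description: str) -> tuple[int, dict]:
    # RFC 6749 section 5.2: HTTP 400 with a JSON body carrying a single error code.
    return 400, {"error": code, "error_description": description}


def token_endpoint(form: dict, reported_behaviour: bool = False) -> tuple[int, dict]:
    """Handle a token request given as the parsed form body.

    reported_behaviour=True reproduces what the issue describes (invalid_grant for a
    client whose Direct Access Grant is disabled); False applies the mapping the
    issue proposes (unauthorized_client).
    """
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or client.secret != form.get("client_secret"):
        # Client authenticated via form parameters, so 400 is allowed here
        # (401 is required only when the client used the Authorization header).
        return _error("invalid_client", "Client authentication failed")

    grant_type = form.get("grant_type")
    if grant_type != "password":
        return _error("unsupported_grant_type", f"Unsupported grant_type {grant_type!r}")

    if not client.direct_access_grants_enabled:
        if reported_behaviour:
            return _error("invalid_grant", "Client not allowed for direct access grants")
        # "The authenticated client is not authorized to use this authorization grant type."
        return _error("unauthorized_client", "Client not allowed for direct access grants")

    # The grant itself is the resource owner's credentials: wrong ones are an invalid_grant.
    username, password = form.get("username"), form.get("password")
    if username is None or password is None or USERS.get(username) != password:
        return _error("invalid_grant", "Invalid user credentials")
    return 200, {"access_token": "opaque-token-for-" + username, "token_type": "Bearer"}


def client_next_step(status: int, body: dict) -> str:
    """What a well-behaved client does with the response, keyed on the error code."""
    if status == 200:
        return "use-token"
    return {
        "invalid_grant": "reprompt-user-credentials",        # credentials wrong or stale
        "unauthorized_client": "fix-client-configuration",   # new credentials cannot help
        "invalid_client": "fix-client-credentials",
        "unsupported_grant_type": "use-another-grant",
    }.get(body.get("error"), "give-up")


def demo() -> dict:
    disabled = {"grant_type": "password", "client_id": "web-app", "client_secret": "s3cret",
                "username": "alice", "password": "correct horse battery staple"}
    wrong_pw = dict(disabled, client_id="cli-tool", client_secret="t0psecret", password="nope")
    before = token_endpoint(disabled, reported_behaviour=True)
    after = token_endpoint(disabled)
    bad_creds = token_endpoint(wrong_pw)
    return {
        "before": before, "after": after, "bad_credentials": bad_creds,
        # With the reported behaviour a disabled client and a wrong password look the same:
        "before_indistinguishable": client_next_step(*before) == client_next_step(*bad_creds),
        "after_indistinguishable": client_next_step(*after) == client_next_step(*bad_creds),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The practical point is in `client_next_step`: with the reported behaviour, a client whose Direct Access Grant is disabled receives the same `invalid_grant` it would get for a wrong password, so it keeps re-prompting the user for credentials that can never work; with `unauthorized_client` it can tell the operator that the client configuration is the problem.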

              People

              • Assignee:
                Unassigned
                Reporter:
                yoshiyuki_tabata 義之 田畑