Document OAuth token-endpoint error codes and statuses#1025
Merged
Conversation
The token endpoint (POST /v2/oauth/access_token) now returns RFC 6749-aligned error codes and statuses on the failure paths:
- invalid_grant (400) for an unknown or expired code, or a client_id that does not match the grant.
- invalid_client (401) when client authentication fails, for example an incorrect client_secret.
- invalid_request (400) for an unsupported grant_type or a redirect_uri or state that does not match the authorization request.

Add an Error Responses section to the OAuth guide and a 401 response, plus an updated 400 description, to the OpenAPI definition. The 200 happy path is unchanged.
Summary
Documents the observable error-code and status changes to the OAuth token endpoint (POST /v2/oauth/access_token). The errors and statuses are:
- invalid_grant (400): the authorization code is unknown or expired, or it was not issued to the supplied client_id (previously invalid_request / 400).
- invalid_client (401): client authentication failed, for example an incorrect client_secret (previously invalid_request / 400; the 401 status is new for this endpoint).
- invalid_request (400): unsupported grant_type, or a redirect_uri/state that does not match the authorization request (unchanged).

The 200 happy-path response is bit-identical, so no fixture changes were needed.
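The following is an added, stand-alone illustration of the error mapping described in this pull request and in the summary above; it is not the project's own token endpoint code. It models POST /v2/oauth/access_token for the authorization_code grant and returns the (status, headers, body) triple for each failure path: invalid_client (401) for a failed client authentication, invalid_grant (400) for an unknown, expired or mis-issued code, and invalid_request (400) for an unsupported grant_type or a redirect_uri/state mismatch. The client and code records are constructed sample data, the order in which the checks run is an assumption (the PR does not state it), and the WWW-Authenticate header on the 401 follows RFC 6749 section 5.2 rather than anything this PR documents.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample registrations for this example (a real server would use a store).
REGISTERED_CLIENTS = {
    "client-abc": {"secret": "s3cret-abc", "redirect_uri": "https://app.example/cb"},
    "client-xyz": {"secret": "s3cret-xyz", "redirect_uri": "https://other.example/cb"},
}


@dataclass
class AuthCode:
    """An authorization code as recorded when the authorization request was approved."""
    client_id: str
    redirect_uri: str
    state: str
    expires_at: float
    used: bool = False


# Constructed sample codes: one valid for client-abc, one already expired.
ISSUED_CODES = {
    "code-123": AuthCode("client-abc", "https://app.example/cb", "xyz", time.time() + 600),
    "code-old": AuthCode("client-abc", "https://app.example/cb", "xyz", time.time() - 1),
}


def error(status, code, description):
    """Build an RFC 6749 style error response; 401 carries a WWW-Authenticate challenge."""
    headers = {"Cache-Control": "no-store", "Content-Type": "application/json"}
    if status == 401:
        headers["WWW-Authenticate"] = 'Basic realm="oauth"'
    return status, headers, {"error": code, "error_description": description}


def token_endpoint(form, client_id, client_secret):
    """Handle a token request; `form` is the parsed POST body, the credentials come
    from HTTP Basic auth. Check order is an assumption, not the project's contract."""
    client = REGISTERED_CLIENTS.get(client_id)
    # invalid_client (401): unknown client or wrong secret. Compare against a dummy
    # for unknown clients so the timing does not reveal whether the client_id exists.
    expected = (client["secret"] if client else "").encode()
    secret_ok = hmac.compare_digest(expected, client_secret.encode())
    if client is None or not secret_ok:
        return error(401, "invalid_client", "client authentication failed")

    # invalid_request (400): only authorization_code is supported here.
    if form.get("grant_type") != "authorization_code":
        return error(400, "invalid_request", "unsupported grant_type")

    # invalid_grant (400): unknown, already used or expired code.
    code = ISSUED_CODES.get(form.get("code", ""))
    if code is None or code.used or code.expires_at < time.time():
        return error(400, "invalid_grant", "authorization code is unknown or expired")

    # invalid_grant (400): code was issued to a different client_id.
    if code.client_id != client_id:
        return error(400, "invalid_grant", "authorization code was not issued to this client")

    # invalid_request (400): redirect_uri/state differ from the authorization request.
    if form.get("redirect_uri") != code.redirect_uri or form.get("state") != code.state:
        return error(400, "invalid_request", "redirect_uri or state does not match the authorization request")

    # Happy path: codes are single use, so mark it consumed before issuing the token.
    code.used = True
    body = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    return 200, {"Cache-Control": "no-store", "Content-Type": "application/json"}, body


if __name__ == "__main__":
    good = {"grant_type": "authorization_code", "code": "code-123",
            "redirect_uri": "https://app.example/cb", "state": "xyz"}
    print(token_endpoint(good, "client-abc", "wrong-secret")[0], "-> invalid_client")
    print(token_endpoint(dict(good, code="code-old"), "client-abc", "s3cret-abc")[2]["error"])
    print(token_endpoint(good, "client-abc", "s3cret-abc")[0], "-> token issued")
```

The distinction between the three codes matters to a client: invalid_client means the client's own credentials are wrong and retrying the same request is pointless, invalid_grant means the user must go back through the authorization step, and invalid_request points at a bug in how the client built the request.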