Hi,

In IS 5.4.1, if there is no client authentication in the token request, we are giving the error code *unsupported_client_authentication_method*. According to the spec [1], if there is no client authentication or an unsupported client authentication method, it falls under "invalid_client":

> invalid_client
> Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.

According to the spec, there is no standard error code like *unsupported_client_authentication_method*. Is there any specific reason to introduce a new error code *unsupported_client_authentication_method* in IS 5.4.1?

Example:

request:

    curl -k -d "grant_type=client_credentials" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

response:

    {"error_description":"Unsupported Client Authentication Method!","error":"unsupported_client_authentication_method"}

Please correct me if I'm wrong.

[1] https://tools.ietf.org/html/rfc6749#section-5.2

Thanks,
Nila.

--
Nilasini Thirunavukkarasu
Software Engineer - WSO2
Email : nilas...@wso2.com
Mobile : +94775241823
Web : http://wso2.com/
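As an added example (not WSO2 code and not part of the original post), the following checks a token-endpoint error response against the RFC 6749 section 5.2 rules quoted above and builds the conformant response for the no-client-authentication case. The HTTP status of the IS 5.4.1 response is not shown in the post, so the 400 used for it here is an assumption.

```python
"""Conformance check for OAuth 2.0 token-endpoint error responses (RFC 6749 §5.2).

Added example, not WSO2 code. It checks an observed error response against the
error codes the spec defines and the client-authentication rules, then offers
a conformant replacement for the no/unsupported-client-authentication case.
"""
import json

# Error codes RFC 6749 §5.2 defines for token endpoint error responses.
RFC6749_TOKEN_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

# Response body observed from IS 5.4.1 in the post (status code assumed: 400).
OBSERVED_BODY = ('{"error_description":"Unsupported Client Authentication Method!",'
                 '"error":"unsupported_client_authentication_method"}')


def check_token_error_response(status, headers, body, client_used_auth_header):
    """Return a list of spec violations; an empty list means conformant."""
    try:
        err = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    problems = []
    code = err.get("error")
    if code is None:
        problems.append("missing REQUIRED 'error' member")
    elif code not in RFC6749_TOKEN_ERRORS:
        problems.append(f"non-standard error code {code!r}")
    if code == "invalid_client":
        if status not in (400, 401):
            problems.append(f"invalid_client with status {status}; expected 400 or 401")
        # Client tried the Authorization header: 401 + WWW-Authenticate are MUSTs.
        if client_used_auth_header:
            hdrs = {k.lower() for k in headers}
            if status != 401:
                problems.append("Authorization header used: status MUST be 401")
            if "www-authenticate" not in hdrs:
                problems.append("Authorization header used: WWW-Authenticate MUST be present")
    return problems


def invalid_client_response(client_used_auth_header, scheme="Basic", realm="oauth2"):
    """Build the §5.2-conformant response for no or unsupported client authentication."""
    body = json.dumps({"error": "invalid_client",
                       "error_description": "Client authentication failed"})
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if client_used_auth_header:  # challenge with the scheme the client attempted
        headers["WWW-Authenticate"] = f'{scheme} realm="{realm}"'
    return 401, headers, body
```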
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev