Changed 'invalid_grant' to:
The provided authorization grant is invalid, expired,
revoked, does not match the
redirection URI used in the authorization request, or was
issued to another client.
EHL
> -----Original Message-----
> From: Mark Kent [mailto:[email protected]]
> Sent: Thursday, March 24, 2011 4:43 PM
> To: Eran Hammer-Lahav; [email protected]
> Subject: Re: draft-ietf-oauth-v2-13 comments
>
> >> 3. I believe that section 5.2 is ambiguous as to the error code that
> >> should be returned from the token endpoint when the client
> >> credentials are valid, when the client is authorized to use the
> >> authorization code grant type in general, but when the authorization
> >> code supplied is not valid for the client. I could see
> >> unauthorized_client being right, but the wording of the section
> >> doesn't include the exact case above. Please clarify.
> >
> > Why not 'invalid_grant'? If I understand your use case, the client is
> > trying to use a code issued to another client, which makes the code invalid.
>
> It wasn't clear to me, when combining the last paragraph in section 4.1.3 with
> section 5.2 that the code not matching the client meant that the code was
> invalid. While you intend the term "invalid" in the context of a code/grant
> (in,
> e.g. Section 5.2) to be a general catch-all for errors, I missed that when
> reading the document. Perhaps a quick nod to this concept somewhere in
> either section 1.4 or 5.2 might have helped me out.
>
> Thanks for the other answers - quite clear.
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
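The case Mark raises (valid client credentials, client permitted to use the authorization code grant, but the supplied code was issued to a different client) comes down to the order in which a token endpoint runs its checks and which section 5.2 error each one maps to. The following is an added example written for this page, not code from the draft or from either poster; the client registry, the stored codes, the expiry times and the `token_endpoint` function are all constructed for illustration. It treats "invalid" the way the reply describes: anything wrong with the code itself (unknown, used, expired, issued to another client, or not matching the redirection URI) is `invalid_grant`, while a client that may not use the grant type at all gets `unauthorized_client`.

```python
"""Token-endpoint error selection for the authorization code grant (illustrative).

Error codes are those of draft-ietf-oauth-v2-13 section 5.2. The registry,
codes and timestamps below are constructed sample data, not real values.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ERROR_CODES = {"invalid_request", "invalid_client", "invalid_grant",
               "unauthorized_client", "unsupported_grant_type", "invalid_scope"}


@dataclass
class IssuedCode:
    """What the server remembers about a code at the time it was issued."""
    client_id: str                 # client the code was issued to
    redirect_uri: Optional[str]    # redirect_uri from the authorization request, if sent
    expires_at: int                # Unix time after which the code is dead
    used: bool = False             # codes are single use


# Constructed registry: client-a may use the code grant, client-b may not.
CLIENT_SECRETS = {"client-a": "secret-a", "client-b": "secret-b"}
CLIENT_GRANT_TYPES = {"client-a": {"authorization_code"}, "client-b": set()}

# Constructed store of outstanding codes, keyed by the code value.
CODES = {
    "code-for-a": IssuedCode("client-a", "https://a.example/cb", expires_at=1_000_600),
    "code-for-b": IssuedCode("client-b", None, expires_at=1_000_600),
}


def error(code: str, description: str) -> dict:
    """Build a section 5.2 error response body."""
    assert code in ERROR_CODES
    return {"error": code, "error_description": description}


def token_endpoint(params: dict, now: int, codes: dict = CODES) -> dict:
    """Decide the response to an access token request for the code grant.

    Checks run client -> grant type -> grant, so a failure is attributed to
    the earliest thing that is actually wrong.
    """
    # 1. Authenticate the client (invalid_client). Constant-time compare.
    client_id = params.get("client_id")
    expected = CLIENT_SECRETS.get(client_id)
    if expected is None or not hmac.compare_digest(params.get("client_secret", ""), expected):
        return error("invalid_client", "client authentication failed")

    # 2. Is the grant type one this server supports, and is this client allowed to use it?
    grant_type = params.get("grant_type")
    if grant_type != "authorization_code":
        return error("unsupported_grant_type", "only authorization_code is supported here")
    if grant_type not in CLIENT_GRANT_TYPES.get(client_id, set()):
        return error("unauthorized_client", "client may not use the authorization code grant")

    # 3. Validate the grant itself. Everything from here on is invalid_grant,
    #    including a code that belongs to some other client.
    code_value = params.get("code")
    if not code_value:
        return error("invalid_request", "missing code parameter")
    issued = codes.get(code_value)
    if issued is None or issued.used:
        return error("invalid_grant", "code is unknown, already used, or revoked")
    if now >= issued.expires_at:
        return error("invalid_grant", "code has expired")
    if issued.client_id != client_id:
        return error("invalid_grant", "code was issued to another client")
    if issued.redirect_uri is not None and params.get("redirect_uri") != issued.redirect_uri:
        return error("invalid_grant", "redirect_uri does not match the authorization request")

    # 4. Success: burn the code and mint a token (token format is an assumption).
    issued.used = True
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "expires_in": 3600}


if __name__ == "__main__":
    base = {"client_id": "client-a", "client_secret": "secret-a", "grant_type": "authorization_code"}
    # Mark's case: client-a is fine, but the code belongs to client-b.
    print(token_endpoint({**base, "code": "code-for-b"}, now=1_000_000))
    # Happy path, then a replay of the same code.
    print(token_endpoint({**base, "code": "code-for-a", "redirect_uri": "https://a.example/cb"}, now=1_000_000))
    print(token_endpoint({**base, "code": "code-for-a", "redirect_uri": "https://a.example/cb"}, now=1_000_000))
```

The ordering is the point: `unauthorized_client` is only reachable before the code is examined, so once a properly authenticated, properly authorized client presents a code, every remaining failure is a property of the grant and is reported as `invalid_grant`. A server that instead looked up the code first and reported the owning client's authorization status would leak which client a stolen code belongs to.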