access_ denied
Registry Context
The resource owner or authorization server denied the authorization request.
Technical Summary
RFC 6749 defines `access_denied` as an `error` value in authorization code and implicit grant error responses. OAuth extension error names and authorization-response `error` values are restricted to specified ASCII character sets.
When Used
In an authorization error response when the resource owner or authorization server denied the request. RFC 9700 advises clients not to use the implicit grant unless its token-injection and leakage risks are mitigated.
Normative Requirements
Clients
RFC 9700 - Section 2.1.2
use the implicit grant or another response type that issues access tokens in the authorization response..
Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.
Clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.
Authorization servers
RFC 6749 - Section 4.1.2.1
include characters outside `%x20-21 / %x23-5B / %x5D-7E` in the `error` parameter..
Condition: In an authorization code grant error response.
Values for the "error" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
RFC 6749 - Section 4.2.2.1
include characters outside `%x20-21 / %x23-5B / %x5D-7E` in the `error` parameter..
Condition: In an implicit grant error response.
Values for the "error" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
RFC 6749 - Section 4.1.2.1
include a single ASCII `error` code in the authorization code grant error response..
Condition: When informing the client of an authorization error through the redirection URI.
error REQUIRED. A single ASCII [USASCII] error code from the following:
RFC 6749 - Section 4.2.2.1
include a single ASCII `error` code in the implicit grant error response..
Condition: When informing the client of an authorization error through the redirection URI.
error REQUIRED. A single ASCII [USASCII] error code from the following:
Registry entry error name
RFC 6749 - Section 11.4.1
include characters outside the permitted ASCII set `%x20-21 / %x23-5B / %x5D-7E`..
Condition: When registering an OAuth extension error name.
Values for the error name MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
Validation Guidance
Reject registered error names containing characters outside `%x20-21 / %x23-5B / %x5D-7E`.
For an authorization code grant error redirect, require one ASCII `error` value and reject values outside the permitted character set.
For an implicit grant error redirect, require one ASCII `error` value and reject values outside the permitted character set.
Interpret `access_denied` as indicating that the resource owner or authorization server denied the request.
Flag client use of the implicit grant unless access-token injection and leakage risks are mitigated.
Security Notes
RFC 9700 - Section 2.1.2
The implicit grant exposes access tokens in authorization responses and is vulnerable to token leakage and replay. RFC 9700 advises clients against using it unless the stated risks are mitigated.
Reference
Details
- Entry Id
access_denied - Name
access_denied - Usage Location
authorization endpoint- Protocol Extension
OAuth 2.0 Authorization Framework- Change Controller
IETF- Reference
RFC6749