oauth2.dev

access_denied

IETF

Registry Context

The resource owner or authorization server denied the authorization request.

Technical Summary

RFC 6749 defines `access_denied` as an `error` value in authorization code and implicit grant error responses. OAuth extension error names and authorization-response `error` values are restricted to specified ASCII character sets.

When Used

In an authorization error response when the resource owner or authorization server denied the request. RFC 9700 advises clients not to use the implicit grant unless its token-injection and leakage risks are mitigated.

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use the implicit grant or another response type that issues access tokens in the authorization response..

    Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

    Clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.

Authorization servers

MUST NOT
2
  1. RFC 6749 - Section 4.1.2.1

    include characters outside `%x20-21 / %x23-5B / %x5D-7E` in the `error` parameter..

    Condition: In an authorization code grant error response.

    Values for the "error" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

  2. RFC 6749 - Section 4.2.2.1

    include characters outside `%x20-21 / %x23-5B / %x5D-7E` in the `error` parameter..

    Condition: In an implicit grant error response.

    Values for the "error" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

REQUIRED
2
  1. RFC 6749 - Section 4.1.2.1

    include a single ASCII `error` code in the authorization code grant error response..

    Condition: When informing the client of an authorization error through the redirection URI.

    error REQUIRED. A single ASCII [USASCII] error code from the following:

  2. RFC 6749 - Section 4.2.2.1

    include a single ASCII `error` code in the implicit grant error response..

    Condition: When informing the client of an authorization error through the redirection URI.

    error REQUIRED. A single ASCII [USASCII] error code from the following:

Registry entry error name

MUST NOT
1
  1. RFC 6749 - Section 11.4.1

    include characters outside the permitted ASCII set `%x20-21 / %x23-5B / %x5D-7E`..

    Condition: When registering an OAuth extension error name.

    Values for the error name MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

Validation Guidance

error

Reject registered error names containing characters outside `%x20-21 / %x23-5B / %x5D-7E`.

error

For an authorization code grant error redirect, require one ASCII `error` value and reject values outside the permitted character set.

error

For an implicit grant error redirect, require one ASCII `error` value and reject values outside the permitted character set.

error

Interpret `access_denied` as indicating that the resource owner or authorization server denied the request.

warning

Flag client use of the implicit grant unless access-token injection and leakage risks are mitigated.

Security Notes

RFC 9700 - Section 2.1.2

The implicit grant exposes access tokens in authorization responses and is vulnerable to token leakage and replay. RFC 9700 advises clients against using it unless the stated risks are mitigated.

Reference

Details

Entry Id
access_denied
Name
access_denied
Usage Location
authorization endpoint
Protocol Extension
OAuth 2.0 Authorization Framework
Change Controller
IETF
Reference
RFC6749