oauth2.dev

invalid_client

IETF

Registry Context

`invalid_client` is the OAuth error code for failed client authentication.

Technical Summary

RFC 6749 section 5.2 defines `invalid_client` as a registered `error` value in token endpoint error responses and specifies the HTTP 401 / `WWW-Authenticate` handling that applies when the client attempted to authenticate via the `Authorization` request header field.

When Used

When the authorization server rejects client authentication at the token endpoint.

Normative Requirements

Authorization servers

MUST NOT (1)
  1. RFC 6749 - Section 5.2

    include characters outside the permitted ASCII set in the `error` parameter value.

    Condition: when serializing the `error` parameter

    Excerpt: MUST NOT include characters outside

MUST (2)
  1. RFC 6749 - Section 5.2

    use `invalid_client` as the `error` value for client authentication failures.

    Condition: when generating a token endpoint error response for client authentication failure

    Excerpt: invalid_client: Client authentication failed

  2. RFC 6749 - Section 5.2

    respond with HTTP 401 Unauthorized and include a `WWW-Authenticate` response header field matching the authentication scheme used by the client.

    Condition: if the client attempted to authenticate via the `Authorization` request header field

    Excerpt: MUST respond with HTTP 401 and include WWW-Authenticate

MAY (1)
  1. RFC 6749 - Section 5.2

    return HTTP 401 Unauthorized to indicate which HTTP authentication schemes are supported.

    Condition: when reporting `invalid_client`

    Excerpt: MAY return an HTTP 401

Validation Guidance

error: Verify `error` is set to `invalid_client` only for client authentication failures.

error: Verify the `error` value contains only permitted ASCII characters.

error: If the client authenticated via the `Authorization` header, verify the response status is 401 and `WWW-Authenticate` is present.

info: If using 401 to signal supported authentication schemes, verify the response is still a valid `invalid_client` error response.
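The following is an added illustration, not code from oauth2.dev or from RFC 6749: a minimal token endpoint responder that applies the normative requirements above, plus a checker that applies the validation guidance. The HTTP response is modelled as a plain dict, the realm value is an assumption, and the ASCII restriction is the `%x20-21 / %x23-5B / %x5D-7E` set from RFC 6749 section 5.2 (the default 400 status for other token errors is also from that section).

```python
import re

# RFC 6749 section 5.2: error values are limited to %x20-21 / %x23-5B / %x5D-7E,
# i.e. printable ASCII without '"' (0x22) and '\' (0x5C).
_ERROR_VALUE_RE = re.compile(r"[\x20-\x21\x23-\x5b\x5d-\x7e]+")


def error_value_is_valid(value: str) -> bool:
    """True when the whole string stays inside the permitted ASCII set."""
    return _ERROR_VALUE_RE.fullmatch(value) is not None


def build_invalid_client_response(request_headers: dict) -> dict:
    """Token endpoint error response for a failed client authentication.

    request_headers is the header map of the failing token request (lookup is
    case-insensitive). Returns a dict modelling status, headers and JSON body.
    """
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}
    auth = next((v for k, v in request_headers.items() if k.lower() == "authorization"), None)
    if auth:
        # Client used the Authorization header: MUST answer 401 and echo the scheme in WWW-Authenticate.
        scheme = auth.split(None, 1)[0]
        status = 401
        headers["WWW-Authenticate"] = f'{scheme} realm="token"'  # realm name is an assumption
    else:
        # Credentials came in the body (or were absent): RFC 6749 5.2 default is 400;
        # a server MAY use 401 instead to advertise the schemes it supports.
        status = 400
    body = {"error": "invalid_client", "error_description": "Client authentication failed"}
    return {"status": status, "headers": headers, "body": body}


def check_invalid_client_response(response: dict, used_authorization_header: bool) -> list:
    """Apply the page's validation guidance; returns a list of findings, empty when compliant."""
    findings = []
    error = response["body"].get("error", "")
    if error != "invalid_client":
        findings.append("error must be invalid_client")
    if not error_value_is_valid(error):
        findings.append("error contains characters outside the permitted ASCII set")
    if used_authorization_header:
        if response["status"] != 401:
            findings.append("status must be 401 when the Authorization header was used")
        if "WWW-Authenticate" not in response["headers"]:
            findings.append("WWW-Authenticate header is missing")
    elif response["status"] not in (400, 401):
        findings.append("status should be 400 (default) or 401")
    return findings
```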

Reference

Details

Entry Id: invalid_client
Name: invalid_client
Usage Location: token endpoint, authorization endpoint
Protocol Extension: OAuth 2.0 Authorization Framework
Change Controller: IETF
Reference: RFC6749