oauth2.dev

invalid_grant

IETF

Registry Context

OAuth 2.0 token endpoint error code for an invalid authorization grant or refresh token.

Technical Summary

Registered OAuth 2.0 error code used in token endpoint error responses (an HTTP 400 response with a JSON body, per RFC 6749 Section 5.2). RFC 6749 defines it for cases where the authorization grant (for example an authorization code or resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

When Used

When the provided authorization grant or refresh token fails validation for any of the reasons listed in RFC 6749 Section 5.2: it is invalid, expired or revoked, the redirection URI does not match the one used in the authorization request, or it was issued to another client. It is distinct from invalid_request (a malformed token request) and invalid_client (client authentication failure).

Normative Requirements

Authorization servers

MUST
  1. RFC 6749 - Section 4.1.3

    Verify that the authorization code is valid before proceeding with the token request.

    Condition: for an authorization code grant access token request

    "verify that the authorization code is valid"

  2. RFC 6749 - Section 6

    Return an error response as described in Section 5.2.

    Condition: if a refresh request failed verification or is invalid

    "If the request failed verification or is invalid, the authorization server returns an error response"

REQUIRED
  1. RFC 6749 - Section 5.2

    Include an `error` parameter in every token endpoint error response; its value must be a single ASCII error code from the set defined in Section 5.2, which includes `invalid_grant`.

    Condition: when returning an access-token error response

    "error REQUIRED. A single ASCII [USASCII] error code from the following"

Validation Guidance

error

Reject or flag any token endpoint error value that is not a single ASCII error code. RFC 6749 Section 5.2 defines invalid_request, invalid_client, invalid_grant, unauthorized_client, unsupported_grant_type and invalid_scope; extensions register further codes in the IANA OAuth Extensions Error registry (for example authorization_pending from RFC 8628), so a client that implements those extensions must accept the registered codes as well, not only the RFC 6749 set.

error

Treat invalid or failed refresh-token verification as an error response path under RFC 6749 Section 5.2.

error

Ensure the authorization code is fully validated before any token is issued: it must exist, be unexpired and unused, have been issued to the authenticated client, and the redirect_uri in the token request must match the one used in the authorization request. A failure of any of these checks is an invalid_grant error, never a partial success.
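The server behaviour behind the requirements above and the client-side check in this guidance, as an added example written for this entry (it is not code from oauth2.dev, RFC 6749, or any particular authorization server). It is a hypothetical in-memory authorization server whose token endpoint validates authorization codes and refresh tokens and answers with a Section 5.2 error response, alongside a client-side check of the error value. The client identifiers, redirection URIs and code lifetime are constructed for the demonstration, and the server assumes the client has already been authenticated before token() is called.

```python
"""Added example: how a token endpoint arrives at invalid_grant (RFC 6749 4.1.3, 5.2, 6)."""
import json
import secrets
import time

# Codes defined in RFC 6749 Section 5.2. Extensions register further codes in the IANA
# OAuth Extensions Error registry; a production client would validate against that full list.
TOKEN_ERROR_CODES = frozenset({"invalid_request", "invalid_client", "invalid_grant",
                               "unauthorized_client", "unsupported_grant_type", "invalid_scope"})
HEADERS = {"Content-Type": "application/json;charset=UTF-8", "Cache-Control": "no-store", "Pragma": "no-cache"}


class AuthorizationServer:
    """Hypothetical in-memory server; `now` is injectable so code expiry can be exercised."""

    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}           # code -> {"client_id", "redirect_uri", "expires_at", "used"}
        self.refresh_tokens = {}  # refresh token -> owning client_id (None once revoked)

    def issue_code(self, client_id, redirect_uri, ttl=600):
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "expires_at": self.now() + ttl, "used": False}
        return code

    def token(self, client_id, form):
        """Token request from an already-authenticated client; returns (status, headers, body)."""
        grant_type = form.get("grant_type")
        if grant_type == "authorization_code":
            err = self._check_code(client_id, form)
        elif grant_type == "refresh_token":
            err = self._check_refresh(client_id, form)
        else:
            err = "unsupported_grant_type"
        if err:  # Section 5.2: HTTP 400 with a JSON body whose `error` is a single ASCII code
            return 400, HEADERS, json.dumps({"error": err})
        refresh = secrets.token_urlsafe(32)  # success: mint an access token and a fresh refresh token
        self.refresh_tokens[refresh] = client_id
        return 200, HEADERS, json.dumps({"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                                         "expires_in": 3600, "refresh_token": refresh})

    def _check_code(self, client_id, form):
        # Section 4.1.3: verify the code before proceeding. A missing parameter is a malformed
        # request (invalid_request); every other failure below is a grant failure (invalid_grant).
        code = form.get("code")
        if not code:
            return "invalid_request"
        c = self.codes.get(code)
        if c is None or c["used"] or c["expires_at"] <= self.now():
            return "invalid_grant"  # unknown, replayed, or expired code
        if c["client_id"] != client_id or c["redirect_uri"] != form.get("redirect_uri"):
            return "invalid_grant"  # issued to another client, or redirect_uri mismatch
        c["used"] = True            # authorization codes are single-use (Section 4.1.2)
        return None

    def _check_refresh(self, client_id, form):
        # Section 6: a refresh token that fails verification gets a Section 5.2 error response.
        tok = form.get("refresh_token")
        if not tok:
            return "invalid_request"
        owner = self.refresh_tokens.get(tok)  # None if unknown or revoked
        if owner is None or owner != client_id:
            return "invalid_grant"
        self.refresh_tokens[tok] = None       # rotation: the presented token is revoked on use
        return None

def parse_token_error(body):
    """Client-side check of a Section 5.2 error body: returns the code, or raises if the
    `error` value is missing, non-ASCII, or not a registered RFC 6749 code."""
    obj = json.loads(body)
    code = obj.get("error") if isinstance(obj, dict) else None
    if not isinstance(code, str) or not code.isascii() or code not in TOKEN_ERROR_CODES:
        raise ValueError(f"unregistered or malformed error value: {code!r}")
    return code

def demo():
    """Walk each invalid_grant path against a fixed clock (constructed clients and URIs)."""
    clock = [1_000.0]
    srv = AuthorizationServer(now=lambda: clock[0])
    cb = "https://client.example/cb"
    req = lambda code, uri=cb: {"grant_type": "authorization_code", "code": code, "redirect_uri": uri}
    rt = lambda tok: {"grant_type": "refresh_token", "refresh_token": tok}
    code = srv.issue_code("client-a", cb)
    out = {"missing_code": parse_token_error(srv.token("client-a", {"grant_type": "authorization_code"})[2]),
           "other_client": parse_token_error(srv.token("client-b", req(code))[2]),
           "uri_mismatch": parse_token_error(srv.token("client-a", req(code, "https://attacker.example/cb"))[2])}
    status, _, body = srv.token("client-a", req(code))      # the legitimate exchange
    out["exchange"], refresh = status, json.loads(body)["refresh_token"]
    out["replay"] = parse_token_error(srv.token("client-a", req(code))[2])
    out["refresh_other_client"] = parse_token_error(srv.token("client-b", rt(refresh))[2])
    out["refresh"] = srv.token("client-a", rt(refresh))[0]
    out["refresh_replay"] = parse_token_error(srv.token("client-a", rt(refresh))[2])
    code = srv.issue_code("client-a", cb, ttl=60)
    clock[0] += 61  # step past the code's lifetime
    out["expired"] = parse_token_error(srv.token("client-a", req(code))[2])
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the outcome of each path: a missing code parameter is invalid_request, while a wrong client, a redirect_uri mismatch, a replayed code, an expired code, a refresh token presented by another client, and a refresh token replayed after rotation are all invalid_grant. The failing paths never mark the code as used, so a single wrong-client attempt does not burn a legitimate code; whether to revoke on such attempts is a policy choice RFC 6749 leaves to the server.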

Reference

Details

Entry Id
invalid_grant
Name
invalid_grant
Usage Location
token endpoint
Protocol Extension
OAuth 2.0 Authorization Framework
Change Controller
IETF
Reference
RFC6749