oauth2.dev

invalid_request

IETF

Registry Context

An OAuth error code indicating that a request is missing required information, contains invalid, unsupported, repeated, or conflicting parameters or credentials, or is otherwise malformed.

Technical Summary

The `invalid_request` error value is defined for RFC 6749 authorization code, implicit grant, and token error responses. RFC 6750 additionally registers it for bearer-token resource access error responses.

When Used

Used by an authorization server for malformed authorization or token requests, and by a resource server for malformed bearer-token requests, including requests that use more than one method to carry an access token.

Normative Requirements

Authorization servers

MUST NOT
5
  1. RFC 6749 - Section 4.1.2.1

    Automatically redirect the user-agent to the invalid redirect URI..

    Condition: When an authorization code request fails because the redirect URI is missing, invalid, or mismatched, or because the client identifier is missing or invalid.

    MUST NOT automatically redirect the user-agent to the invalid redirection URI

  2. RFC 6749 - Section 4.1.2.1

    Include characters outside `%x20-21 / %x23-5B / %x5D-7E` in the `error` parameter..

    Condition: When returning an authorization code grant error response.

    Values for the "error" parameter MUST NOT include characters outside the set

  3. RFC 6749 - Section 4.2.2.1

    Automatically redirect the user-agent to the invalid redirect URI..

    Condition: When an implicit grant request fails because the redirect URI is missing, invalid, or mismatched, or because the client identifier is missing or invalid.

    MUST NOT automatically redirect the user-agent to the invalid redirection URI

  4. RFC 6749 - Section 4.2.2.1

    Include characters outside `%x20-21 / %x23-5B / %x5D-7E` in the `error` parameter..

    Condition: When returning an implicit grant error response.

    Values for the "error" parameter MUST NOT include characters outside the set

  5. RFC 6749 - Section 5.2

    Include characters outside `%x20-21 / %x23-5B / %x5D-7E` in the `error` parameter..

    Condition: When returning a token error response.

    Values for the "error" parameter MUST NOT include characters outside the set

REQUIRED
5
  1. RFC 6749 - Section 4.1.2.1

    Include a single ASCII `error` code, for which `invalid_request` is a defined value..

    Condition: When returning an authorization code grant error response through a valid redirect URI.

    error REQUIRED. A single ASCII [USASCII] error code from the following

  2. RFC 6749 - Section 4.1.2.1

    Return the exact `state` value received from the client..

    Condition: When the authorization code request contained a `state` parameter.

    state REQUIRED if a "state" parameter was present in the client authorization request

  3. RFC 6749 - Section 4.2.2.1

    Include a single ASCII `error` code, for which `invalid_request` is a defined value..

    Condition: When returning an implicit grant error response through a valid redirect URI.

    error REQUIRED. A single ASCII [USASCII] error code from the following

  4. RFC 6749 - Section 4.2.2.1

    Return the exact `state` value received from the client..

    Condition: When the implicit grant request contained a `state` parameter.

    state REQUIRED if a "state" parameter was present in the client authorization request

  5. RFC 6749 - Section 5.2

    Include a single ASCII `error` code, for which `invalid_request` is a defined value..

    Condition: When returning a token error response.

    error REQUIRED. A single ASCII [USASCII] error code from the following

SHOULD
2
  1. RFC 6749 - Section 4.1.2.1

    Inform the resource owner of the error..

    Condition: When an authorization code request fails because the redirect URI is missing, invalid, or mismatched, or because the client identifier is missing or invalid.

    the authorization server SHOULD inform the resource owner of the error

  2. RFC 6749 - Section 4.2.2.1

    Inform the resource owner of the error..

    Condition: When an implicit grant request fails because the redirect URI is missing, invalid, or mismatched, or because the client identifier is missing or invalid.

    the authorization server SHOULD inform the resource owner of the error

Resource servers

SHOULD
1
  1. RFC 6750 - Section 3.1

    Respond with HTTP 400 (Bad Request)..

    Condition: When reporting `invalid_request` for a bearer-token resource request.

    The resource server SHOULD respond with the HTTP 400 (Bad Request) status code.

Registrant

MUST NOT
1
  1. RFC 6749 - Section 11.4.1

    Include characters outside `%x20-21 / %x23-5B / %x5D-7E` in an error name..

    Condition: When registering an OAuth extensions error name.

    Values for the error name MUST NOT include characters outside the set

Validation Guidance

error

Verify the registered error name is exactly `invalid_request` and contains only permitted ASCII characters.

error

Verify authorization code and implicit grant error responses include `error=invalid_request` only when the request is missing a required parameter, contains an invalid or repeated parameter, or is otherwise malformed.

error

Verify an authorization error response does not redirect to a missing, invalid, or mismatched redirect URI.

error

Verify an authorization error response returns the exact request `state` value when one was supplied.

error

Verify token error responses include `invalid_request` as the required `error` value only for the malformed-request conditions defined by RFC 6749 Section 5.2.

error

Verify RFC 6749 authorization and token error values contain only characters from `%x20-21 / %x23-5B / %x5D-7E`.

error

Verify RFC 6749 token error responses use HTTP 400 unless another status is specified.

warning

Verify bearer resource responses using `invalid_request` return HTTP 400.

Security Notes

RFC 9700 - Section 2.1.2

RFC 9700 advises clients not to use the implicit grant or other response types that issue access tokens in authorization responses unless token-injection and leakage risks are mitigated.

Reference

Details

Entry Id
invalid_request
Name
invalid_request
Usage Location
authorization endpoint, token endpoint, resource access error response
Protocol Extension
OAuth 2.0 Authorization Framework, bearer access token type
Change Controller
IETF
Reference
RFC6749, RFC6750