invalid_software_statement
Registry Context
Error code for a client registration failure caused by an invalid software statement.
Technical Summary
Registered OAuth extension error value used in the dynamic client registration error response when a software statement is invalid. The response is an HTTP 400 carrying a JSON error object, and the software statement itself must satisfy RFC 7591 validation requirements.
When Used
When a client registration request includes a software statement that does not satisfy RFC 7591 validation requirements.
Normative Requirements
Authorization servers
RFC 7591 - Section 3.2.2
include an error member in the JSON error response, and the value must be a single ASCII error code string.
Condition: When returning a registration error response.
error REQUIRED. Single ASCII error code string.
RFC 7591 - Section 3.2.2
ignore any other members in the error object that are not understood.
Condition: If additional members are present in the error response.
MUST be ignored
RFC 7591 - Section 3.2.2
return an HTTP 400 status code for a registration error condition, unless otherwise specified.
Condition: When a registration error condition occurs.
returns an HTTP 400 status code
software statement
RFC 7591 - Section 2.3
be digitally signed or MACed using JSON Web Signature (JWS).
Condition: When presented to the authorization server as part of a client registration request.
MUST be digitally signed or MACed
RFC 7591 - Section 2.3
contain an "iss" (issuer) claim denoting the party attesting to the claims in the software statement.
Condition: When presented to the authorization server as part of a client registration request.
MUST contain an "iss" claim
Validation Guidance
Verify the registration error response uses HTTP 400 unless the protocol specifies a different status.
Verify the response body includes an `error` member whose value is a single ASCII error code string.
Ignore unrecognized members in the error response object.
Treat a presented software statement as invalid if it is not JWS-signed or MACed.
Treat a presented software statement as invalid if it does not contain an `iss` claim.
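The checks above can be sketched as a registration handler. This is an added example, not code from RFC 7591 or from this registry. It assumes HS256-MACed statements and a per-issuer key table; the names TRUSTED_ISSUERS, make_statement, check_software_statement and register, the key value, and the simplified success body are all hypothetical.

```python
import base64, hashlib, hmac, json

# Assumption: MAC keys for trusted software statement issuers (constructed values).
TRUSTED_ISSUERS = {"https://issuer.example": b"constructed-demo-key"}

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_statement(header: dict, claims: dict, key: bytes) -> str:
    """Build a compact JWS for the demo; only HS256 gets a real MAC."""
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    mac = b""
    if header.get("alg") == "HS256":
        mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)

def check_software_statement(statement: str) -> dict:
    """Return the verified claims, or raise ValueError if the statement is invalid."""
    try:
        head_b64, body_b64, sig_b64 = statement.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, AttributeError) as exc:
        raise ValueError("not a compact JWS") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    if header.get("alg") != "HS256":  # also rejects "none": must be signed or MACed
        raise ValueError("unsupported or missing JWS protection")
    issuer = claims.get("iss")
    if not isinstance(issuer, str) or issuer not in TRUSTED_ISSUERS:
        raise ValueError("missing or untrusted iss claim")
    signing_input = f"{head_b64}.{body_b64}".encode()
    expected = hmac.new(TRUSTED_ISSUERS[issuer], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("MAC verification failed")
    return claims

def register(request: dict):
    """Return (status, body) for a registration request with a software_statement."""
    try:
        claims = check_software_statement(request.get("software_statement", ""))
    except ValueError:
        # Error shape from this entry: HTTP 400 and a single ASCII error code.
        return 400, {"error": "invalid_software_statement"}
    return 201, {"client_name": claims.get("client_name")}  # simplified success body
```

The error body carries only the code, so the response does not reveal which check failed.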
Security Notes
RFC 7591 - Section 2.3
Software statements carry attested client metadata and are security-sensitive; RFC 7591 requires JWS/MAC protection and an issuer claim.
Reference
Details
- Entry Id: invalid_software_statement
- Name: invalid_software_statement
- Usage Location: registration endpoint
- Protocol Extension: Dynamic Client Registration
- Change Controller: IETF
- Reference: RFC7591 - Section 3.2.2