oauth2.dev

invalid_target

IESG

Registry Context

An OAuth error code indicating that a requested resource is invalid, missing, unknown, or malformed.

Technical Summary

RFC 8707 defines `invalid_target` for problems with resources requested through the `resource` parameter, including invalid resource-and-scope combinations. An authorization server may also use it when required resource indicators are omitted.

When Used

In authorization endpoint error responses and token endpoint error responses involving the `resource` parameter. Although its registry usage location includes implicit grant error responses, RFC 9700 recommends that clients avoid the implicit grant except under specified mitigations.

Normative Requirements

Clients

MUST NOT
1
  1. RFC 8707 - Section 2

    include a fragment component in a `resource` parameter URI..

    The URI MUST NOT include a fragment component.

MUST
1
  1. RFC 8707 - Section 2

    use an absolute URI as each `resource` parameter value..

    Condition: when including the `resource` parameter.

    Its value MUST be an absolute URI

SHOULD NOT
2
  1. RFC 8707 - Section 2

    include a query component in a `resource` parameter URI..

    Condition: except where a query component is useful and necessary as part of the resource identifier.

    It SHOULD NOT include a query component

  2. RFC 9700 - Section 2.1.2

    use the implicit grant or another response type that issues access tokens in the authorization response..

    Condition: unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

    clients SHOULD NOT use the implicit grant

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    use the authorization code response type or another response type that issues access tokens in the token response instead of the implicit grant..

    Clients SHOULD instead use the response type code

Authorization servers

MAY
2
  1. RFC 8707 - Section 2.1

    require clients to specify the resource or resources they intend to access..

    the authorization server MAY require clients to specify the resource(s) they intend to access

  2. RFC 8707 - Section 2.1

    fail a request that omits the `resource` parameter with an `invalid_target` error..

    Condition: when the server requires clients to specify the resources they intend to access.

    MAY fail requests that omit the parameter with an invalid_target error

Validation Guidance

info

Allow an authorization server that requires explicit resource indicators to reject an omitted `resource` parameter with `invalid_target`; this behavior is optional.

error

Reject or flag any `resource` value that is not an absolute URI.

error

Reject any `resource` URI containing a fragment component.

warning

Warn when a `resource` URI contains a query component unless the query is necessary to identify or scope the resource.

warning

For unparsable, unacceptable, unknown, or invalid resource values, verify that the authorization server returns `invalid_target`; RFC 8707 expresses this error-handling advice using lowercase prose rather than a BCP 14 requirement.

warning

When evaluating implicit-grant usage, verify that the RFC 9700 exception conditions are satisfied; otherwise clients should use a flow that returns access tokens from the token endpoint.

Security Notes

RFC 9700 - Section 2.1.2

The implicit grant and other response types that issue access tokens in authorization responses are vulnerable to access-token leakage and replay. Clients should avoid them unless injection and leakage risks are mitigated.

Reference

Details

Entry Id
invalid_target
Name
invalid_target
Usage Location
implicit grant error response, token error response
Protocol Extension
resource parameter
Change Controller
IESG
Reference
RFC8707