invalid_ target
Registry Context
An OAuth error code indicating that a requested resource is invalid, missing, unknown, or malformed.
Technical Summary
RFC 8707 defines `invalid_target` for problems with resources requested through the `resource` parameter, including invalid resource-and-scope combinations. An authorization server may also use it when required resource indicators are omitted.
When Used
In authorization endpoint error responses and token endpoint error responses involving the `resource` parameter. Although its registry usage location includes implicit grant error responses, RFC 9700 recommends that clients avoid the implicit grant except under specified mitigations.
Normative Requirements
Clients
RFC 8707 - Section 2
include a fragment component in a `resource` parameter URI..
The URI MUST NOT include a fragment component.
RFC 8707 - Section 2
use an absolute URI as each `resource` parameter value..
Condition: when including the `resource` parameter.
Its value MUST be an absolute URI
RFC 8707 - Section 2
include a query component in a `resource` parameter URI..
Condition: except where a query component is useful and necessary as part of the resource identifier.
It SHOULD NOT include a query component
RFC 9700 - Section 2.1.2
use the implicit grant or another response type that issues access tokens in the authorization response..
Condition: unless access-token injection is prevented and the identified token-leakage vectors are mitigated.
clients SHOULD NOT use the implicit grant
RFC 9700 - Section 2.1.2
use the authorization code response type or another response type that issues access tokens in the token response instead of the implicit grant..
Clients SHOULD instead use the response type code
Authorization servers
RFC 8707 - Section 2.1
require clients to specify the resource or resources they intend to access..
the authorization server MAY require clients to specify the resource(s) they intend to access
RFC 8707 - Section 2.1
fail a request that omits the `resource` parameter with an `invalid_target` error..
Condition: when the server requires clients to specify the resources they intend to access.
MAY fail requests that omit the parameter with an invalid_target error
Validation Guidance
Allow an authorization server that requires explicit resource indicators to reject an omitted `resource` parameter with `invalid_target`; this behavior is optional.
Reject or flag any `resource` value that is not an absolute URI.
Reject any `resource` URI containing a fragment component.
Warn when a `resource` URI contains a query component unless the query is necessary to identify or scope the resource.
For unparsable, unacceptable, unknown, or invalid resource values, verify that the authorization server returns `invalid_target`; RFC 8707 expresses this error-handling advice using lowercase prose rather than a BCP 14 requirement.
When evaluating implicit-grant usage, verify that the RFC 9700 exception conditions are satisfied; otherwise clients should use a flow that returns access tokens from the token endpoint.
Security Notes
RFC 9700 - Section 2.1.2
The implicit grant and other response types that issue access tokens in authorization responses are vulnerable to access-token leakage and replay. Clients should avoid them unless injection and leakage risks are mitigated.
Reference
Details
- Entry Id
invalid_target - Name
invalid_target - Usage Location
implicit grant error response, token error response- Protocol Extension
resource parameter- Change Controller
IESG- Reference
RFC8707