oauth2.dev

unauthorized_client

IETF

Registry Context

OAuth error code used when the client is not allowed to use the relevant authorization method or grant.

Technical Summary

RFC6749 defines `unauthorized_client` in the authorization code and implicit grant error-response lists, and also defines the same code for token endpoint error responses when the authenticated client is not authorized to use the grant type.

When Used

Authorization code and implicit grant error responses; RFC6749 also defines the code for token endpoint errors when the authenticated client is not authorized to use the grant type.

Normative Requirements

Authorization servers

MUST NOT (1 requirement)
  1. RFC 6749 - Section 5.2

    include characters outside the RFC6749 allowed character set in `error` parameter values.

    Condition: when serializing `error` values such as `unauthorized_client`

    Source text: "Values for the "error" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E."

MUST (3 requirements)
  1. RFC 6749 - Section 4.1.2.1

    use `unauthorized_client` as the `error` code in authorization code grant error responses.

    Condition: when the request fails for reasons other than a missing or invalid redirection URI and the client is not authorized to request an authorization code using this method

    Source text: "unauthorized_client: The client is not authorized to request an authorization code using this method."

  2. RFC 6749 - Section 4.1.2.1

    emit the `error` parameter as a single ASCII error code from the RFC6749 error-code list.

    Condition: when generating an authorization error response that can carry `unauthorized_client`

    Source text: "error: REQUIRED. A single ASCII [USASCII] error code from the following:"

  3. RFC 6749 - Section 4.2.2.1

    use `unauthorized_client` as the `error` code in implicit grant error responses.

    Condition: when the request fails for reasons other than a missing or invalid redirection URI and the client is not authorized to request an access token using this method

    Source text: "unauthorized_client: The client is not authorized to request an access token using this method."

Validation Guidance

error

  1. Accept `unauthorized_client` only in RFC6749 authorization-code error responses for the method-not-authorized case.

  2. Accept `unauthorized_client` only in RFC6749 implicit-grant error responses for the method-not-authorized case.

  3. Require `error` to be one of the RFC6749 listed ASCII error codes.

  4. Reject `error` values containing characters outside the RFC6749 allowed set.
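As an added example (not code from oauth2.dev or from RFC 6749), a Python validator that applies the guidance above at both usage locations: the authorization endpoint's error redirect (query for `response_type=code`, fragment for the implicit grant) and the token endpoint's JSON error body. The two error-code sets are the ones RFC 6749 lists in Sections 4.1.2.1, 4.2.2.1 and 5.2, which goes slightly beyond this page's authorization-endpoint quotes; all sample URLs and bodies are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Error codes RFC 6749 lists for the authorization endpoint (4.1.2.1/4.2.2.1)
# and the token endpoint (5.2); unauthorized_client is in both lists.
AUTHZ_ENDPOINT_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}
TOKEN_ENDPOINT_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}
# RFC 6749 5.2: error values use only %x20-21 / %x23-5B / %x5D-7E,
# i.e. printable ASCII without '"' and '\'.
ERROR_CHARSET = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]*")

def check_error_code(value, allowed):
    """Return None if value is a well-formed listed code, else a reason."""
    if not ERROR_CHARSET.fullmatch(value):
        return "error contains characters outside the RFC6749 set"
    if value not in allowed:
        return f"error {value!r} is not an RFC6749 code for this endpoint"
    return None

def validate_authz_error_redirect(redirect_url, response_type):
    """Check the error redirect from the authorization endpoint: 'code'
    responses carry it in the query, 'token' (implicit) in the fragment."""
    parsed = urlparse(redirect_url)
    raw = parsed.query if response_type == "code" else parsed.fragment
    params = parse_qs(raw, keep_blank_values=True)  # percent-decodes values
    values = params.get("error", [])
    if len(values) != 1:
        return "error parameter must appear exactly once"
    return check_error_code(values[0], AUTHZ_ENDPOINT_ERRORS)

def validate_token_error_body(body):
    """Check the JSON error body returned by the token endpoint."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "token error response is not valid JSON"
    value = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(value, str):
        return "error member missing or not a string"
    return check_error_code(value, TOKEN_ENDPOINT_ERRORS)
```

Each function returns `None` for an acceptable response and a short reason string otherwise, so a client can log the reason without echoing an unchecked `error` value into its own output.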

Reference

Details

Entry Id: unauthorized_client
Name: unauthorized_client
Usage Location: authorization endpoint, token endpoint
Protocol Extension: OAuth 2.0 Authorization Framework
Change Controller: IETF
Reference: RFC6749