>> 3. I believe that section 5.2 is ambiguous as to the error code that should >> be >> returned from the token endpoint when the client credentials are valid, >> when the client is authorized to use the authorization code grant type in >> general, but when the authorization code supplied is not valid for the >> client. I >> could see unauthorized_client being right, but the wording of the section >> doesn't include the exact case above. Please clarify. > > Why not 'invalid_grant'? If I understand your use case, the client is trying > to use a code issued to another client, which makes the code invalid.
It wasn't clear to me, when combining the last paragraph in section 4.1.3 with section 5.2 that the code not matching the client meant that the code was invalid. While you intend the term "invalid" in the context of a code/grant (in, e.g. Section 5.2) to be a general catch-all for errors, I missed that when reading the document. Perhaps a quick nod to this concept somewhere in either section 1.4 or 5.2 might have helped me out. Thanks for the other answers - quite clear. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
