While probably not terribly important from an interoperability perspective, I agree that does seem like an omission.
I took a quick look at our implementation and bad requests to the device authorization endpoint will indeed return what is a standard OAuth 2.0 error response normally from the token endpoint with invalid_client or invalid_scope error codes. And a little bit of poking at Google's device authorization endpoint suggests it behaves similarly. I suspect it's pretty typical. On Fri, Mar 8, 2019 at 5:28 AM Emond Papegaaij <emond.papega...@gmail.com> wrote: > Dear all, > > I'm working on an implementation of the OAuth 2.0 Device Flow for > Browserless > and Input Constrained Devices and noticed a possible omission in the spec.. > Section 3.2 describes the Device Authorization Response, but only the > success > response is specified, not the error response. I would have expected a > standard OAuth 2.0 error response, probably with the following error > codes: > invalid_request, invalid_client and invalid_scope. > > Best regards, > Emond Papegaaij > Topicus KeyHub > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
