Hi All,

The spec[1] has the below content.

> Unless the Redirection URI is invalid, the Authorization Server returns the
> Client to the Redirection URI specified in the Authorization Request with
> the appropriate error and state parameters. Other parameters SHOULD NOT be
> returned.

Here they have mentioned "SHOULD NOT", which according to [2] means:

> SHOULD NOT - This phrase, or the phrase "NOT RECOMMENDED" mean that
> there may exist valid reasons in particular circumstances when the
> particular behavior is acceptable or even useful, but the full
> implications should be understood and the case carefully weighed
> before implementing any behavior described with this label.

Will it be a spec violation if we return more attributes in the error message?

Moreover, we got OIDC spec compliance, and when we were running the test suite there were no test failures for this matter even though we return some additional claims in the error response.

We have developed OIDC session management as well, and we are returning the session_state in the error response as recommended in the spec[3]. If it is not recommended to send more attributes in the error response, what is the recommended way to handle the session_state parameter in an error response?

Thank you.
Hasini

[1] - https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.6
[2] - https://tools.ietf.org/html/rfc2119
[3] - https://openid.net/specs/openid-connect-session-1_0.html

-- 
*Hasini Witharana*
Graduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
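The exchange discussed in the message above, as an added example that is not part of the original post or of any particular OP implementation: an authorization server builds the error redirect described in OpenID Connect Core 3.1.2.6 (error and state, plus the session_state parameter that the Session Management spec has the OP return), and a client parses it. Before redirecting, the server checks the redirect_uri against the client's registered URIs with an exact string match, because an invalid Redirection URI must never be redirected to, error or not. The session_state construction follows the form in the Session Management spec's example (a hash over client_id, the RP origin, the OP browser state and a salt, followed by "." and the salt); the hex encoding, the parameter names in the `extra` argument and the helper names are this example's assumptions.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Parameters an OIDC client expects to see on an error redirect. Anything else
# is the "other parameters" that Core 3.1.2.6 says SHOULD NOT be returned.
KNOWN_ERROR_PARAMS = {"error", "error_description", "error_uri", "state", "session_state"}


def compute_session_state(client_id, rp_origin, op_browser_state, salt=None):
    """OP-side session_state, shaped like the Session Management spec example.

    hex(SHA-256(client_id + " " + origin + " " + opbs + " " + salt)) + "." + salt
    The hex encoding is an assumption; the spec leaves the exact algorithm to the OP.
    """
    if salt is None:
        salt = secrets.token_hex(8)
    material = f"{client_id} {rp_origin} {op_browser_state} {salt}".encode()
    return hashlib.sha256(material).hexdigest() + "." + salt


def build_error_redirect(redirect_uri, registered_uris, error, state,
                         error_description=None, session_state=None, extra=None):
    """Authorization-server side: build the error redirect for a failed request.

    Raises ValueError instead of redirecting when redirect_uri is not exactly one
    of the client's registered URIs (the "Redirection URI is invalid" case).
    """
    if redirect_uri not in registered_uris:  # exact match, no prefix/substring logic
        raise ValueError("redirect_uri not registered for this client; not redirecting")
    params = {"error": error}
    if error_description:
        params["error_description"] = error_description
    if state is not None:
        params["state"] = state
    if session_state is not None:
        params["session_state"] = session_state
    if extra:  # any additional parameters an OP chooses to add (see the thread)
        params.update(extra)
    parts = urlsplit(redirect_uri)
    query = urlencode(params)
    if parts.query:  # keep a query string already present on the registered URI
        query = parts.query + "&" + query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_error_response(url, expected_state):
    """Client side: validate state, pick out the error, ignore unknown parameters.

    Returns a dict with the error fields and the list of parameter names the
    client did not recognise, so an operator can see what an OP adds beyond the spec.
    """
    flat = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if flat.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to our request")
    if "error" not in flat:
        raise ValueError("not an error response (no error parameter)")
    return {
        "error": flat["error"],
        "error_description": flat.get("error_description"),
        "session_state": flat.get("session_state"),
        "ignored": sorted(set(flat) - KNOWN_ERROR_PARAMS),
    }


if __name__ == "__main__":
    # Constructed sample values, not captured from a real OP.
    registered = ["https://rp.example/cb"]
    ss = compute_session_state("client1", "https://rp.example", "opbs-cookie-value")
    url = build_error_redirect("https://rp.example/cb", registered, "login_required",
                               state="af0ifjsldkj", session_state=ss)
    print(url)
    print(parse_error_response(url, "af0ifjsldkj"))
```

The client deliberately tolerates unknown parameters rather than failing on them: the SHOULD NOT in Core 3.1.2.6 constrains the server, and a client that rejected a response over an extra parameter would break against OPs that add one. The state check and the exact-match redirect_uri check are the two places a practitioner should not relax.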
