> On 8 Sep 2025, at 11:46, Zsolt Parragi <[email protected]> wrote:
> 
>> AFAICT adding this would not violate the RFC but it is "NOT RECOMMENDED".
> 
> I didn't test Okta yet, but it worked with all other providers I tried
> so far. I try to verify this with Okta and modify it if it doesn't
> work

Great, thanks!

> , but I think this isn't clear in the RFCs:
>   ...

Unfortunately that's true for most of the OAuth-related RFCs; they are in places
wishy-washy at best.

>> It doesn't seem in line with the specification, which error are they sending
>> 428 for? Do they use 401 for invalid_client?
> 
> During the wait for the user to enter the device code. It's documented here:
> 
> https://developers.google.com/identity/protocols/oauth2/limited-input-device#authorization-pending

Thanks for the reference, I'm not sure we should handle it equally to 400/401
(need to think about that, and am looking forward to Jacob's wisdom on it) but
it should regardless be quite doable to support.

--
Daniel Gustafsson
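As an added illustration of the status-code question discussed in this thread (this is not code from the thread, from libpq, or from any provider's SDK), the following Python block classifies the token-endpoint responses a device-flow client sees while polling. The error vocabulary (`authorization_pending`, `slow_down`, `access_denied`, `expired_token`) and the "add 5 seconds on slow_down" rule are RFC 8628 section 3.5; treating an HTTP 428 that carries `authorization_pending` the same way as the RFC's 400 is an assumption drawn from the Google reference above. The function and constant names (`classify`, `poll`, `OAUTH_ERROR_STATUSES`, `SAMPLE_RESPONSES`) and the sample response bodies are constructed for the example. Anything that is not a parseable OAuth error object, or any status outside 200/400/401/428, fails closed instead of being retried, so a provider that returns an unexpected code cannot keep the client polling forever.

```python
"""Classify OAuth 2.0 device authorization grant token responses (RFC 8628 3.5).

Added example; names, constants and sample bodies are constructed, not taken
from any real client or provider.
"""
import json
from dataclasses import dataclass

# RFC 8628 3.5 error codes that mean "keep polling".
RETRY_ERRORS = {"authorization_pending", "slow_down"}
# RFC 8628 3.5 error codes that end the flow for good.
TERMINAL_DEVICE_ERRORS = {"access_denied", "expired_token"}
# Statuses on which we are willing to look for an OAuth error object:
# 400/401 per RFC 6749 5.2, plus 428 which (assumption from the thread)
# some providers use for authorization_pending.
OAUTH_ERROR_STATUSES = {400, 401, 428}
MAX_BODY = 64 * 1024  # refuse to parse an unbounded body from the token endpoint


@dataclass
class Decision:
    action: str      # "success", "retry" or "fail"
    interval: int    # polling interval in seconds for the next request
    reason: str = ""


def _parse_object(body: bytes):
    """Return the JSON object in body, or None if it is not a JSON object."""
    if len(body) > MAX_BODY:
        return None
    try:
        obj = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def classify(status: int, body: bytes, interval: int) -> Decision:
    """Decide what a device-flow client should do with one token-endpoint reply."""
    if status == 200:
        obj = _parse_object(body)
        if (obj is None or not isinstance(obj.get("access_token"), str)
                or not isinstance(obj.get("token_type"), str)):
            return Decision("fail", interval, "200 without a usable token object")
        return Decision("success", interval)

    if status in OAUTH_ERROR_STATUSES:
        obj = _parse_object(body)
        err = obj.get("error") if obj else None
        if not isinstance(err, str):
            # No OAuth error code: do not retry on a guess.
            return Decision("fail", interval, f"HTTP {status} without an OAuth error code")
        if err in RETRY_ERRORS:
            # RFC 8628 3.5: on slow_down the interval MUST grow by 5 seconds.
            new_interval = interval + 5 if err == "slow_down" else interval
            return Decision("retry", new_interval, err)
        if err in TERMINAL_DEVICE_ERRORS:
            return Decision("fail", interval, err)
        # invalid_client, invalid_grant, etc.: a real protocol error, stop.
        return Decision("fail", interval, f"{err}: {obj.get('error_description', '')}")

    return Decision("fail", interval, f"unexpected HTTP status {status}")


def poll(responses, interval: int = 5, max_polls: int = 20):
    """Simulated polling loop: waits `interval` (counted, not slept) before each
    request, then classifies the canned (status, body) reply. Returns
    (final decision, number of polls, total seconds waited)."""
    waited = 0
    polls = 0
    decision = Decision("fail", interval, "no responses")
    for status, body in responses:
        if polls >= max_polls:
            return Decision("fail", interval, "poll limit reached"), polls, waited
        waited += interval
        polls += 1
        decision = classify(status, body, interval)
        interval = decision.interval
        if decision.action != "retry":
            break
    return decision, polls, waited


# Constructed sequence: a 428-style pending reply, a slow_down, another pending
# reply on the longer interval, then the token.
SAMPLE_RESPONSES = [
    (428, b'{"error": "authorization_pending", "error_description": "Precondition Required"}'),
    (400, b'{"error": "slow_down"}'),
    (400, b'{"error": "authorization_pending"}'),
    (200, b'{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'),
]

if __name__ == "__main__":
    final, n, secs = poll(SAMPLE_RESPONSES)
    print(f"{final.action} after {n} polls and {secs}s of waiting ({final.reason})")
```

Running the block walks the constructed sequence: the 428 and 400 `authorization_pending` replies are both retried, the `slow_down` pushes the interval from 5 to 10 seconds, and the 200 ends the loop after four polls and 30 seconds of simulated waiting. A 401 `invalid_client`, an `expired_token`, a non-JSON body or a 500 all stop the loop immediately.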