>> 3. I believe that section 5.2 is ambiguous as to the error code that should be
>> returned from the token endpoint when the client credentials are valid,
>> when the client is authorized to use the authorization code grant type in
>> general, but when the authorization code supplied is not va
First up, nice work with the latest version; it's considerably easier to
follow than the previous version. Based on a simple attempt to implement a
compliant authentication server, I have the following requests for
clarification:
1. The error response mechanism for the authorization endpoint depends
Section 4.1.3 (v12) says:
The authorization server MUST:
o Validate the client credentials and ensure they match the
authorization code.
o Verify that the authorization code and redirection URI are valid
and match its stored association.
The "stored association" does not a