OpenIDConnect Error Codes

Error Code Usage
"invalid_client"
  • When the client is not known
  • When the code grant is not enabled for the client
  • When in a code grant there is no user session
"invalid_request"
  • When the message fails to parse (e.g. required parameters missing)
  • When the redirection_uri is not allowed
  • When in "urn:ietf:params:oauth:grant-type:token-exchange" grant, the requested token type is not supported
"invalid_request_object"
  • When the request object is not valid
"unauthorized_client"
  • When the client is blocked
  • When a PUBLIC client requests the client credentials grant
  • When client credentials grant is not enabled for the client
  • When "password" grant is not enabled for the client
  • When "urn:ietf:params:oauth:grant-type:jwt-bearer" grant is not enabled for the client
  • When "urn:ietf:params:oauth:grant-type:token-exchange" grant is not enabled for the client
  • When CONFIDENTIAL client authorization fails (client secret)
"unsupported_response_type"
  • When the response type is not allowed for the given client
"invalid_grant"
  • When a PUBLIC client does not provide a code challenge and method to the authorize endpoint
  • When a PUBLIC client fails to offer a valid code verifier to the token endpoint
  • When cross origin validation fails (Origin not in whitelist)
  • When the code offered to the token endpoint has expired
  • When the code offered to the token endpoint was revoked (possible double use)
  • When in "urn:ietf:params:oauth:grant-type:jwt-bearer" grant we do not trust the issuer of the token offered for exchange
  • When in "urn:ietf:params:oauth:grant-type:jwt-bearer" grant the token offered for exchange has expired
  • When in "urn:ietf:params:oauth:grant-type:jwt-bearer" grant the signature is invalid
  • When in "urn:ietf:params:oauth:grant-type:jwt-bearer" grant the token offered for exchange is not a valid JWT
  • When in "password" grant, the credentials are invalid
  • When "refresh_token" grant is not enabled for the client
  • When in "refresh_token" grant the refresh token has expired
  • When in "refresh_token" grant the refresh token was revoked
  • When in "refresh_token" grant the client is blocked
  • When in "urn:ietf:params:oauth:grant-type:token-exchange" grant, there is no existing consent of the subject for the client
  • When on the token introspection endpoint the token offered was not found for the client
"unsupported_grant_type"
  • When the grant_type is not supported
"invalid_scope"
  • When the scopes requested from the token endpoint are not covered by the offered code
  • When the scopes requested from the token endpoint are not covered by the offered refresh token
"access_denied"
  • When the user denies access to the client
"consent_required"
  • When user info endpoint is offered a token that has no user info attached (e.g. token from client credentials grant)
"invalid_token"
  • When user info endpoint is accessed without a valid bearer access token in the Authorization header
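
The authorization-code entries under "invalid_grant" (a PUBLIC client without a valid code verifier, an expired code, a code offered twice), sketched as a token-endpoint check. This is an added example, not this product's implementation: it assumes the S256 challenge method from RFC 7636, and `AuthCode`, `TokenError`, `s256` and `redeem_code` are hypothetical names.

```python
import base64
import hashlib
import hmac
import re
import time
from dataclasses import dataclass

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


class TokenError(Exception):
    """Carries the OAuth error code returned to the client."""
    def __init__(self, error, reason):
        super().__init__(reason)
        self.error = error


@dataclass
class AuthCode:  # hypothetical record stored when the code is issued
    client_is_public: bool
    code_challenge: str  # value the client sent to the authorize endpoint
    expires_at: float    # epoch seconds
    used: bool = False


def s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def redeem_code(code: AuthCode, code_verifier, now=None) -> None:
    """Raise TokenError("invalid_grant") on the listed failures; else mark the code used."""
    now = time.time() if now is None else now
    if code.used:
        # Possible double use: a real server would also revoke tokens issued from this code.
        raise TokenError("invalid_grant", "code already redeemed")
    if now >= code.expires_at:
        raise TokenError("invalid_grant", "code expired")
    if code.client_is_public:
        if not code_verifier or not VERIFIER_RE.fullmatch(code_verifier):
            raise TokenError("invalid_grant", "missing or malformed code_verifier")
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(s256(code_verifier), code.code_challenge):
            raise TokenError("invalid_grant", "code_verifier does not match")
    code.used = True
```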