xmlgrrl
commented
6 years ago The choices are in Grant Sec 3.3.6: invalid_grant, invalid_scope, request_submitted, need_info. I don't see an obvious winner here. The WG needs to discuss.
Closed joebandenburg closed 6 years ago
xmlgrrl
commented
6 years ago The choices are in Grant Sec 3.3.6: invalid_grant, invalid_scope, request_submitted, need_info. I don't see an obvious winner here. The WG needs to discuss.
mrpotes
commented
6 years ago I think this could be invalid_grant, as the rpt parameter is part of the UMA grant. The Client should have been told when its access token was going to expire, so it has sent it in error.
xmlgrrl
commented
6 years ago That makes sense. 6749 defines invalid_grant as "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client" and we already say as part of our enhanced definition of it, "If the provided permission ticket was not found at the authorization server, or the provided permission ticket has expired, or any other original reasons to use this error response are found as defined in [6749]..."
Given the original wording in 6749, perhaps we should simply give "permission ticket" and "RPT" as two UMA-flavored examples of invalid/expired/does-not-match authorization grant elements. In other words, there's a way we can actually make this align just a tad more closely with the original.
ciseng
commented
6 years ago +1
xmlgrrl
commented
6 years ago Per UMA telecon 2017-08-23: See decisions and notes as recorded in #348, and see full meeting notes as well.
The spec does not specify what to do if the provided RPT for upgrade is invalid or expired. Should it be ignored or should an error be returned? If an error, which one?