SamCooper / COMMON_SPEC_RIDS


[Login Service] Login operation validation check ordering #124

Closed apinder closed 5 years ago

apinder commented 5 years ago

Ordering of the validation and checks in the login operation causes differences in behaviour.

3.3.7.2 (login op of the login service) of the spec states:

a) The authenticationId field of the REQUEST message must be NULL otherwise an INVALID error shall be returned.
g) A DUPLICATE error shall be returned if the username and role combination is currently in use.

If an implementation applies a) first and attempts to log in with the same user and password that you're currently logged in as, then this results in an INVALID error; if the implementation applies g) and then a), this same process results in a DUPLICATE error. The spec should be clear which order these should be applied in.
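The ordering problem described in this issue, as an added example that is not part of the original comment or of the specification: it runs checks a) and g) in every order and reports requests whose first error depends on that order, which generalizes to any set of first-error-wins checks. The dict-based request, the session table, the sample users and the assumption that a re-login request carries a non-NULL authenticationId are all constructed for illustration.

```python
from itertools import permutations

# Constructed session table: (username, role) pairs currently logged in.
ACTIVE_SESSIONS = {("alice", "operator")}

def check_a(request):
    # Rule a): authenticationId of the REQUEST must be NULL, otherwise INVALID.
    return "INVALID" if request["authenticationId"] is not None else None

def check_g(request):
    # Rule g): DUPLICATE if the username and role combination is in use.
    key = (request["username"], request["role"])
    return "DUPLICATE" if key in ACTIVE_SESSIONS else None

CHECKS = {"a": check_a, "g": check_g}

def login_error(request, order):
    """Return the first error produced when checks run in `order`, or None."""
    for name in order:
        error = CHECKS[name](request)
        if error is not None:
            return error
    return None

def order_dependent_outcomes(request):
    """Map every check ordering (e.g. 'ag', 'ga') to the error it returns."""
    return {"".join(order): login_error(request, order)
            for order in permutations(sorted(CHECKS))}

def is_ambiguous(request):
    """True when two orderings disagree, i.e. the result depends on ordering."""
    return len(set(order_dependent_outcomes(request).values())) > 1

# Constructed requests (assumed shapes, not taken from the specification).
RELOGIN = {"username": "alice", "role": "operator",
           "authenticationId": b"existing-session"}
FRESH = {"username": "bob", "role": "operator", "authenticationId": None}

if __name__ == "__main__":
    for label, req in (("re-login", RELOGIN), ("fresh login", FRESH)):
        print(label, order_dependent_outcomes(req),
              "ambiguous:", is_ambiguous(req))
```

A conformance suite can use the same approach to flag every request for which two compliant implementations could return different errors.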

apinder commented 5 years ago

Updated spec to clarify ordering