Overstrict requirements on invalid_client error being http 401

[bitbucket-import-issues]

Originally submitted by josephheenan (Joseph Heenan) on 2024-02-28

https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.13 says that invalid_client should be used with a 401 status code, but 401 requires a WWW-Authenticate header which is not applicable for all client authentication schemes - in particular not the ones used by FAPI, private_key_jwt or mtls client auth.

https://www.rfc-editor.org/rfc/rfc6749#section-5.2 allows both a 400 or a 401 with a WWW-Authenticate in this case. It’d seem reasonable for CIBA to do the same.

‌

---

Bitbucket status: new

Bitbucket origin: issue 218

[bitbucket-import-issues]

Originally submitted by josephheenan (Joseph Heenan) on 2024-02-28

Related to a query received by certification team: https://gitlab.com/openid/conformance-suite/-/issues/1311

[bitbucket-import-issues]

Originally submitted by Brian Campbell (Brian Campbell) on 2024-02-28

It does seem reasonable. CIBA probably should have more explicitly allowed for both a 400 or a 401 with invalid_client

[bitbucket-import-issues]

Originally submitted by Bjorn Hjelm (Bjorn Hjelm) on 2024-03-12

I agree, the proposed change seems reasonable.

[bitbucket-import-issues]

Originally submitted by Bjorn Hjelm (Bjorn Hjelm) on 2025-02-11

A draft of the CIBA Core 1.0 Errata now exist that a PR for this issue can be applied to.