[openidConnectServer-1.0] incorrect http status code for error response invalid_grant #11773

Closed
lmsurpre opened this issue Apr 15, 2020 · 0 comments · Fixed by #12047
Assignees: ayoho
Labels: bug (This bug is not present in a released version of Open Liberty), Needs member attention, release bug (This bug is present in a released version of Open Liberty), release:20006, team:Security SSO

Comments


lmsurpre commented Apr 15, 2020

Describe the bug
When an OpenID Connect client provides a bogus code, the server responds with an invalid_grant error and an HTTP 401 status.

This contradicts https://tools.ietf.org/html/rfc6749#section-5.2 which states that the server should respond with an HTTP 400 (Bad Request) status code.

Steps to Reproduce

  1. configure a server as an openidConnectServer and an OAuth2 provider with grantType authorization_code; for example by following https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/twlp_config_oidc_pc_examp_beginner.html
  2. issue a request and pass an invalid code

Note the response is HTTP 401 with a body like:

{
  "error_description": "CWOAU0029E: The token with key: ********************** type: authorization_grant subType: authorization_code was not found in the token cache.",
  "error": "invalid_grant"
}

Expected behavior
The server should reject the token exchange request and respond with the error type (invalid_grant) and an HTTP status code of 400.

Diagnostic information:

  • OpenLiberty Version: 19.0.0.8
  • Java Version: AdoptOpenJDK 11.0.5 (OpenJ9)
  • server.xml configuration
<server description="fhir-server">

    <!-- Enable features -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>batchManagement-1.0</feature>
        <feature>jaxrs-2.1</feature>
        <!-- the db2 jcc driver for 11.5.0.0 doesn't fully implement jdbc-4.2 -->
        <feature>jdbc-4.1</feature>
        <feature>jsonp-1.1</feature>
        <feature>mpOpenAPI-1.0</feature>
        <feature>openidConnectClient-1.0</feature>
        <feature>openidConnectServer-1.0</feature>
        <feature>servlet-4.0</feature>
        <feature>transportSecurity-1.0</feature>
        <feature>websocket-1.1</feature>
        <feature>localConnector-1.0</feature>
        <feature>oauth-2.0</feature>
    </featureManager>

    <!-- Disable welcome page so that internal server info won't be revealed in responses
         to requests with an invalid context root.
    -->
    <httpDispatcher enableWelcomePage="false"/>
    <!-- Disable X-Powered-By header to avoid leaking information and
         override the default error pages to avoid showing stack traces
         for nonsensical queries like requests for a JSP page that doesn't exist.
    -->
    <webContainer deferServletLoad="false" disableXPoweredBy="true" displaytextwhennoerrorpagedefined="Unexpected request/response. Please check the URL and try again."/>

    <!-- IBM FHIR Server's keystore and truststore configuration -->
    <ssl clientAuthenticationSupported="true" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/>
    <keyStore id="defaultKeyStore" password="change-password"/>
    <!-- <keyStore id="defaultTrustStore" password="change-password"/> -->

    <!-- This entry defines the ports that the server will listen on.
        By default, the httpPort is disabled (set to "-1").
        Modify the port #'s as needed to satisfy your config requirements.
        Note: on Linux, the server must be running with root privileges in order to
        listen on ports <= 1024.
     -->
    <httpEndpoint host="*" httpPort="-1" httpsPort="9443" id="defaultHttpEndpoint" onError="FAIL"/>

    <!-- 
        Modify the trace string below as needed to enable/disable tracing. 
        <logging traceSpecification="*=info" traceFormat="BASIC"/>
        <logging traceSpecification="*=info:com.ibm.fhir.*=finer" traceFormat="BASIC"/>
    -->
    <logging traceFormat="BASIC" traceSpecification="*=info:com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all:com.ibm.oauth.*=all:com.ibm.wsspi.security.oauth20.*=all:com.ibm.ws.transport.http.*=all:org.apache.http.client.*=all"/>

    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>

    <applicationMonitor updateTrigger="mbean"/>

    <!-- This is the main IBM FHIR Server REST API war -->
    <webApplication contextRoot="fhir-server/api/v4" id="fhir-server-webapp" location="fhir-server.war" name="fhir-server-webapp">
        <classloader commonLibraryRef="fhirSharedLib" privateLibraryRef="configResources,fhirUserLib"/>
        <!-- Include id attributes to make it easier to override this via dropinConfig -->
        <application-bnd id="binding">
            <security-role id="users" name="FHIRUsers">
                <group name="FHIRUsers"/>
            </security-role>
        </application-bnd>
    </webApplication>

    <!-- This is the openapi definition for the IBM FHIR Server -->
    <webApplication id="fhir-openapi" location="fhir-openapi.war" name="fhir-openapi"/>
    
    <!-- This library element puts a specific directory in the classpath so that it can be used
        for user-provided configuration files (e.g. extension-search-parameters.xml)
    -->
    <library id="configResources">
        <folder dir="${server.config.dir}/config"/>
        <fileset dir="${server.config.dir}/config" includes="*.jar"/>
    </library>
    
    <!-- 
        This sharedlib can contain user-contributed jars that are intended to augment
        the IBM FHIR Server installation (persistence interceptors, persistence layer impl's,
        custom operation impl's, etc.)
     -->
    <library id="fhirUserLib">
        <fileset dir="${server.config.dir}/userlib" includes="*.jar"/>
    </library>
   
    <!-- Definitions related to the JDBC proxy datasource -->
    <library id="fhirSharedLib">
        <fileset dir="${shared.resource.dir}/lib/derby" includes="*.jar"/>
        <fileset dir="${shared.resource.dir}/lib/db2" includes="*.jar"/>
        <fileset dir="${shared.resource.dir}/lib/fhir" includes="*.jar"/>
    </library>
    
    <dataSource id="fhirProxyDataSource" jndiName="jdbc/fhirProxyDataSource" type="javax.sql.XADataSource">
        <jdbcDriver javax.sql.XADataSource="com.ibm.fhir.persistence.proxy.FHIRProxyXADataSource" libraryRef="fhirSharedLib"/>
        <connectionManager/>
    </dataSource>
    
    <webAppSecurity allowFailOverToBasicAuth="true"/>

    <authorization-roles id="com.ibm.ws.batch">
        <security-role name="batchAdmin">
            <user name="fhiradmin"/>
        </security-role>
        <security-role name="batchSubmitter">
            <user name="fhiruser"/>
        </security-role>
        <security-role name="batchMonitor">
            <user name="fhiradmin"/>
            <user name="fhiruser"/>
        </security-role>
    </authorization-roles>
    
    <!-- Define a basic user registry with a few users. -->
    <basicRegistry id="basic" realm="BasicRealm"> 
        <user name="fhiruser" password="change-password"/>
        <user name="fhiradmin" password="change-password"/>
        <group name="FHIRUsers">
            <member name="fhiruser"/>
        </group>
        <group name="clientAdministrator">
            <member name="fhiruser"/>
        </group>
    </basicRegistry>

    <openidConnectProvider id="oidc-provider" 
        oauthProviderRef="oauth2-provider" 
        keyStoreRef="defaultKeyStore"
        signatureAlgorithm="RS256"
        />
    
    <oauth-roles>
        <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </authenticated>
        <clientManager>
            <group name="clientAdministrator" />
        </clientManager>
    </oauth-roles>
    
    <oauthProvider id="oauth2-provider" oauthOnly="false" allowPublicClients="true" jwtAccessToken="true">
        <grantType>authorization_code</grantType>
        <databaseStore dataSourceRef="OAuthDataSource" />
    </oauthProvider>

    <dataSource id="OAuthDataSource" jndiName="jdbc/OAuth2DB">
        <properties.derby.embedded createDatabase="create" databaseName="derby/oauth2db" />
        <jdbcDriver libraryRef="derbyLib"/>
    </dataSource>
    
    <library id="derbyLib">
        <fileset dir="${shared.resource.dir}/lib/derby" includes="*.jar"/>
    </library>
    
    <openidConnectClient id="RS" inboundPropagation="required"
        clientId="inferno"
        mapIdentityToRegistryUser="true"
        trustStoreRef="defaultKeyStore"
        trustAliasName="libertyop"
        validationEndpointUrl="https://localhost:9443/oidc/endpoint/oidc-provider/introspect"
        signatureAlgorithm="RS256"
        authFilterRef="filter"
        issuerIdentifier="https://localhost:9443/oauth2/endpoint/oauth2-provider,https://host.docker.internal:9443/oauth2/endpoint/oauth2-provider"
        />
    
    <authFilter id="filter">
        <requestUrl urlPattern="/fhir-server" />
    </authFilter>
    
    <include optional="true" location="${server.config.dir}/batchDs.xml"/>
</server>
  • If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log

Additional context
This behavior is preventing us from passing the following conformance test defined by https://inferno.healthit.gov/

  • SLS-05: OAuth token exchange fails when supplied invalid code
POST   https://host.docker.internal:9443/oauth2/endpoint/oauth2-provider/token
Request Headers

    Content-Type: application/x-www-form-urlencoded

Payload

{"grant_type"=>"authorization_code", "code"=>"INVALID_CODE", "redirect_uri"=>"http://localhost:4567/inferno/oauth2/static/redirect", "client_id"=>"***********************"}
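As an added example (not part of this issue or of Open Liberty's code), the following Python check evaluates a token-endpoint error response against the rules of RFC 6749 section 5.2 (HTTP 400 for every error code except invalid_client, which may use 401 and must use 401 with a WWW-Authenticate header when the client authenticated through the Authorization header) and the response-format rules of section 5.1 that 5.2 reuses (JSON media type, Cache-Control: no-store, Pragma: no-cache). The sample responses are constructed to mirror the 401 body quoted above and its 400 counterpart; the function and constant names are the example's own.

```python
"""Check an OAuth 2.0 token-endpoint error response against RFC 6749 section 5.2.

Added example for this issue; not Open Liberty code. Sample data is constructed.
"""
import json

# Error codes defined in RFC 6749 section 5.2.
RFC6749_ERROR_CODES = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

# Constructed response headers that satisfy the section 5.1 format rules.
CONFORMING_HEADERS = {
    "Content-Type": "application/json; charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}


def check_token_error_response(status, headers, body, client_used_auth_header=False):
    """Return a list of conformance findings (an empty list means conforming).

    status:  HTTP status code of the token endpoint response
    headers: dict of response headers (names matched case-insensitively)
    body:    raw response body as a string
    client_used_auth_header: True if the client authenticated with the HTTP
             Authorization header, which tightens the invalid_client rule.
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    # The error body must be a JSON object carrying a required "error" member.
    try:
        payload = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    error = payload.get("error") if isinstance(payload, dict) else None
    if not isinstance(error, str):
        return ['missing required "error" member']
    if error not in RFC6749_ERROR_CODES:
        findings.append(f'unknown error code "{error}"')

    # Section 5.2: every error except invalid_client uses HTTP 400.
    if error == "invalid_client":
        if client_used_auth_header:
            if status != 401:
                findings.append(f"invalid_client after Authorization-header auth must be 401, got {status}")
            if "www-authenticate" not in hdrs:
                findings.append("invalid_client after Authorization-header auth must include WWW-Authenticate")
        elif status not in (400, 401):
            findings.append(f"invalid_client must be 400 or 401, got {status}")
    elif status != 400:
        findings.append(f'error "{error}" must be HTTP 400, got {status}')

    # Section 5.1 format rules, which section 5.2 reuses for error responses.
    if not hdrs.get("content-type", "").startswith("application/json"):
        findings.append("Content-Type must be application/json")
    if "no-store" not in hdrs.get("cache-control", "").lower():
        findings.append("Cache-Control: no-store is required")
    if hdrs.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache is required")
    return findings


def check_observed():
    """Findings for a response shaped like the one reported in this issue (constructed sample)."""
    body = json.dumps({
        "error": "invalid_grant",
        "error_description": "CWOAU0029E: token not found in the token cache (constructed sample)",
    })
    return check_token_error_response(401, CONFORMING_HEADERS, body)


def check_expected():
    """Findings for the RFC-conforming variant: same error code, HTTP 400."""
    body = json.dumps({"error": "invalid_grant"})
    return check_token_error_response(400, CONFORMING_HEADERS, body)


if __name__ == "__main__":
    print("observed:", check_observed() or "conforming")
    print("expected:", check_expected() or "conforming")
```

Running the module prints one finding for the observed 401 response (invalid_grant must be HTTP 400) and "conforming" for the 400 variant; the same function can be pointed at a captured response from any authorization server to confirm which status it returns for a rejected code.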
@lmsurpre lmsurpre added the bug This bug is not present in a released version of Open Liberty label Apr 15, 2020
@ayoho ayoho self-assigned this Apr 20, 2020
@ayoho ayoho added the release bug This bug is present in a released version of Open Liberty label May 4, 2020
ayoho added a commit to ayoho/open-liberty that referenced this issue May 4, 2020