[openidConnectServer-1.0] incorrect http status code for error response invalid_grant #11773
Labels: bug, Needs member attention, release bug, release:20006, team:Security SSO
Describe the bug
When an OpenID Connect client provides a bogus code, the server responds with an invalid_grant error and an HTTP status of 401.
This contradicts https://tools.ietf.org/html/rfc6749#section-5.2 which states that the server should respond with an HTTP 400 (Bad Request) status code.
Steps to Reproduce
Note the response is HTTP 401 with a body like:
Expected behavior
The server should reject the token exchange request and respond with the error type (invalid_grant) and an HTTP status code of 400.
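The following is an added example, not code from Open Liberty or from this issue. It shows a minimal authorization-code token endpoint that applies the RFC 6749 section 5.2 status-code rules described above (400 for invalid_grant and the other error codes, 401 only for invalid_client when HTTP authentication was used), together with a small conformance checker of the kind a test suite would run against a real server's responses. The authorization code `good-code-123`, the client `client-a` and its secret are constructed placeholders.

```python
import secrets
import time

# Constructed demo data (placeholders, not values from the Open Liberty issue):
# authorization codes the server has issued, and registered client credentials.
ISSUED_CODES = {
    "good-code-123": {
        "client_id": "client-a",
        "redirect_uri": "https://app.example/cb",
        "expires": time.time() + 600,
        "used": False,
    },
}
CLIENT_SECRETS = {"client-a": "s3cret"}

RFC6749_ERRORS = {"invalid_request", "invalid_client", "invalid_grant",
                  "unauthorized_client", "unsupported_grant_type", "invalid_scope"}


def _error(status, error, description=None, www_authenticate=None):
    """Build an RFC 6749 section 5.2 error response: JSON body, no caching."""
    body = {"error": error}
    if description:
        body["error_description"] = description
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    if www_authenticate:
        headers["WWW-Authenticate"] = www_authenticate
    return status, headers, body


def handle_token_request(params, client_auth=None, now=None):
    """Token endpoint for grant_type=authorization_code (RFC 6749 sections 4.1.3, 5.1, 5.2).

    params: form fields as a dict; client_auth: (client_id, client_secret) taken from
    the HTTP Basic Authorization header, or None. Returns (status, headers, body).
    """
    now = time.time() if now is None else now
    # Failed client authentication is the one case the RFC allows to use HTTP 401,
    # and then the WWW-Authenticate header is required.
    if client_auth is None or CLIENT_SECRETS.get(client_auth[0]) != client_auth[1]:
        return _error(401, "invalid_client", www_authenticate='Basic realm="token"')
    client_id = client_auth[0]
    if params.get("grant_type") != "authorization_code":
        return _error(400, "unsupported_grant_type")
    for name in ("code", "redirect_uri"):
        if not params.get(name):
            return _error(400, "invalid_request", f"missing parameter: {name}")
    entry = ISSUED_CODES.get(params["code"])
    # A bogus, expired, already-used, or mismatched code is invalid_grant with HTTP 400.
    if (entry is None or entry["used"] or entry["expires"] < now
            or entry["client_id"] != client_id
            or entry["redirect_uri"] != params["redirect_uri"]):
        return _error(400, "invalid_grant", "authorization code is invalid")
    entry["used"] = True  # authorization codes are single-use
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    return 200, headers, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }


def check_error_response(status, body, headers=None):
    """Conformance check for a token-endpoint error response (RFC 6749 section 5.2).

    Returns a list of findings; an empty list means the response conforms.
    """
    findings = []
    error = body.get("error")
    if error not in RFC6749_ERRORS:
        findings.append(f"unknown or missing error code: {error!r}")
    if error == "invalid_client":
        if status not in (400, 401):
            findings.append(f"invalid_client must use HTTP 400 or 401, got {status}")
        if status == 401 and headers is not None and "WWW-Authenticate" not in headers:
            findings.append("HTTP 401 for invalid_client requires a WWW-Authenticate header")
    elif status != 400:
        findings.append(f"error {error!r} must use HTTP 400, got {status}")
    return findings
```

Run against the response described in this issue, `check_error_response(401, {"error": "invalid_grant"})` reports the status-code mismatch, while the expected `400` response passes; the handler also shows that a replayed code is rejected the same way as a bogus one, with 400 and invalid_grant.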
Diagnostic information:
$WLP_OUTPUT_DIR/messages.log
Additional context
This behavior is preventing us from passing the following conformance test defined by https://inferno.healthit.gov/