I'm reading the OAuth2 specs and I'm confused by the unauthorized_client and access_denied error codes. They seem to express the same error condition, don't they? At first glance (by error code) I thought one is for authentication failure and the other for authorisation failure, but they are really both about authorisation failure, which would translate into an HTTP 403 status code.

 unauthorized_client
       The client is not authorized to request an access token
       using this method.

 access_denied
       The resource owner or authorization server denied the
       request.
themihai
  • unauthorized_client comes when your clientId and clientSecret are not matching. access_denied comes when you are a legitimate user but don't have permissions to perform a certain operation. – Azim Jun 25 '16 at 16:12
  • Shouldn't it be an authentication error when the credentials (clientId and clientSecret) are not matching? Why would it be unauthorized_client? The description also says that "The client is not authorized to request an access token", not that the client and secret are wrong. Btw there is a specific error for mismatching credentials: `invalid_grant` - `The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client` – themihai Jun 25 '16 at 16:19
  • The issue I found is in terminology here: In OAuth 2.0, the "client" is your app. The user is called the "resource owner"... confusing for people who don't read the RFC... – Petr Dvořák Dec 02 '18 at 13:16

1 Answer

unauthorized_client: In a practical sense, this error might come up:

  • If the client is requesting a scope which is not allowed
  • Suppose you are going for the refresh token flow but the client configuration on the server doesn't allow that.
  • Similar use cases where the client is trying to do something which is not allowed per the client config on the authz server. In the cases above, the fault lies with the client.

access_denied: This might occur if your client is OK but

  • The resource owner cancelled the OAuth flow (for example, when some client hits Google, a consent page appears where the user can either allow or deny the access)

  • The resource server for some reason feels that this client should not be granted access

As you can see, access_denied is caused by either the resource owner or the server and not by the client.

I hope this helps

Andrew Tobilko
dvsakgec
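To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or any OAuth library): a small, constructed decision routine for an authorization server that returns unauthorized_client when the fault is in the client's own registration (grant type or scope not permitted for that client, as the answer describes) and access_denied when the client is fine but the resource owner refused consent. The client registry, the `evaluate_request` function and the `error_response` helper are all assumptions made up for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    allowed_grant_types: frozenset
    allowed_scopes: frozenset

# Constructed client registry (assumption): "web-app" is registered for the
# authorization_code grant only and may request just two scopes.
CLIENTS = {
    "web-app": RegisteredClient(
        "web-app",
        frozenset({"authorization_code"}),
        frozenset({"openid", "profile"}),
    ),
}

def evaluate_request(client_id, grant_type, scopes, owner_consented):
    """Return (error, description) using the RFC 6749 error vocabulary,
    or (None, None) when the request may proceed.

    unauthorized_client: the client's own configuration forbids what it asked
    for, so the fault is with the client.
    access_denied: the client is properly registered and configured, but the
    resource owner (or the server on its behalf) refused the request.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        # Unknown client: failed client identification, not a policy decision.
        return "invalid_client", "unknown client_id"
    if grant_type not in client.allowed_grant_types:
        return "unauthorized_client", f"grant type {grant_type} not allowed for this client"
    if not set(scopes) <= client.allowed_scopes:
        return "unauthorized_client", "requested scope not allowed for this client"
    if not owner_consented:
        # The user pressed "Deny" on the consent page; nothing is wrong with the client.
        return "access_denied", "the resource owner denied the request"
    return None, None

def error_response(error, description):
    """Shape the decision as the JSON error body an OAuth 2.0 endpoint returns."""
    return {"error": error, "error_description": description}
```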