
I'm integrating with Google OpenID Connect as a relying party, using the authorization code flow. If I send an invalid parameter in the AuthenticationRequest, e.g. an invalid value for scope, Google presents the error in a web page saying e.g. "Some requested scopes were invalid...".

The OpenID Connect spec (and the OAuth spec) clearly states that: "Unless the Redirection URI is invalid, the Authorization Server returns the Client to the Redirection URI specified in the Authorization Request with the appropriate error and state parameters."

Am I doing something wrong in my request, or am I misinterpreting the specification, or are Google just not conformant when it comes to sending error responses?

1 Answer


Sounds to me like Google is a little non-conformant here:

  • Step 10 of my blog post shows the standards-based behaviour

As a developer of an OIDC client, you need to accept that some invalid input will be displayed in the browser:

  • Invalid client_id / redirect_uri

I tend to use an invalid scope to test error responses - it is handy for that - and I guess you're doing the same.

Solutions from the big cloud vendors often have this type of annoyance, when all that we want as consumers is a standards-based solution.

– Gary Archer
  • OK, thanks, good to know that I'm not the only one seeing this. And I agree, client_id and redirect_uri errors should not (and often cannot) be returned to the client, so these errors need to be handled in another way. – Magnus Hoflin Sep 22 '20 at 07:32
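The two situations discussed above, the spec's redirect-based error response (error, error_description and state sent back to the redirect URI) and the no-redirect case where the browser simply shows the provider's own error page, as an added example of the relying-party side. This is not code from the original post, from Gary Archer's blog, or from Google: the authorization endpoint, client_id and redirect_uri are placeholders, the pending-login store is an in-memory stand-in for a session store, and the "responses" are constructed redirect URLs of the shape the OAuth 2.0 / OIDC Core error response describes, so nothing touches the network.

```python
"""OIDC relying party: send the authentication request, then classify what
comes back to the redirect URI (code, spec error response, or nothing).

Added example; values below are assumptions, not a real registration.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZATION_ENDPOINT = "https://op.example.com/authorize"   # assumed
CLIENT_ID = "example-client-id"                               # assumed
REDIRECT_URI = "https://rp.example.com/callback"              # assumed
LOGIN_TTL_SECONDS = 300


class PendingLogins:
    """Outstanding authentication requests keyed by their state value.

    In-memory for the example; a real RP keeps this in the user's session or
    a server-side store so the state can be matched on the callback.
    """

    def __init__(self, ttl_seconds=LOGIN_TTL_SECONDS):
        self.ttl = ttl_seconds
        self._entries = {}  # state -> {"nonce": ..., "started": ...}

    def add(self, state, nonce, now):
        self._entries[state] = {"nonce": nonce, "started": now}

    def pop(self, state, now):
        """Consume a state exactly once; unknown or expired states give None."""
        entry = self._entries.pop(state, None)
        if entry is None or now - entry["started"] > self.ttl:
            return None
        return entry

    def expired(self, now):
        """Logins that never came back to the redirect URI.

        This is the only signal the RP gets when the OP refused to redirect
        (invalid client_id / redirect_uri, or a provider that shows its own
        error page instead of returning error and state) or the user left.
        """
        stale = [s for s, e in self._entries.items() if now - e["started"] > self.ttl]
        for s in stale:
            del self._entries[s]
        return stale


def build_authentication_request(pending, now, scope="openid email"):
    """Build the authorization code flow request URL; returns (url, state)."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    pending.add(state, nonce, now)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", state


def handle_callback(callback_url, pending, now):
    """Classify what arrived at the redirect URI.

    Returns one of:
      ("code", authorization_code, nonce)   successful authentication response
      ("error", error, error_description)   spec error response sent via redirect
      ("rejected", reason)                  something the RP must not act on

    The state check runs before anything else, so neither a forged error nor
    a forged code is processed against a login this RP did not start.
    """
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    state = query.get("state", [None])[0]
    if state is None:
        return ("rejected", "missing state")
    entry = pending.pop(state, now)
    if entry is None:
        return ("rejected", "unknown, replayed or expired state")
    if "error" in query:
        return ("error", query["error"][0], query.get("error_description", [""])[0])
    if "code" in query:
        return ("code", query["code"][0], entry["nonce"])
    return ("rejected", "response carries neither code nor error")


def op_error_redirect(redirect_uri, state, error, description):
    """Constructed stand-in for a conformant OP's error response: for a bad
    request with a valid redirect_uri it redirects back with error and state."""
    return f"{redirect_uri}?{urlencode({'error': error, 'error_description': description, 'state': state})}"


if __name__ == "__main__":
    pending = PendingLogins()
    url, state = build_authentication_request(pending, now=0, scope="openid bogus")
    print(handle_callback(op_error_redirect(REDIRECT_URI, state, "invalid_scope", "bad scope"), pending, now=1))
    _, state2 = build_authentication_request(pending, now=10)
    print("never redirected:", pending.expired(now=10 + LOGIN_TTL_SECONDS + 1))
```

The important design point is the order of checks in handle_callback: state is validated and consumed before the error branch, so an attacker cannot cancel or hijack someone else's login by sending a crafted error redirect, and a replayed callback is rejected whether it carries a code or an error. For the case the answer describes, where the provider shows its own page and never redirects, the RP has no callback to handle at all; the expired() sweep is how it notices those abandoned logins and cleans up.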