What's the difference between unauthorized_client and access_denied

Tags: oauth2, rfc6749

I'm reading the OAuth2 specs and I'm confused by the unauthorized_client and access_denied error codes. They seem to express the same error condition, don't they? At first glance (by error code) I thought one was for authentication failure and the other for authorisation failure, but they are really both about authorisation failure, which would translate into an HTTP 403 status code.

 unauthorized_client
       The client is not authorized to request an access token
       using this method.

 access_denied
       The resource owner or authorization server denied the
       request.
asked Jun 25 '16 14:06 by themihai



1 Answer

unauthorized_client: In a practical sense this error might come:

  • If the client is requesting a scope which is not allowed
  • Suppose you are going for the refresh token flow but the client configuration on the server doesn't allow that.
  • Similar use cases where the client is trying to do something which is not allowed as per the client config on the authz server.

Now the above issue occurs with the fault being with the client.

access_denied: This might occur if your client is OK but

  • The resource owner cancelled the OAuth flow (for example, when some client hits Google, a consent page appears where the user can either allow or deny the access)

  • If the resource server for some reason feels that this client should not be granted the access

As you can see, access_denied is caused by either the resource owner or the server and not because of the client.

I hope this helps

answered Sep 30 '22 13:09 by dvsakgec
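As an added example (not code from the question, the answer, or any OAuth library), the toy authorization-server routine below encodes the distinction the answer draws: faults in the client's own registration (a grant type or scope not enabled for that client) yield unauthorized_client, while a resource owner declining consent or a server-side policy refusal yields access_denied. It also shows how each endpoint delivers the error under RFC 6749: the authorization endpoint redirects the user agent back to the registered redirect_uri with error and state in the query string (and refuses to redirect at all when the requested redirect_uri does not match the registration), while the token endpoint answers HTTP 400 with a JSON body. ClientConfig, AuthzRequest, decide, authorization_endpoint_error, token_endpoint_error and the CLIENTS registrations are this example's own names and constructed sample data.

```python
"""Toy OAuth 2.0 authorization-server decision logic (added example, not from
the page or any real library). Maps request failures to RFC 6749 error codes."""
import json
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode


@dataclass(frozen=True)
class ClientConfig:
    client_id: str
    allowed_grant_types: frozenset   # e.g. {"authorization_code", "refresh_token"}
    allowed_scopes: frozenset
    redirect_uri: str                # the single registered redirection URI


@dataclass(frozen=True)
class AuthzRequest:
    client_id: str
    grant_type: str
    scopes: frozenset
    redirect_uri: str
    state: str = ""


# Constructed sample client registrations; the ids and URIs are not real.
CLIENTS = {
    "web-app": ClientConfig("web-app",
                            frozenset({"authorization_code", "refresh_token"}),
                            frozenset({"profile", "email"}),
                            "https://app.example/cb"),
    "kiosk": ClientConfig("kiosk",
                          frozenset({"authorization_code"}),
                          frozenset({"profile"}),
                          "https://kiosk.example/cb"),
}


def decide(client: ClientConfig, req: AuthzRequest, owner_consented: bool,
           server_policy_allows: bool = True) -> Tuple[Optional[str], str]:
    """Return (error_code, description); error_code is None on success.

    Client-configuration faults are checked first: the client is asking for
    something its registration does not permit, so the fault lies with the
    client and the code is unauthorized_client. Only then do we consult the
    resource owner and server policy, whose refusals are access_denied."""
    if req.grant_type not in client.allowed_grant_types:
        return ("unauthorized_client",
                f"grant type {req.grant_type!r} is not enabled for this client")
    if not req.scopes <= client.allowed_scopes:
        # The answer above files this under unauthorized_client. RFC 6749 also
        # defines invalid_scope for unknown or malformed scope values, so check
        # which convention your server follows before writing detections on it.
        extra = sorted(req.scopes - client.allowed_scopes)
        return ("unauthorized_client",
                f"client is not permitted to request scope(s) {extra}")
    if not owner_consented:
        return "access_denied", "the resource owner declined the request"
    if not server_policy_allows:
        return "access_denied", "authorization server policy denied the request"
    return None, "ok"


def authorization_endpoint_error(client: ClientConfig, req: AuthzRequest,
                                 code: str, desc: str) -> Tuple[int, str]:
    """Error delivery for the authorization endpoint (RFC 6749 section 4.1.2.1):
    redirect back to the client with error, error_description and state in the
    query. A redirect_uri that does not match the registration must never be
    followed, so the error is returned to the user agent directly instead."""
    if req.redirect_uri != client.redirect_uri:
        return 400, "redirect_uri does not match registration; not redirecting"
    params = {"error": code, "error_description": desc}
    if req.state:
        params["state"] = req.state   # echo state so the client can correlate
    return 302, client.redirect_uri + "?" + urlencode(params)


def token_endpoint_error(code: str, desc: str) -> Tuple[int, str]:
    """Error delivery for the token endpoint (RFC 6749 section 5.2): a JSON
    body with HTTP 400 (the spec allows 401 for invalid_client only)."""
    return 400, json.dumps({"error": code, "error_description": desc})


if __name__ == "__main__":
    # The kiosk client is only registered for authorization_code, so a
    # refresh_token request is the client's fault: unauthorized_client.
    kiosk_req = AuthzRequest("kiosk", "refresh_token", frozenset({"profile"}),
                             "https://kiosk.example/cb", state="abc")
    print(decide(CLIENTS["kiosk"], kiosk_req, owner_consented=True))
    # A properly registered client whose user clicks "Deny": access_denied.
    web_req = AuthzRequest("web-app", "authorization_code", frozenset({"email"}),
                           "https://app.example/cb", state="xyz")
    code, desc = decide(CLIENTS["web-app"], web_req, owner_consented=False)
    print(authorization_endpoint_error(CLIENTS["web-app"], web_req, code, desc))
```

Keeping the two checks in this order matters for triage: an unauthorized_client in your logs points at a client registration or a misbehaving client, whereas a burst of access_denied points at users declining consent or at a server-side policy, so the two codes should not be bucketed together as a generic 403.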