Request for a change in FAPI CIBA Test fapi-ciba-id1-ensure-client-assertion-signature-algorithm-in-backchannel-authorization-request-is-RS256-fails
What did you do?
I ran fapi-ciba-id1-test-plan with variant client_auth_type=private_key_jwt, ciba_mode=poll, fapi_profile=plain_fapi, client_registration=static_client.
What did you expect would happen?
Request for a small change for test fapi-ciba-id1-ensure-client-assertion-signature-algorithm-in-backchannel-authorization-request-is-RS256-fails to make it pass when 400 is returned.
What did happen?
The test fapi-ciba-id1-ensure-client-assertion-signature-algorithm-in-backchannel-authorization-request-is-RS256-fails failed on step CheckBackchannelAuthenticationEndpointErrorHttpStatus, which expects 401, but the product returns 400 with invalid_client.
Please reference and quote any relevant OAuth2 / OpenID Connect / FAPI specification clauses that support your expectations
CIBA provides guidance on the use of 401 and invalid_client in conjunction. However, it may be somewhat incongruent with HTTP Semantics for 401, which requires that the response MUST send a WWW-Authenticate header field in this case.
Would it be possible to make the step's expectation slightly more lenient so that both 401 and 400 work? Or at least mark the test as WARNING instead of FAILURE when 400 is returned, since it doesn't actually lower the security standards.
If the problem relates to a test, please provide a link to the log-detail.html page on our server (the test result does NOT need to be 'published')
https://www.certification.openid.net/log-detail.html?log=atalkmTMcpFTYTx
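The check the issue asks to relax, written out as an added Python example (this is not the conformance suite's own Java code and is not the behaviour of the CheckBackchannelAuthenticationEndpointErrorHttpStatus step; it only illustrates the logic the report discusses). The function name check_backchannel_auth_error, the ErrorResponse container, the PASS/WARNING/FAILURE result names and the lenient flag are all assumptions made for this example. The sample responses at the bottom are constructed, not taken from the linked log. The strict mode follows the page's reading of CIBA (invalid_client together with HTTP 401); the lenient mode downgrades a 400 with invalid_client to WARNING, as the reporter proposes. Flagging a 401 that lacks a WWW-Authenticate header as a WARNING is an addition based on the HTTP Semantics point raised in the report, not something the test plan is stated to do.

```python
"""Illustrative check of a CIBA backchannel authentication error response.

Added example; not the OpenID conformance suite's code. Names and the
PASS/WARNING/FAILURE classification are assumptions for this illustration.
"""
import json
from dataclasses import dataclass, field

PASS, WARNING, FAILURE = "PASS", "WARNING", "FAILURE"


@dataclass
class ErrorResponse:
    """Minimal view of an HTTP error response from the backchannel endpoint."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def check_backchannel_auth_error(resp: ErrorResponse, lenient: bool = False):
    """Classify a client-authentication failure response.

    Returns (result, reason). Strict mode (lenient=False) requires
    error=invalid_client with HTTP 401, which is how the report reads CIBA.
    Lenient mode accepts HTTP 400 with invalid_client as a WARNING instead
    of a FAILURE, which is the change the reporter asks for.
    """
    # The error body must be a JSON object carrying the OAuth2 error code.
    try:
        body = json.loads(resp.body)
    except ValueError:
        return FAILURE, "response body is not valid JSON"
    if not isinstance(body, dict):
        return FAILURE, "response body is not a JSON object"

    error = body.get("error")
    if error != "invalid_client":
        return FAILURE, f"expected error=invalid_client, got {error!r}"

    # HTTP header names are case-insensitive; normalise before lookup.
    headers = {name.lower(): value for name, value in resp.headers.items()}

    if resp.status == 401:
        # HTTP Semantics requires a 401 to carry WWW-Authenticate; CIBA's
        # 401 + invalid_client pairing is what the strict check expects.
        # Treating the missing header as a WARNING is this example's choice.
        if "www-authenticate" not in headers:
            return WARNING, "HTTP 401 without a WWW-Authenticate header"
        return PASS, "HTTP 401 with invalid_client and WWW-Authenticate"

    if resp.status == 400:
        if lenient:
            return WARNING, "HTTP 400 with invalid_client accepted leniently; CIBA expects 401"
        return FAILURE, "expected HTTP 401 for invalid_client, got 400"

    return FAILURE, f"expected HTTP 401 for invalid_client, got {resp.status}"


if __name__ == "__main__":
    # Constructed sample responses, not taken from any real log.
    samples = {
        "product under test": ErrorResponse(
            400, {"Content-Type": "application/json"},
            '{"error":"invalid_client","error_description":"bad client assertion"}'),
        "spec-conformant": ErrorResponse(
            401, {"WWW-Authenticate": 'Bearer realm="op"'},
            '{"error":"invalid_client"}'),
        "401 missing header": ErrorResponse(401, {}, '{"error":"invalid_client"}'),
    }
    for label, resp in samples.items():
        for lenient in (False, True):
            result, reason = check_backchannel_auth_error(resp, lenient=lenient)
            print(f"{label:20} lenient={lenient!s:5} -> {result}: {reason}")
```

Running the block prints one line per sample and mode; the "product under test" sample is the case from this report, which is FAILURE under the strict rule and WARNING once the lenient flag is set.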