Should we accept additional 4XX error codes for some negative tests?
Using oidcc-refresh-token as an example, the test expects only HTTP 400 (Bad Request), but we're returning HTTP 401 (Unauthorized) which logically makes sense given the refresh token was not authorized. Should the tool be modified to accept 401 Unauthorized?
Additional Info
Actual test log: https://www.certification.openid.net/log-detail.html?log=vp3s8zsshL
This is similar to #712
Edited by Tim Cappalli