automatic-payments_api_invalid-scope_test-module_v1 - 400 BAD_REQUEST at PAR endpoint
1. What happened and what were you expecting?
→ Observed behavior in the test log
The participant is executing the test module using PAR as the authorization request method.
The conformance suite executes the following steps:
• Redirect the user to authorize the consent, sending the scopes as `scope=openid&recurring-payments&consent:{recurringConsentId}`
• Check that an error is returned at the redirect and that no authorization code is sent back
Because PAR is being used, the conformance suite first calls the PAR endpoint, sending the invalid scopes in the request body,
which results in a 400 BAD_REQUEST from the authorization server, indicating that the scopes are validated at the PAR endpoint.
Because the error is returned before the redirect, the test module reports a failure.
→ Available specifications
As described in:
OAuth 2.0 Pushed Authorization Requests (RFC 9126)
- Section 2.3, Error Response
"The authorization server returns an error response with the same format as is specified for error responses from the token endpoint in Section 5.2 of [RFC6749] using the appropriate error code from therein or from Section 4.1.2.1 of [RFC6749]"
Although this is described as possible in the specification, we currently do not support an error at the token endpoint when PAR is not used. For example, if an authorization code is returned, then we expect the error at the payment endpoint, and not at the token endpoint during the code exchange.
In that sense, we believe an error should not be accepted at the PAR endpoint, since, according to the specification, it should follow the error responses of the token endpoint, which is currently not supported.
→ What needs to be evaluated:
Since the scenario discussed with the Services WG, described in issue #1545 (closed), did not contemplate this possibility, we would like the WG to confirm the following:
1. Whether we should adjust the engine so that, if PAR is used in this test module, the conformance suite expects a 400 from the PAR endpoint when the request body sent to it carries the scope `consent:{recurringConsentId}` for an Automatic Payments redirection.
2. If the answer to 1 is yes:
   - could an error at the token endpoint, after the authorization, also be possible?
   - is the status code the conformance suite should expect in this scenario in fact 400 for both endpoints?
2. Test Id
| test name | test id | plan id |
|---|---|---|
| automatic-payments_api_invalid-scope_test-module_v1 | oJIMqmDuLdX6LrH | 4LjBxea7B6Hki |
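The two places where the invalid-scope error can surface in the flow described in section 1, as an added example constructed for this page (it is not conformance-suite code nor any authorization server's implementation). It models the same PAR-then-authorize sequence under two server policies: validating the scope when the request is pushed, which produces the HTTP 400 JSON error body of RFC 9126 section 2.3 (format from RFC 6749 section 5.2), and deferring validation to the authorization endpoint, which produces `error=invalid_scope` on the redirect_uri with no authorization code (RFC 6749 section 4.1.2.1). The set of accepted scope tokens, the `recurring-consent:` prefix, the client_id and redirect_uri values, and the `scope_is_valid`, `AuthorizationServer` and `run_flow` names are assumptions made for the model, not values taken from the issue or the specifications.

```python
"""Model of where an invalid scope surfaces in a PAR-based authorization
code flow. Constructed example, not conformance-suite or server code.

policy="par":      scope is validated when the request is pushed; the client
                   gets HTTP 400 with a token-endpoint-style JSON error body
                   (RFC 9126 s2.3, format from RFC 6749 s5.2).
policy="redirect": the PAR endpoint accepts the request and issues a
                   request_uri; the authorization endpoint rejects the scope
                   later and returns error=invalid_scope on the redirect_uri
                   (RFC 6749 s4.1.2.1), never an authorization code.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: scope tokens the modelled automatic-payments server accepts.
VALID_SCOPE_TOKENS = {"openid", "recurring-payments"}
VALID_CONSENT_PREFIX = "recurring-consent:"  # assumption for the model


def scope_is_valid(scope):
    """Scope is space-delimited (RFC 6749 s3.3); every token must be known.
    A 'consent:<id>' token is not on the accepted list for this flow."""
    tokens = scope.split()
    if not tokens:
        return False
    return all(
        t in VALID_SCOPE_TOKENS
        or (t.startswith(VALID_CONSENT_PREFIX) and len(t) > len(VALID_CONSENT_PREFIX))
        for t in tokens
    )


class AuthorizationServer:
    def __init__(self, policy):
        assert policy in ("par", "redirect")
        self.policy = policy
        self._pushed = {}  # request_uri -> pushed authorization request

    def par_endpoint(self, form):
        """POST /par. Returns (http_status, json_body)."""
        if self.policy == "par" and not scope_is_valid(form.get("scope", "")):
            # RFC 9126 s2.3: same shape as an RFC 6749 s5.2 token error.
            return 400, {"error": "invalid_scope",
                         "error_description": "scope not valid for this flow"}
        # RFC 9126 s2.2 request_uri form; the random part is ours.
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._pushed[request_uri] = dict(form)
        return 201, {"request_uri": request_uri, "expires_in": 60}

    def authorization_endpoint(self, client_id, request_uri):
        """GET /authorize?client_id=..&request_uri=.. ; returns the 302 Location."""
        req = self._pushed.pop(request_uri, None)  # single use
        if req is None or req.get("client_id") != client_id:
            raise ValueError("unknown request_uri")
        params = {"state": req["state"]}
        if not scope_is_valid(req.get("scope", "")):
            params["error"] = "invalid_scope"  # RFC 6749 s4.1.2.1, no code issued
        else:
            params["code"] = secrets.token_urlsafe(24)
        return req["redirect_uri"] + "?" + urlencode(params)


def run_flow(policy, scope):
    """Drive a client through PAR + authorize and report where the error appeared."""
    server = AuthorizationServer(policy)
    form = {"client_id": "client-1", "redirect_uri": "https://tpp.example/cb",
            "response_type": "code", "scope": scope, "state": secrets.token_hex(8)}
    status, body = server.par_endpoint(form)
    if status != 201:
        return {"stage": "par", "status": status, "error": body.get("error")}
    location = server.authorization_endpoint("client-1", body["request_uri"])
    qs = parse_qs(urlparse(location).query)
    if "error" in qs:
        return {"stage": "redirect", "error": qs["error"][0], "code": None}
    return {"stage": "redirect", "error": None, "code": qs["code"][0]}


if __name__ == "__main__":
    # Constructed scope values; the consent id is a placeholder.
    bad = "openid recurring-payments consent:urn:example:recurring-consent-id"
    for policy in ("par", "redirect"):
        print(policy, run_flow(policy, bad))
    print("good", run_flow("par", "openid recurring-payments recurring-consent:urn:example:id"))
```

A test engine that only inspects the redirect (the second bullet in section 1) never sees the `policy="par"` outcome, because the flow ends at the pushed request with a 400 and no redirect ever happens; the check that "no authorization code is sent back" holds in both branches, but the place where the error is observed differs.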