Error Handling Test Case Reviewer
Review test cases for error handling in OpenID Connect Basic OP.
Scope
Feature : Error ResponsesSpecifications : OAuth 2.1 Section 4.1.2.1, 5.2; OIDC Core 1.0 Section 3.1.2.6Profile : Basic OP (Authorization Code Flow)
Review Process
Identify which error scenario the test targets
Check against the checklist below
Verify correct error code is returned
Ensure response format matches specification
Report gaps with specific spec section references
Authorization Endpoint Errors
OAuth 2.1 Error Codes (Section 4.1.2.1)
Error Code
Condition
Spec
invalid_requestMissing/malformed parameter, duplicate parameter
OAuth 2.1 4.1.2.1
unauthorized_clientClient not authorized for grant type
OAuth 2.1 4.1.2.1
access_deniedResource owner or AS denied request
OAuth 2.1 4.1.2.1
unsupported_response_typeresponse_type not supported
OAuth 2.1 4.1.2.1
invalid_scopeInvalid, unknown, or malformed scope
OAuth 2.1 4.1.2.1
server_errorUnexpected condition (use sparingly)
OAuth 2.1 4.1.2.1
temporarily_unavailableServer temporarily overloaded
OAuth 2.1 4.1.2.1
OIDC-Specific Error Codes (Section 3.1.2.6)
Error Code
Condition
Spec
interaction_requiredprompt=none but End-User interaction needed
OIDC Core 3.1.2.6
login_requiredprompt=none but End-User not authenticated
OIDC Core 3.1.2.6
account_selection_requiredprompt=none but account selection needed
OIDC Core 3.1.2.6
consent_requiredprompt=none but consent required
OIDC Core 3.1.2.6
invalid_request_urirequest_uri invalid or unreachable
OIDC Core 3.1.2.6
invalid_request_objectRequest Object invalid
OIDC Core 3.1.2.6
request_not_supportedOP doesn't support request parameter
OIDC Core 3.1.2.6
request_uri_not_supportedOP doesn't support request_uri parameter
OIDC Core 3.1.2.6
registration_not_supportedOP doesn't support registration parameter
OIDC Core 3.1.2.6
Authorization Error Response Format
For Authorization Code flow, errors returned in query component :
http Copy HTTP/1.1 302 Found
Location: https://client.example.org/cb?
error=invalid_request
&error_description=Unsupported%20response_type%20value
&state=af0ifjsldkj
Token Endpoint Errors
OAuth 2.1 Error Codes (Section 5.2)
Error Code
Condition
Spec
invalid_requestMissing/malformed parameter
OAuth 2.1 5.2
invalid_clientClient authentication failed
OAuth 2.1 5.2
invalid_grantInvalid/expired code, redirect_uri mismatch, PKCE failure
OAuth 2.1 5.2
unauthorized_clientClient not authorized for grant type
OAuth 2.1 5.2
unsupported_grant_typegrant_type not supported
OAuth 2.1 5.2
invalid_scopeRequested scope exceeds grant
OAuth 2.1 5.2
Token Error Response Format
Errors returned as JSON with HTTP 400 (or 401 for invalid_client):
http Copy HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
{
"error": "invalid_grant",
"error_description": "Authorization code expired"
}
HTTP Status Codes
Error
HTTP Status
invalid_client401 (if via Authorization header) or 400
All others
400
Error Response Parameters
Parameter
Required
Description
errorREQUIRED
ASCII error code
error_descriptionOPTIONAL
Human-readable description (ASCII)
error_uriOPTIONAL
URI with error information
stateREQUIRED if in request
Exact value from request
Test Cases Checklist
Missing Required Parameters
Scenario
Expected Error
Endpoint
[ ] Missing response_type
invalid_requestAuthorization
[ ] Missing client_id
invalid_requestAuthorization
[ ] Missing scope
invalid_requestAuthorization
[ ] Missing openid in scope
invalid_scopeAuthorization
[ ] Missing grant_type
invalid_requestToken
[ ] Missing code
invalid_requestToken
[ ] Missing code_verifier (when required)
invalid_grantToken
Invalid Parameters
Scenario
Expected Error
Endpoint
[ ] Unknown response_type
unsupported_response_typeAuthorization
[ ] Unregistered redirect_uri
invalid_requestAuthorization
[ ] Invalid redirect_uri format
invalid_requestAuthorization
[ ] Invalid client_id
unauthorized_client or invalid_requestAuthorization
[ ] Invalid/expired code
invalid_grantToken
[ ] Code already used
invalid_grantToken
[ ] PKCE verification failure
invalid_grantToken
[ ] Client authentication failure
invalid_clientToken
prompt=none Specific Errors
Scenario
Expected Error
[ ] User not authenticated
login_required
[ ] Consent not yet given
consent_required
[ ] Multiple accounts, selection needed
account_selection_required
[ ] Any interaction needed
interaction_required
Redirect URI Edge Cases
Scenario
Expected Behavior
[ ] Invalid/unregistered redirect_uri
MUST NOT redirect, display error
[ ] Valid redirect_uri but error occurred
Redirect with error in query
[ ] Error with state in request
Include state in error response
Error Response Validation Checklist
Check
Requirement
[ ] error parameter present
[ ] error value is valid code
[ ] state returned if sent
[ ] No redirect for invalid redirect_uri
[ ] Correct HTTP status code
[ ] JSON Content-Type for token endpoint
[ ] No caching headers (Cache-Control: no-store)
Conformance Test IDs
Test ID
Scenario
OP-Response-Missing
Missing response_type → error
OP-redirect_uri-NotReg
Unregistered redirect_uri → error
OP-OAuth-2nd
Reused code → error
OP-OAuth-2nd-30s
Code reuse after 30s → error
Review Output Format
Copy ## Test Case: [Name]
### Target Feature: Error Handling - [specific scenario]
### Test ID: OP-Error-[xxx]
### Spec Compliance:
- [x] Covers required behavior per [spec section]
- [ ] Missing: [specific requirement]
### Error Response:
- [x/blank] Correct error code
- [x/blank] Correct HTTP status
- [x/blank] state included if sent
### Verdict: PASS / FAIL / PARTIAL
### Recommendations: [if any]