Closed
Labels
area/token-exchange, kind/enhancement, release/26.0.0, team/core-clients
Description
We need to change the error response value from INVALID_TOKEN to invalid_request.
Discussion
No response
Motivation
The spec in RFC8693 says “Other error codes may also be used, as appropriate.”, and this may allow the currently used error codes, but since the paragraphs above say MUST be, we need to adapt the error codes in the response.
Perhaps we can use error_description for the old “error code” used by Keycloak.
Details
Currently Keycloak returns INVALID_TOKEN instead of invalid_request, but invalid_request must be used as the value of the error field in the error response.
Current error response with an invalid_subject token
{
  "error": "invalid_token",
  "error_description": "Invalid token"
}
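A conformance check for the behaviour this issue asks for, as an added example that is not part of the original issue or Keycloak's code. The function names, the HTTP 400 expectation and the character-set check (both from RFC 6749 section 5.2) are assumptions beyond what the issue states; the sample body is the one quoted above.

```python
import json
import re

# RFC 6749 section 5.2: characters allowed in "error_description".
_ALLOWED = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]*")
# RFC 8693 section 2.2.2: code required when subject_token/actor_token is invalid.
REQUIRED_ERROR = "invalid_request"


def check_invalid_token_response(status, raw_body):
    """Return the conformance problems in the error response a server sent
    for a token exchange request with an invalid subject_token.
    An empty list means the response conforms."""
    problems = []
    if status != 400:  # assumption: RFC 6749 section 5.2 default status
        problems.append(f"HTTP status is {status}, expected 400")
    try:
        body = json.loads(raw_body)
    except ValueError:
        return problems + ["body is not JSON"]
    if not isinstance(body, dict):
        return problems + ["body is not a JSON object"]
    error = body.get("error")
    if not isinstance(error, str):
        problems.append("missing or non-string 'error' member")
    elif error != REQUIRED_ERROR:
        # Error codes are case-sensitive, so INVALID_REQUEST fails as well.
        problems.append(f"error is {error!r}, expected {REQUIRED_ERROR!r}")
    desc = body.get("error_description")
    if desc is not None and not (isinstance(desc, str) and _ALLOWED.fullmatch(desc)):
        problems.append("error_description has characters outside the allowed set")
    return problems


def to_rfc8693_error(legacy_body):
    """Hypothetical mapping: keep the old code in error_description,
    as the issue suggests, and report invalid_request as the error."""
    old_code = legacy_body.get("error", "")
    old_desc = legacy_body.get("error_description", "")
    desc = f"{old_code}: {old_desc}" if old_desc else old_code
    return {"error": REQUIRED_ERROR, "error_description": desc}


# Constructed sample: the current response body quoted in the issue.
CURRENT = '{"error": "invalid_token", "error_description": "Invalid token"}'

if __name__ == "__main__":
    print(check_invalid_token_response(400, CURRENT))
    print(to_rfc8693_error(json.loads(CURRENT)))
```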