Skip to main content

6.3. Request Parameter Assembly and Validation

6.3. Request Parameter Assembly and Validation

The authorization server MUST extract the set of authorization request parameters from the Request Object value. The authorization server MUST only use the parameters in the Request Object, even if the same parameter is provided in the query parameter. The client ID values in the client_id request parameter and in the Request Object client_id claim MUST be identical. The authorization server then validates the request, as specified in OAuth 2.0 [RFC6749].

If the Client ID check or the request validation fails, then the authorization server MUST return an error to the client in response to the authorization request, as specified in Section 5.2 of [RFC6749] (OAuth 2.0).

Last updated on