By: Travis Salyer user 21 Jan 2022 at 7:42 a.m. CST

Expected: Documentation matches the implementation for the OIDC Token Endpoint API documentation for version 4.3.

Actual: The required inputs that the token endpoint API documentation lists for the authorization code grant type do not match what the implementation actually validates. The documentation says that `client_assertion` and `client_assertion_type` are both required inputs and that the `redirect_uri` is not required when the `grant_type` is set to `authorization_code`. The actual code in the Gluu oxauth repository only validates that the `authorization_code` and `redirect_uri` are present. If the API documentation is followed without looking at the source code, the request is always met with a non-descriptive 400 response. Additionally, there is little to no explanation of which request inputs are required for which grant type.

Token API Endpoint Documentation:

Source code for token API endpoint validation: