Error Response with invalid redirection URI

[user1336]

In the OAuth authorization_code flow, when validating the redirect_uri on the token endpoint, why do we return an unauthorized_client when the redirect_uri is invalid.
Shouldn't this be an invalid_grant according to the spec:

"invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client."
https://tools.ietf.org/html/rfc6749#section-5.2

Edit: mixed the authorize and token endpoint error-responses.

[leastprivilege]

Yep. seems you are right. invalid_grant would be the better error response.

[user1336]

I'll submit a PR!

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.