I'm integrating to Google OpenID Connect as a relying party, using the authorization code flow. If I send in an invalid parameter in the AuthenticationRequest, e.g. an invalid value for scope, Google presents the error in a web page saying e.g. "Some requested scopes were invalid...".
The OpenID Connect spec (and the OAuth spec) clearly states that: "Unless the Redirection URI is invalid, the Authorization Server returns the Client to the Redirection URI specified in the Authorization Request with the appropriate error and state parameters."
Am I doing something wrong in my request, or am I misinterpreting the specification, or are Google just not conformant when it comes to sending error responses?
Sounds to me like Google is a little non-conformant here:
As a developer of an OIDC client you need to accept that some invalid input will be displayed in the browser:
I tend to use an invalid scope to test error responses - it is handy for that - and I guess you're doing the same.
Solutions from the big cloud vendors often have this type of annoyance - when all that we want as consumers is a standards based solution.