> On 8 Sep 2025, at 11:46, Zsolt Parragi <zsolt.parragi@percona.com> wrote:
>
>> AFAICT adding this would not violate the RFC but it is "NOT RECOMMENDED".
>
> I didn't test Okta yet, but it worked with all other providers I tried
> so far. I try to verify this with Okta and modify it if it doesn't
> work
Great, thanks!
> , but I think this isn't clear in the RFCs:
> ...
Unfortunately that's true for most of the OAuth-related RFCs, they are in places
wishy-washy at best.
>> It doesn't seem in line with the specification, which error are they sending
>> 428 for? Do they use 401 for invalid_client?
>
> During the wait for the user to enter the device code. It's documented here:
>
> https://developers.google.com/identity/protocols/oauth2/limited-input-device#authorization-pending
Thanks for the reference, I'm not sure we should handle it equally to 400/401
(need to think about that, and am looking forward to Jacob's wisdom on it) but
it should regardless be quite doable to support.
--
Daniel Gustafsson