3.2.5.3.1.3 Processing Details

The steps performed by the AD FS server to process an OAuth 2.0 client's device authorization request are defined in [RFC8628] section 3.2 (Device Authorization Response).

The following additional processing steps are expected as a result of the extensions included in this document:

  • If the OAuth 2.0 client specified either the client-request-id query parameter or the client-request-id HTTP header in the access token request, the AD FS server MUST use the request identifier specified in the request when logging errors or failures that occur while processing that access token request.

  • If the OAuth 2.0 client specifies both the client-request-id query parameter and the client-request-id HTTP header, the AD FS server MUST use the value specified in the query parameter when logging errors or failures that occur while processing that authorization request, and MUST ignore the value specified in the HTTP header.

  • If the AD FS server encountered an internal error when processing the OAuth 2.0 client's device authorization request, it MUST respond to the OAuth 2.0 client according to the requirements of [RFC6749] section 5.2 (Error Response). The REQUIRED error parameter of the response MUST be set to server_error (section 2.2.4.2).

  • If the OAuth 2.0 client specified the resource parameter, the AD FS server MUST validate that the resource parameter specified by the OAuth 2.0 client matches a resource or relying party registered with the AD FS server.

  • If the resource parameter is invalid or not found to be registered on the AD FS server, the AD FS server must respond to the OAuth 2.0 client as per the requirements of [RFC6749] section 4.1.2.1 (Error Response). The REQUIRED error parameter of the response MUST be set to the invalid_request error code as defined in [RFC6749] section 4.1.2.1.
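
The following sketch is an added example, not part of this specification and not AD FS code. It shows the request-identifier precedence, the resource check, and the two error codes from the steps above. The registered-resource set, the `issue` callable, the HTTP 400 status, and the log sanitization step are assumptions made for illustration.

```python
import json
import logging

log = logging.getLogger("device-authz-example")

# Constructed sample registrations (placeholders, not real AD FS configuration).
REGISTERED_RESOURCES = {"https://api.contoso.example/", "urn:example:rp1"}
HEADER = "client-request-id"


def select_request_id(query, headers):
    """Pick the identifier to log under: the query parameter wins over the header."""
    if HEADER in query:
        return query[HEADER]
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return lowered.get(HEADER)


def safe_for_log(value, limit=64):
    """Added hardening (assumption): the id is client-controlled, so drop
    non-printable characters (CR/LF included) and cap its length before logging."""
    if value is None:
        return "-"
    return "".join(c for c in value if c.isprintable())[:limit]


def error_response(code):
    # Assumption: HTTP 400 with a JSON body, as in RFC 6749 section 5.2.
    return 400, json.dumps({"error": code})


def process_device_authorization(query, headers, form, issue):
    """Return (status, body). `issue` is a hypothetical callable that builds the
    RFC 8628 section 3.2 success response from the validated request."""
    rid = safe_for_log(select_request_id(query, headers))
    try:
        resource = form.get("resource")
        if resource is not None and resource not in REGISTERED_RESOURCES:
            log.warning("request_id=%s resource not registered", rid)
            return error_response("invalid_request")
        return 200, json.dumps(issue(form))
    except Exception:
        # Details go to the server log only; the client sees just server_error.
        log.exception("request_id=%s internal error", rid)
        return error_response("server_error")
```

Because the identifier is written to the server log verbatim unless filtered, the sanitization step keeps a client from forging log lines through the query parameter or header.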