What error is returned in case the request object cannot be verified? According to JAR (RFC9101) it is invalid_request_object, but we basically say that for error codes RFC6749 should be followed. In this case, it would be invalid_request.
We need to clarify this ambiguity.
I don't think it helps to have a contradiction with JAR there. We should add a general note to the error response section that generally says that error codes follow what is defined in the relevant OAuth extension if applicable. Possibly it is not needed if OAuth makes this clear enough, but perhaps worthwhile repeating/reminding implementers that those apply. In general, OAuth covers these extension error codes.