Claude-skill-registry error-handling-reviewer

Review test cases for OAuth/OIDC error handling. Covers authorization endpoint errors, token endpoint errors, error response formats, HTTP status codes, and all error codes per OAuth 2.1 and OIDC Core 1.0.

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/error-handling-reviewer" ~/.claude/skills/majiayu000-claude-skill-registry-error-handling-reviewer && rm -rf "$T"

manifest: skills/data/error-handling-reviewer/SKILL.md

source content

Error Handling Test Case Reviewer

Review test cases for error handling in OpenID Connect Basic OP.

Scope

Feature: Error Responses
Specifications: OAuth 2.1 Section 4.1.2.1, 5.2; OIDC Core 1.0 Section 3.1.2.6
Profile: Basic OP (Authorization Code Flow)

Review Process

Identify which error scenario the test targets
Check against the checklist below
Verify correct error code is returned
Ensure response format matches specification
Report gaps with specific spec section references

Authorization Endpoint Errors

OAuth 2.1 Error Codes (Section 4.1.2.1)

Error Code	Condition	Spec
`invalid_request`	Missing/malformed parameter, duplicate parameter	OAuth 2.1 4.1.2.1
`unauthorized_client`	Client not authorized for grant type	OAuth 2.1 4.1.2.1
`access_denied`	Resource owner or AS denied request	OAuth 2.1 4.1.2.1
`unsupported_response_type`	response_type not supported	OAuth 2.1 4.1.2.1
`invalid_scope`	Invalid, unknown, or malformed scope	OAuth 2.1 4.1.2.1
`server_error`	Unexpected condition (use sparingly)	OAuth 2.1 4.1.2.1
`temporarily_unavailable`	Server temporarily overloaded	OAuth 2.1 4.1.2.1

OIDC-Specific Error Codes (Section 3.1.2.6)

Error Code	Condition	Spec
`interaction_required`	prompt=none but End-User interaction needed	OIDC Core 3.1.2.6
`login_required`	prompt=none but End-User not authenticated	OIDC Core 3.1.2.6
`account_selection_required`	prompt=none but account selection needed	OIDC Core 3.1.2.6
`consent_required`	prompt=none but consent required	OIDC Core 3.1.2.6
`invalid_request_uri`	request_uri invalid or unreachable	OIDC Core 3.1.2.6
`invalid_request_object`	Request Object invalid	OIDC Core 3.1.2.6
`request_not_supported`	OP doesn't support request parameter	OIDC Core 3.1.2.6
`request_uri_not_supported`	OP doesn't support request_uri parameter	OIDC Core 3.1.2.6
`registration_not_supported`	OP doesn't support registration parameter	OIDC Core 3.1.2.6

Authorization Error Response Format

For Authorization Code flow, errors returned in query component:

HTTP/1.1 302 Found
Location: https://client.example.org/cb?
  error=invalid_request
  &error_description=Unsupported%20response_type%20value
  &state=af0ifjsldkj

Token Endpoint Errors

OAuth 2.1 Error Codes (Section 5.2)

Error Code	Condition	Spec
`invalid_request`	Missing/malformed parameter	OAuth 2.1 5.2
`invalid_client`	Client authentication failed	OAuth 2.1 5.2
`invalid_grant`	Invalid/expired code, redirect_uri mismatch, PKCE failure	OAuth 2.1 5.2
`unauthorized_client`	Client not authorized for grant type	OAuth 2.1 5.2
`unsupported_grant_type`	grant_type not supported	OAuth 2.1 5.2
`invalid_scope`	Requested scope exceeds grant	OAuth 2.1 5.2

Token Error Response Format

Errors returned as JSON with HTTP 400 (or 401 for invalid_client):

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store

{
  "error": "invalid_grant",
  "error_description": "Authorization code expired"
}

HTTP Status Codes

Error	HTTP Status
`invalid_client`	401 (if via Authorization header) or 400
All others	400

Error Response Parameters

Parameter	Required	Description
`error`	REQUIRED	ASCII error code
`error_description`	OPTIONAL	Human-readable description (ASCII)
`error_uri`	OPTIONAL	URI with error information
`state`	REQUIRED if in request	Exact value from request

Test Cases Checklist

Missing Required Parameters

Scenario	Expected Error	Endpoint
[ ] Missing response_type	`invalid_request`	Authorization
[ ] Missing client_id	`invalid_request`	Authorization
[ ] Missing scope	`invalid_request`	Authorization
[ ] Missing openid in scope	`invalid_scope`	Authorization
[ ] Missing grant_type	`invalid_request`	Token
[ ] Missing code	`invalid_request`	Token
[ ] Missing code_verifier (when required)	`invalid_grant`	Token

Invalid Parameters

Scenario	Expected Error	Endpoint
[ ] Unknown response_type	`unsupported_response_type`	Authorization
[ ] Unregistered redirect_uri	`invalid_request`	Authorization
[ ] Invalid redirect_uri format	`invalid_request`	Authorization
[ ] Invalid client_id	`unauthorized_client` or `invalid_request`	Authorization
[ ] Invalid/expired code	`invalid_grant`	Token
[ ] Code already used	`invalid_grant`	Token
[ ] PKCE verification failure	`invalid_grant`	Token
[ ] Client authentication failure	`invalid_client`	Token

prompt=none Specific Errors

Scenario	Expected Error
[ ] User not authenticated	`login_required`
[ ] Consent not yet given	`consent_required`
[ ] Multiple accounts, selection needed	`account_selection_required`
[ ] Any interaction needed	`interaction_required`

Redirect URI Edge Cases

Scenario	Expected Behavior
[ ] Invalid/unregistered redirect_uri	MUST NOT redirect, display error
[ ] Valid redirect_uri but error occurred	Redirect with error in query
[ ] Error with state in request	Include state in error response

Error Response Validation Checklist

Check	Requirement
[ ] `error` parameter present
[ ] `error` value is valid code
[ ] `state` returned if sent
[ ] No redirect for invalid redirect_uri
[ ] Correct HTTP status code
[ ] JSON Content-Type for token endpoint
[ ] No caching headers (Cache-Control: no-store)

Conformance Test IDs

Test ID	Scenario
OP-Response-Missing	Missing response_type → error
OP-redirect_uri-NotReg	Unregistered redirect_uri → error
OP-OAuth-2nd	Reused code → error
OP-OAuth-2nd-30s	Code reuse after 30s → error

Review Output Format

## Test Case: [Name]
### Target Feature: Error Handling - [specific scenario]
### Test ID: OP-Error-[xxx]
### Spec Compliance:
- [x] Covers required behavior per [spec section]
- [ ] Missing: [specific requirement]
### Error Response:
- [x/blank] Correct error code
- [x/blank] Correct HTTP status
- [x/blank] state included if sent
### Verdict: PASS / FAIL / PARTIAL
### Recommendations: [if any]