themihai

Reputation: 8631

What's the difference between unauthorized_client and access_denied

I'm reading the OAuth2 specs and I'm confused by the unauthorized_client and access_denied error codes. They seem to express the same error condition, don't they? At first glance (by error code) I thought one was for authentication failure and the other for authorisation failure, but they are really both about authorisation failure, which would translate into an HTTP 403 status code.

 unauthorized_client
       The client is not authorized to request an access token
       using this method.

 access_denied
       The resource owner or authorization server denied the
       request.

Upvotes: 14

Views: 28612

Answers (1)

dvsakgec

Reputation: 3774

unauthorized_client: In a practical sense this error might occur:

  • If the client is requesting a scope which is not allowed
  • Suppose you are going for the refresh token flow but the client configuration on the server doesn't allow that.
  • Similar use cases where the client is trying to do something which is not allowed as per the client config on the authz server. The above issues occur with the fault being with the client.

access_denied: This might occur if your client is OK but

  • The resource owner cancelled the OAuth flow (for example, when some client hits Google, a consent page appears where the user can either allow or deny the access)

  • If the resource server for some reason feels that this client should not be granted the access

As you can see, access_denied is caused by either the resource owner or the server and not by the client

I hope this helps

Upvotes: 16
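To make the distinction concrete, here is an added example (not from the question, the answer, or any real authorization server) of the decision logic an authorization server runs at both endpoints. The client registry, the `owner_approves` flag standing in for a consent screen, the `server_policy_allows` hook and the status codes chosen for the non-redirect cases are all assumptions; the error codes, the redirect-based delivery for the authorization endpoint and the HTTP 400 JSON body for the token endpoint follow RFC 6749. The point it shows: unauthorized_client is decided purely from the client's registration (response type or grant type it is not enabled for), while access_denied is returned for a correctly registered client when the resource owner or the server's own policy refuses.

```python
"""Minimal authorization-server decision logic contrasting
unauthorized_client and access_denied. Added example; the registry,
hooks and helper names below are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class ClientConfig:
    client_id: str
    redirect_uris: frozenset   # registered redirect URIs
    response_types: frozenset  # authorization endpoint: "code", "token"
    grant_types: frozenset     # token endpoint: "authorization_code", "refresh_token"
    scopes: frozenset          # scopes this client may ask for


# Constructed sample registry (assumption, not from the original page).
CLIENTS = {
    "web-app": ClientConfig(
        "web-app", frozenset({"https://app.example/cb"}),
        frozenset({"code"}), frozenset({"authorization_code", "refresh_token"}),
        frozenset({"read", "write"})),
    "kiosk": ClientConfig(
        "kiosk", frozenset({"https://kiosk.example/cb"}),
        frozenset({"token"}), frozenset(), frozenset({"read"})),
}


def _error_redirect(redirect_uri, error, description, state):
    """RFC 6749 4.1.2.1: authorization-endpoint errors go back to the
    client's redirect URI as query parameters, echoing state if present."""
    params = {"error": error, "error_description": description}
    if state is not None:
        params["state"] = state
    return redirect_uri + "?" + urlencode(params)


def authorize(client_id, redirect_uri, response_type, scope, state,
              owner_approves, server_policy_allows=lambda client, scopes: True):
    """Authorization endpoint. owner_approves models the consent screen,
    server_policy_allows models server-side policy (both assumptions)."""
    client = CLIENTS.get(client_id)
    # Unknown client or unregistered redirect_uri: the spec says to inform the
    # resource owner and NOT redirect, so no error is sent to the client at all.
    if client is None or redirect_uri not in client.redirect_uris:
        return {"status": 400, "error": "invalid_request", "redirect": None}
    requested = frozenset(scope.split()) if scope else frozenset()
    # unauthorized_client: the fault lies in the client's own registration,
    # e.g. a client registered only for the implicit flow asking for a code.
    if response_type not in client.response_types:
        return {"status": 302, "error": "unauthorized_client",
                "redirect": _error_redirect(redirect_uri, "unauthorized_client",
                                            "client may not use response_type " + response_type, state)}
    # A scope outside the client's registration is its own spec error code.
    if not requested <= client.scopes:
        return {"status": 302, "error": "invalid_scope",
                "redirect": _error_redirect(redirect_uri, "invalid_scope",
                                            "scope not permitted for this client", state)}
    # access_denied: the client is fine, but the resource owner (consent
    # screen) or the authorization server's own policy refuses this request.
    if not owner_approves or not server_policy_allows(client, requested):
        return {"status": 302, "error": "access_denied",
                "redirect": _error_redirect(redirect_uri, "access_denied",
                                            "resource owner or authorization server denied the request", state)}
    # Success: a real server would mint and store a short-lived, single-use code.
    success = {"code": "constructed-code"}
    if state is not None:
        success["state"] = state
    return {"status": 302, "error": None, "redirect": redirect_uri + "?" + urlencode(success)}


def token(client_id, grant_type):
    """Token endpoint. RFC 6749 5.2: errors are an HTTP 400 JSON body, so a
    client not enabled for refresh_token gets unauthorized_client here."""
    client = CLIENTS.get(client_id)
    if client is None:
        return 400, {"error": "invalid_client"}
    if grant_type not in client.grant_types:
        return 400, {"error": "unauthorized_client",
                     "error_description": "grant_type %s not enabled for this client" % grant_type}
    return 200, {"access_token": "constructed-token", "token_type": "Bearer"}


if __name__ == "__main__":
    print(authorize("kiosk", "https://kiosk.example/cb", "code", "read", "xyz", True))
    print(authorize("web-app", "https://app.example/cb", "code", "read", "xyz", False))
    print(token("kiosk", "refresh_token"))
```

Note the ordering: registration checks (unauthorized_client, invalid_scope) run before the consent decision, so a misconfigured client never reaches the consent screen, and the unregistered-redirect case returns nothing to the client at all, because redirecting an error to an unverified URI would turn the server into an open redirector.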

Related Questions