Failed Logins: Missing required parameter: response_type

Hello,

I am receiving a number of failed logins, intermixed with normal/successful logins. The failed logins come in ‘bursts’ of 6-8 at a time, all within a few seconds of each other, and all with the same description: “Missing required parameter: response_type”.

These failed logins also do not have an assigned Application or Connection - they all say “N/A”, whereas the successful logins all have their correct designations listed.

Here is a support topic with a similar scenario: Missing required parameter: response_type - #11

This feels a bit like a series of bot/spam login attempts, but I am uncertain how to verify this or go about restricting them. Any advice would be appreciated.

Hi @eric12,

I understand you encountered the “Missing required parameter: response_type” error.

I have reproduced this issue by omitting the response_type in the login request. As you have observed, the application and connection are N/A.

In this scenario, you must ensure the login requests include the response_type query parameter.

For example:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope={scope}&
    audience={apiAudience}&
    state={state}

(Reference: Call Your API Using the Authorization Code Flow)

I can guarantee that this is unrelated to bot/spam login attempts because it refers to a missing query parameter. If this were bot/spam activity, you would see scripted login/signup attacks, which you can work around by enabling the features for Attack Protection.

Thanks,
Rueben
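
One way to see where the bursts described in the question come from, as an added example that is not part of the original thread: the script groups failed events carrying this description into bursts and lists the source IPs and user agents per burst, so they can be compared with the application's own clients. The field names (`date`, `description`, `ip`, `user_agent`) and all sample records are constructed assumptions; map them to the columns of your own log export.

```python
from collections import Counter
from datetime import datetime, timedelta

TARGET = "Missing required parameter: response_type"

def _ev(ts, desc, ip, ua):
    # Field names are assumptions; map them to your log export's columns.
    return {"date": ts, "description": desc, "ip": ip, "user_agent": ua}

# Constructed sample events (documentation IP ranges, made-up user agents).
SAMPLE_EVENTS = (
    [_ev(f"2024-01-01T10:00:0{i}+00:00", TARGET, "203.0.113.10", "ExampleClient/1.0")
     for i in range(7)]
    + [_ev("2024-01-01T10:03:00+00:00", "Successful login", "198.51.100.7", "Mozilla/5.0")]
    + [_ev(f"2024-01-01T10:20:0{i}+00:00", TARGET,
           "198.51.100.7" if i % 2 else "203.0.113.10", "Mozilla/5.0")
       for i in range(6)]
    + [_ev("2024-01-01T11:00:00+00:00", TARGET, "192.0.2.44", "ExampleClient/1.0")]
)

def find_bursts(events, gap_seconds=5, min_size=3):
    """Group matching failures that follow each other within gap_seconds."""
    hits = sorted(
        ((datetime.fromisoformat(e["date"]), e) for e in events
         if e.get("description") == TARGET),
        key=lambda pair: pair[0],
    )
    bursts, current = [], []
    for ts, event in hits:
        # A gap longer than gap_seconds closes the current burst.
        if current and ts - current[-1][0] > timedelta(seconds=gap_seconds):
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append((ts, event))
    if len(current) >= min_size:
        bursts.append(current)
    return bursts

def summarize(burst):
    """Report size, start time and the distinct sources seen in one burst."""
    return {
        "start": burst[0][0].isoformat(),
        "count": len(burst),
        "ips": Counter(e["ip"] for _, e in burst),
        "user_agents": Counter(e["user_agent"] for _, e in burst),
    }

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_EVENTS):
        print(summarize(burst))
```

A burst with a single IP and user agent points at one client sending the malformed request repeatedly; the isolated event in the sample is below `min_size` and is not reported.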