diff --git a/pkg/op/token_code.go b/pkg/op/token_code.go
index 6e4b53b..62bad2b 100644
--- a/pkg/op/token_code.go
+++ b/pkg/op/token_code.go
@@ -16,7 +16,7 @@ func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 RequestError(w, r, err)
 }
 if tokenReq.Code == "" {
- RequestError(w, r, oidc.ErrInvalidGrant()) //TODO: ErrInvalidRequest("code missing")?
+ RequestError(w, r, oidc.ErrInvalidRequest().WithDescription("code missing"))
 return
 }
 authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger)
@@ -96,7 +96,7 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 }
 err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage())
 if err != nil {
- return nil, nil, oidc.ErrInvalidClient().WithDescription("invalid client_id / client_secret").WithParent(err)
+ return nil, nil, err
 }
 request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 return request, client, err
diff --git a/pkg/op/token_refresh.go b/pkg/op/token_refresh.go
index 0d489e4..fe7661d 100644
--- a/pkg/op/token_refresh.go
+++ b/pkg/op/token_refresh.go
@@ -54,7 +54,7 @@ func ParseRefreshTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.Ref
 //and returns the data representing the original auth request corresponding to the refresh_token
 func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error) {
 if tokenReq.RefreshToken == "" {
- return nil, nil, oidc.ErrInvalidGrant() //TODO: ErrInvalidRequest("refresh_token missing")?
+ return nil, nil, oidc.ErrInvalidRequest().WithDescription("refresh_token missing")
 }
 request, client, err := AuthorizeRefreshClient(ctx, tokenReq, exchanger)
 if err != nil {
diff --git a/pkg/op/token_request.go b/pkg/op/token_request.go
index 47993d5..e01cd5a 100644
--- a/pkg/op/token_request.go
+++ b/pkg/op/token_request.go
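Review bot: In the CodeExchange hunk the handler keeps running after the `RequestError(w, r, err)` in the context lines at the top — there is no `return`, so when parsing fails an error response is written and execution still reaches the new line's guard, evaluating `tokenReq.Code` on whatever the parse step above the hunk returned together with the error (if that is nil, this is a nil-pointer dereference), and then a second response is written on top of the first. Adding `return` directly after that `RequestError(w, r, err)` call closes the gap. CodeExchange begins and ends outside the hunk, so the parse call itself is not visible here.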
@@ -52,7 +52,7 @@ func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Reque
 }
 }
-//authenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
+//AuthenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
 //it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest
 type AuthenticatedTokenRequest interface {
 SetClientID(string)
@@ -71,35 +71,36 @@ func ParseAuthenticatedTokenRequest(r *http.Request, decoder utils.Decoder, requ
 return oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err)
 }
 clientID, clientSecret, ok := r.BasicAuth()
- if ok {
- clientID, err = url.QueryUnescape(clientID)
- if err != nil {
- return oidc.ErrInvalidRequest().WithDescription("invalid basic auth header").WithParent(err)
- }
- clientSecret, err = url.QueryUnescape(clientSecret)
- if err != nil {
- return oidc.ErrInvalidRequest().WithDescription("invalid basic auth header").WithParent(err)
- }
- request.SetClientID(clientID)
- request.SetClientSecret(clientSecret)
+ if !ok {
+ return nil
 }
+ clientID, err = url.QueryUnescape(clientID)
+ if err != nil {
+ return oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
+ }
+ clientSecret, err = url.QueryUnescape(clientSecret)
+ if err != nil {
+ return oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
+ }
+ request.SetClientID(clientID)
+ request.SetClientSecret(clientSecret)
 return nil
 }
-//AuthorizeRefreshClientByClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
+//AuthorizeClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
 func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error {
 err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
 if err != nil {
- return oidc.ErrInvalidGrant().WithDescription("code_challenge required").WithParent(err)
+ return oidc.ErrInvalidClient().WithDescription("invalid client_id / client_secret").WithParent(err)
 }
 return nil
 }
-//AuthorizeCodeClientByCodeChallenge authorizes a client by validating the code_verifier against the previously sent
+//AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent
 //code_challenge of the auth request (PKCE)
 func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error {
 if tokenReq.CodeVerifier == "" {
- return oidc.ErrInvalidGrant().WithDescription("code_challenge required") //TODO: ErrInvalidRequest("code_challenge required")
+ return oidc.ErrInvalidRequest().WithDescription("code_challenge required")
 }
 if !oidc.VerifyCodeChallenge(challenge, tokenReq.CodeVerifier) {
 return oidc.ErrInvalidGrant().WithDescription("invalid code challenge")
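Review bot: The description on the new `ErrInvalidRequest` in AuthorizeCodeChallenge names the wrong parameter: the guard is `tokenReq.CodeVerifier == ""`, so what the token request lacks is `code_verifier` (the `code_challenge` belongs to the earlier authorization request), and `return oidc.ErrInvalidRequest().WithDescription("code_verifier required")` would match the check. In ParseAuthenticatedTokenRequest, once Basic Auth is present the unescaped header credentials are written over whatever client_id/client_secret the decoded form may already carry (the decode step sits just above the hunk), so a request that presents both authentication methods is accepted silently with the header values; RFC 6749 §2.3 forbids using more than one method per request, and answering that case with `oidc.ErrInvalidRequest()` would be the safer choice. The two `ErrInvalidClient` returns for a malformed header are now client-authentication failures, for which the spec expects a 401 with a `WWW-Authenticate` challenge when the Authorization header was used — whether RequestError produces that is not visible in this hunk.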