Re: [OAUTH-WG] Correct error code for rate limiting?

David Waite <david@alkaline-solutions.com> Fri, 22 February 2019 07:09 UTC

From: David Waite <david@alkaline-solutions.com>
Message-Id: <9D2FC54D-176A-465A-8908-6D680763079C@alkaline-solutions.com>
Date: Fri, 22 Feb 2019 00:09:09 -0700
In-Reply-To: <CAGBSGjrrVbZhcnA8dNMp7xJnceGj8GzFJ-PeqQ6yFrOpgYjG5Q@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
To: Aaron Parecki <aaron@parecki.com>
References: <CAGBSGjrrVbZhcnA8dNMp7xJnceGj8GzFJ-PeqQ6yFrOpgYjG5Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BSqB9Juea1ctfF0_qZKR0ilsuCw>

I don’t believe that any of the currently registered error codes are appropriate for indicating that the password request is invalid, let alone a more specific behavior like rate limiting.

It is also my opinion that 400 Bad Request shouldn’t be used for known transient errors, but rather for malformed requests - the request could very well be correct (and have the correct password), but it is being rejected due to temporal limits placed on the client or network address/domain.

So I would propose different statuses, such as 401 to indicate the username/password were invalid, and either 429 (Too Many Requests) or 403 (Forbidden) when rate limited or denied due to too many attempts. That's not to say that the body of the response can't be an OAuth-format JSON error, possibly with a standardized code - but again I don't think the currently registered codes would be appropriate for conveying that.

That said, I don’t know what interest there would be in standardizing such codes, considering the existing recommendations against using this grant type.

-DW

> On Feb 21, 2019, at 10:57 PM, Aaron Parecki <aaron@parecki.com> wrote:
> 
> The OAuth password grant section mentions taking appropriate measures to rate limit password requests at the token endpoint. However the error responses section (https://tools.ietf.org/html/rfc6749#section-5.2) doesn't mention an error code to use if the request is being rate limited. What's the recommended practice here? Thanks!
> 
> Aaron
> 
> -- 
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk
> 
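The status scheme David proposes, written out as an added example that is not part of this thread or of any OAuth implementation: a minimal password-grant token endpoint that answers 400 with the registered invalid_request / unsupported_grant_type codes for malformed requests (RFC 6749 section 5.2), 401 with the registered invalid_grant code when the resource-owner credentials are wrong, and 429 (RFC 6585) with a Retry-After header once a client address or username has exceeded its attempt budget. The attempt counter runs before the password is ever checked, so a 429 carries the same body whether the password was right or not, which is the point David makes about the request possibly being correct. The "rate_limited" error string is an assumption for the example (no such code is registered), as are the user store, the salt, the limits and the PBKDF2 parameters.

```python
"""Password-grant token endpoint with rate limiting (added example, not from the thread)."""
import hashlib
import hmac
import math
import secrets
import time
from collections import defaultdict, deque


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash). Hypothetical data.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# RFC 6749 section 5.2 error responses carry these headers; Content-Type is JSON.
_BASE_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def record(self, key: str, now: float) -> int:
        """Record one event for `key`; return seconds to wait, 0 if allowed."""
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)  # over-limit attempts are counted too, so hammering extends the wait
        if len(q) <= self.limit:
            return 0
        # The oldest event in the window must age out before another is allowed.
        return max(1, math.ceil(q[0] + self.window - now))


class TokenEndpoint:
    """Returns (status, headers, body) for a resource-owner password grant request."""

    def __init__(self, users=USERS, limit=5, window=60.0):
        self.users = users
        self.by_ip = SlidingWindowLimiter(limit, window)    # per client address
        self.by_user = SlidingWindowLimiter(limit, window)  # per target account

    @staticmethod
    def _error(status, code, description):
        return status, dict(_BASE_HEADERS), {"error": code, "error_description": description}

    def handle(self, form: dict, client_ip: str, now=None):
        now = time.time() if now is None else now
        grant_type = form.get("grant_type")
        if grant_type is None:
            return self._error(400, "invalid_request", "grant_type is required")
        if grant_type != "password":
            return self._error(400, "unsupported_grant_type", "only the password grant is supported here")
        username, password = form.get("username"), form.get("password")
        if not username or not password:
            return self._error(400, "invalid_request", "username and password are required")

        # Count the attempt before touching the credential store: a limited caller
        # gets 429 regardless of the password, so the limit reveals nothing about it.
        wait = max(self.by_ip.record(client_ip, now), self.by_user.record(username.lower(), now))
        if wait:
            status, headers, body = self._error(429, "rate_limited", "too many attempts, retry later")
            headers["Retry-After"] = str(wait)  # RFC 6585 allows Retry-After on 429
            return status, headers, body

        record = self.users.get(username)
        if record is None:
            _hash_password(password, _SALT)  # equalise timing for unknown users
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if not ok:
            # invalid_grant is the registered code for bad resource-owner credentials;
            # the 401 status follows the proposal in the message above.
            return self._error(401, "invalid_grant", "invalid resource owner credentials")

        body = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
        return 200, dict(_BASE_HEADERS), body
```

Two separate limiters are used so that one address cannot spray one password across many accounts, and many addresses cannot converge on one account, without tripping a budget; the Retry-After value tells a well-behaved client when the oldest counted attempt will leave the window.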