Re: [OAUTH-WG] token endpoint: 400 or 401?

Vladimir Dzhuvinov <vladimir@connect2id.com> Fri, 30 October 2015 09:16 UTC

To: oauth@ietf.org
References: <CABPN19-CX9AGrLOTWZrkcuP9xMj7wnuEZbs38OqLSFjnpv+Qfg@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <56333580.30809@connect2id.com>
Date: Fri, 30 Oct 2015 11:16:48 +0200
In-Reply-To: <CABPN19-CX9AGrLOTWZrkcuP9xMj7wnuEZbs38OqLSFjnpv+Qfg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/DDF3PRmITvY9HqqTVEJVSN46HHM>

Hi Ofer,

If the client has authenticated RFC 2617 style then the 401 status code
is mandatory. So there's no conflict with the RFC 2617 spec.

http://tools.ietf.org/html/rfc6749#section-5.2

invalid_client
               Client authentication failed (e.g., unknown client, no
               client authentication included, or unsupported
               authentication method).  The authorization server MAY
               return an HTTP 401 (Unauthorized) status code to indicate
               which HTTP authentication schemes are supported.  If the
               client attempted to authenticate via the "Authorization"
               request header field, the authorization server MUST
               respond with an HTTP 401 (Unauthorized) status code and
               include the "WWW-Authenticate" response header field
               matching the authentication scheme used by the client.
On 24.10.2015 05:23, Ofer Nave wrote:
> I'm using the auth code flow, and supporting basic auth for client auth on
> the token endpoint.
>
> In the OAuth spec it says to respond with 400 and a json body with error:
> invalid_client if client auth fails.  However, doesn't RFC 2617 say to
> respond with 401 and a WWW-Authenticate header?  Does the OAuth spec
> supersede 2617 in this case?
>
> -ofer
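The rule Vladimir quotes from RFC 6749 section 5.2, as an added Python example (not code from this thread or from any particular authorization server): a token endpoint deciding between 400 and 401 when client authentication fails, depending on whether the client used the Authorization header. The client registry and the realm name are constructed for the example.

```python
import base64
import hmac
import json

# Constructed client registry for this example (not real credentials).
CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}

def basic_header(client_id, secret):
    """Build the HTTP Basic Authorization header a client would send."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def parse_basic(header):
    """Return (client_id, secret) from a Basic Authorization header, else None."""
    scheme, _, value = (header or "").partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None

def credentials_valid(client_id, secret):
    """Constant-time check against the registry; an unknown client_id fails."""
    expected = CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(expected.encode(), secret.encode())

def token_auth_failure_response(headers, form):
    """Return (status, headers, body) for a failed client authentication,
    or None if the client authenticated. Per RFC 6749 section 5.2, a client
    that used the Authorization header MUST get 401 + WWW-Authenticate for
    its scheme; any other failure gets 400 invalid_client (401 is only a MAY)."""
    auth_header = headers.get("Authorization")
    if auth_header is not None:
        creds = parse_basic(auth_header)  # None for malformed or non-Basic schemes
        if creds and credentials_valid(*creds):
            return None
        status, extra = 401, {"WWW-Authenticate": 'Basic realm="token"'}  # realm assumed
    else:  # credentials in the form body, or no credentials at all
        creds = (form.get("client_id"), form.get("client_secret"))
        if all(creds) and credentials_valid(*creds):
            return None
        status, extra = 400, {}
    body = json.dumps({"error": "invalid_client"})
    return status, {"Content-Type": "application/json", "Cache-Control": "no-store", **extra}, body
```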