Re: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

Hi,

an invalid token should cause the server to reply with status code 401.

regards,
Torsten.

Bart Wiegmans <bart@all4students.nl> schrieb:

Hi,

As far as I know, the implementation of API endpoints is outside of the specification of OAuth. 
But the specification of Bearer Tokens state that the endpoint must return the HTTP 403 (Access Denied) status code, along with a WWW-Authenticate: Bearer response header. That should be enough to determine token invalidity. 

With kind regards,
Bart Wiegmans

-----Oorspronkelijk bericht-----
Van: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] Namens Andreas Åkre Solberg
Verzonden: maandag 9 januari 2012 9:41
Aan: oauth@ietf.org
Onderwerp: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

Hi,

I'm trying to do an OAuth 2.0 library, and got a question:

I cannot find a standardized way for an OAuth protected endpoint to report to the client that the Token is not valid (expired or revoked). As a library developer, I'd like to take away as much of possible of the OAuth logic from the application. I need a way to distinguish applicaiton specific protocol errors, from OAuth related errors on protected endpoints.

If the library could detect this, it could also in example do refresh the token automatically, and even start a new flow if neccessary.

I'm sorry if the answer is obvious. 

Another question on token validity; the optional expires_in parameter. If I would like to indicate permanent validity, how can I express that? I assume that if I leave the parameter out it is not possible to distinguish between 'undefined / not specified' and 'infitite'. Putting the semanthics into a specific scope could off course work, but lack the feature of beeing standardized between providers.

Andreas
_____________________________________________

OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth