Re: [OAUTH-WG] Comments on -18

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 25 July 2011 17:22 UTC

Message-ID: <4E2DA65D.4070602@lodderstedt.net>
Date: Mon, 25 Jul 2011 13:22:37 -0400
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <4E274D61.4020804@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72345021F378BE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E2D7C84.9080601@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E723450245F5755@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723450245F5755@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Comments on -18

ok

Am 25.07.2011 11:53, schrieb Eran Hammer-Lahav:
>
>> -----Original Message-----
>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> Sent: Monday, July 25, 2011 7:24 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Comments on -18
>>
>> Hi Eran,
>>>> section 5.2
>>>>
>>>> "The authorization server MAY return an HTTP 401
>>>>                   (Unauthorized) status code to indicate which HTTP
>>>>                   authentication schemes are supported."
>>>>
>>>> Given the usage of HTTP authentication schemes is the way to
>>>> authenticate clients recommended by the spec, status code 401 should
>>>> be the default status code for this kind of error. Usage of status
>>>> code 400 should be the exception.
>>>>
>>>> "unauthorized_client"
>>>>
>>>> So above - status code 403 seems to be a more appropriate default.
>>> I think this is fine unchanged.
>> Can you please give a rationale?
> The current text keeps things simple by using a single error code 400, but allowing/requiring the use of 401 when client authentication fails. Whether this is the ideal use of HTTP status codes is open for debate, but even the HTTP experts informed us that we can use 400 for cases that might be more accurately described by a 403.
>
> So I would rather not change this at this point.
>
> EHL
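The status-code scheme Eran describes (a single 400 for token endpoint errors, 401 with a challenge only when client authentication via an HTTP scheme fails, 400 rather than 403 for unauthorized_client), as an added illustration that is not code from the thread, the draft or any implementation discussed here. It assumes HTTP Basic as the client authentication scheme, a constructed client registry, the realm name, and the error code names other than unauthorized_client.

```python
import base64
import hmac
import json

# Constructed client registry for this example (not from the thread).
CLIENTS = {
    "client-a": {"secret": "constructed-secret", "grant_types": {"authorization_code"}},
}
REALM = "example"  # assumed realm name for the WWW-Authenticate challenge


def error_response(error, status=400, www_authenticate=None):
    """Section 5.2 style error: JSON body, status 400 unless told otherwise."""
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if www_authenticate:
        headers["WWW-Authenticate"] = www_authenticate
    return status, headers, json.dumps({"error": error})


def authenticate_client(headers):
    """Return the client id if HTTP Basic credentials are valid, else None."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        cid, _, secret = base64.b64decode(param.strip(), validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    client = CLIENTS.get(cid)
    # Constant-time comparison so the check leaks nothing about the stored secret.
    if client is None or not hmac.compare_digest(client["secret"].encode(), secret.encode()):
        return None
    return cid


def token_endpoint(headers, form):
    """Token endpoint returning (status, headers, body) per the draft's error rules."""
    if "grant_type" not in form:
        return error_response("invalid_request")            # malformed request: plain 400
    client_id = authenticate_client(headers)
    if client_id is None:
        # Client authentication through an HTTP scheme failed: 401 plus a challenge
        # that tells the client which schemes the server supports.
        return error_response("invalid_client", 401, 'Basic realm="%s"' % REALM)
    if form["grant_type"] not in CLIENTS[client_id]["grant_types"]:
        # Authenticated but not permitted this grant type: the draft keeps this at
        # 400 instead of 403, which is the point debated above.
        return error_response("unauthorized_client")
    return 200, {"Content-Type": "application/json"}, json.dumps({"access_token": "constructed-token"})


def basic_header(cid, secret):
    """Helper to build an Authorization header for the client credentials."""
    return {"Authorization": "Basic " + base64.b64encode(("%s:%s" % (cid, secret)).encode()).decode()}
```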