[OAUTH-WG] OAuth 2.1: Missing token?

Johannes Koch <johannes.koch@avenga.com> Fri, 04 February 2022 09:16 UTC

From: Johannes Koch <johannes.koch@avenga.com>
Date: Fri, 04 Feb 2022 10:15:48 +0100
Message-ID: <CAGRquTpc0Un5igAdx_ftcMQvpGCEwxBNOjNL+dyk3D0EK9T3Jg@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_I6NaR2T3od3AO6ApefRxkKbuVE>

Hi there,

a question about
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04

5.2.3.  Error Codes

   "invalid_request":  The request is missing a required parameter,
      includes an unsupported parameter or parameter value, repeats the
      same parameter, uses more than one method for including an access
      token, or is otherwise malformed.  The resource server SHOULD
      respond with the HTTP 400 (Bad Request) status code.

   "invalid_token":  The access token provided is expired, revoked,
      malformed, or invalid for other reasons.  The resource SHOULD
      respond with the HTTP 401 (Unauthorized) status code.  The client
      MAY request a new access token and retry the protected resource
      request.

Now, what is the intended error code for the situation where no access
token is provided? The description for invalid_token seems to imply that
one token was provided.
As the token may be seen as a required parameter, invalid_request may be
appropriate. However, a missing token smells more like HTTP 401
(Unauthorized).

Should this be an additional error code (missing_token)? Or should this
case be added to invalid_token?

-- 
Johannes Koch
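As an added illustration (not part of the message above or of the draft), the following Python check shows how a resource server would apply the two quoted error codes, and for the missing-token case the message asks about it follows RFC 6750 section 3.1, which returns a bare 401 with no error code when a request carries no Bearer credentials. The token store, realm and `authorize` function are constructed for this example.

```python
import re
import time

# Constructed token store standing in for the resource server's view of issued
# tokens (token -> expiry as Unix time); not from the original message.
TOKEN_STORE = {
    "tok-valid": 4102444800.0,   # expires 2100-01-01
    "tok-expired": 946684800.0,  # expired 2000-01-01
}
# b64token syntax from RFC 6750 section 2.1.
B64TOKEN = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")
REALM = 'Bearer realm="example"'


def authorize(headers, query=None, form=None, now=None):
    """Return (status, WWW-Authenticate value) for a protected-resource request.

    headers, query and form are plain dicts; query and form model the two
    access_token parameter delivery methods the quoted error text refers to.
    """
    query, form = query or {}, form or {}
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    scheme, _, header_token = (auth or "").partition(" ")

    methods = []
    if auth is not None and scheme.lower() == "bearer":
        methods.append(header_token)
    if "access_token" in query:
        methods.append(query["access_token"])
    if "access_token" in form:
        methods.append(form["access_token"])

    if not methods:
        # No Bearer credentials (or only an unsupported scheme): 401 without
        # an error code, following RFC 6750 section 3.1 (assumed here).
        return 401, REALM
    if len(methods) > 1:
        # More than one delivery method is explicitly invalid_request.
        return 400, f'{REALM}, error="invalid_request"'
    token = methods[0]
    if not B64TOKEN.match(token):
        # Present but syntactically malformed: invalid_request per the text.
        return 400, f'{REALM}, error="invalid_request"'
    expiry = TOKEN_STORE.get(token)
    if expiry is None or expiry <= now:
        # A token was provided but is unknown or expired: invalid_token.
        return 401, f'{REALM}, error="invalid_token"'
    return 200, None
```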