Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

[Eran Hammer-Lahav <eran@hueniverse.com>]

Yep. Invalid grant is the right error code.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Brian Campbell
> Sent: Tuesday, June 28, 2011 9:05 AM
> To: George Fletcher
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Resource Owner Password Credentials
> question/feedback
> 
> invalid_grant seems like the appropriate error as the username and
> password are the grant in the context of the Resource Owner Password
> Credentials flow/grant type.
> 
> On Tue, Jun 28, 2011 at 9:47 AM, George Fletcher <gffletch@aol.com> wrote:
> >
> > I'm working on spec'ing out a use of the Resource Owner Password
> Credentials flow and in trying to map out possible error cases, realized that
> there is no good error for the case that the resource owner's password
> credentials are invalid. Section 4.3 of draft 16 references section 5.2 for
> errors. The list of available errors in section 5.2 are...
> >
> >    error
> >          REQUIRED.  A single error code from the following:
> >          invalid_request
> >                The request is missing a required parameter, includes an
> >                unsupported parameter or parameter value, repeats a
> >                parameter, includes multiple credentials, utilizes more
> >                than one mechanism for authenticating the client, or is
> >                otherwise malformed.
> >          invalid_client
> >                Client authentication failed (e.g. unknown client, no
> >                client credentials included, multiple client credentials
> >                included, or unsupported credentials type).  The
> >                authorization server MAY return an HTTP 401
> >                (Unauthorized) status code to indicate which HTTP
> >                authentication schemes are supported.  If the client
> >                attempted to authenticate via the "Authorization" request
> >                header field, the authorization server MUST respond with
> >                an HTTP 401 (Unauthorized) status code, and include the
> >                "WWW-Authenticate" response header field matching the
> >                authentication scheme used by the client.
> >          invalid_grant
> >                The provided authorization grant is invalid, expired,
> >                revoked, does not match the redirection URI used in the
> >                authorization request, or was issued to another client.
> >          unauthorized_client
> >                The authenticated client is not authorized to use this
> >                authorization grant type.
> >          unsupported_grant_type
> >                The authorization grant type is not supported by the
> >                authorization server.
> >          invalid_scope
> >                The requested scope is invalid, unknown, malformed, or
> >                exceeds the scope granted by the resource owner.
> >
> > I'm wondering if others have chosen one of these values to represent the
> "invalid_credentials" use case.
> >
> > Thanks,
> > George
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth