[OAUTH-WG] Section 4.3. Resource Owner Password Credentials: Invalid Credentials Error Handling

Colm Divilly <colm.divilly@oracle.com> Tue, 13 September 2011 16:05 UTC

Message-ID: <4E6F7FC3.1020600@oracle.com>
Date: Tue, 13 Sep 2011 09:07:31 -0700
From: Colm Divilly <colm.divilly@oracle.com>
To: oauth@ietf.org
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

Apologies if this has been covered before; a cursory search of the 
archives and issue tracker didn't turn up anything.

What is the expected error response when performing a Resource Owner 
Password Credentials flow, if the resource owner provides incorrect 
credentials?

From reading the spec it looks like the expectation is that a response 
like the following should be generated:

      HTTP/1.1 400 Bad Request
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "error":"invalid_request"
      }

This is not terribly helpful for a user agent trying to determine that 
it is the user-supplied credentials that are at fault (and therefore 
being able to re-prompt the user for credentials). Perhaps something 
like the following would be more useful:

      HTTP/1.1 400 Bad Request
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "error":"invalid_resource_owner_credentials"
      }

A bit verbose perhaps; any alternative suggestions?

Regards,
Colm Divilly
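The following is an added example, not code from the message above or from any IETF draft: a minimal token-endpoint handler for the password grant together with the client-side decision the message asks about (should the user agent re-prompt for credentials?). It encodes the distinction the message is after by returning a dedicated error code for rejected resource owner credentials; the published RFC 6749 (Section 5.2) settled on `invalid_grant` for that case, so that is the code used here, while a malformed request still gets `invalid_request`. The user store, salt, credentials and the PBKDF2 parameters are constructed for the example; `verify_resource_owner` hashes a dummy value for unknown usernames so that a wrong username and a wrong password cost the same, and the error description never says which of the two was wrong.

```python
import hashlib
import hmac
import json
import secrets

# Constructed, in-memory user store for the example (assumption: a real
# authorization server backs this with a database and a per-user random salt).
_PBKDF2_ITERATIONS = 100_000
_SALT = b"constructed-static-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}
# Dummy hash so an unknown username takes as long to check as a wrong password
# (keeps response timing from revealing which usernames exist).
_DUMMY_HASH = _hash_password("dummy-password", _SALT)


def verify_resource_owner(username: str, password: str) -> bool:
    """Constant-time check of the resource owner's credentials."""
    salt, expected = USERS.get(username, (_SALT, _DUMMY_HASH))
    actual = _hash_password(password, salt)
    return hmac.compare_digest(actual, expected) and username in USERS


def _json_headers() -> dict:
    # Token responses carry credentials, so they must not be cached (RFC 6749 5.1/5.2).
    return {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }


def _error_response(code: str, description: str):
    return 400, _json_headers(), {"error": code, "error_description": description}


def handle_token_request(form: dict):
    """Token endpoint for grant_type=password (RFC 6749 Section 4.3).
    Returns (status, headers, body) so a web framework can serialize it."""
    if form.get("grant_type") != "password":
        return _error_response("unsupported_grant_type", "only grant_type=password is supported here")
    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        # Malformed request: a required parameter is missing.
        return _error_response("invalid_request", "username and password are required")
    if not verify_resource_owner(username, password):
        # RFC 6749 Section 5.2: invalid_grant covers invalid resource owner credentials.
        # The description deliberately does not say whether the username or the password was wrong.
        return _error_response("invalid_grant", "resource owner credentials are invalid")
    body = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    return 200, _json_headers(), body


def should_reprompt_user(status: int, body: dict) -> bool:
    """Client-side rule: ask the user for credentials again only when the
    server says the credentials themselves were rejected, not when the
    request was malformed or the grant type is unsupported."""
    return status == 400 and body.get("error") == "invalid_grant"


def render_http_response(status: int, headers: dict, body: dict) -> str:
    """Render the tuple in the wire form shown in the message above."""
    reason = {200: "OK", 400: "Bad Request"}[status]
    lines = [f"HTTP/1.1 {status} {reason}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\n".join(lines) + "\n\n" + json.dumps(body, indent=2)


if __name__ == "__main__":
    print(render_http_response(*handle_token_request(
        {"grant_type": "password", "username": "alice", "password": "wrong"})))
```

A wrong password and an unknown username both produce the same `invalid_grant` body, which is what lets the user agent re-prompt without the server disclosing which half of the credential pair failed.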