The OAuth 2.0 draft uses HTTP status code 400 for access token requests that are denied.
Here is the definition of 400:

"The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications."

Status 400 should be used for malformed requests, not those that are understood and rejected. 401 seems to be a better fit.

-- Robert Sayre
"I would have written a shorter letter, but I did not have the time."

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
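As an added illustration of the distinction the post argues for (this is not code from the post or from any OAuth draft), the following minimal token-endpoint handler answers 400 only when it cannot understand the request and 401 when it understood the request but rejected the client's credentials. The client registry, the `client_credentials` grant and the error strings are assumptions chosen for the example.

```python
import hmac
from typing import Dict, Tuple

# Constructed sample client registry: client_id -> client_secret (assumption)
CLIENTS = {"app-123": "s3cret"}

REQUIRED = ("grant_type", "client_id", "client_secret")


def handle_token_request(params: Dict[str, str]) -> Tuple[int, dict]:
    """Return (HTTP status, JSON body) for an access token request.

    400: the request is syntactically incomplete or names a grant type the
         server does not know; the client must change the request.
    401: the request is well-formed, but the client failed to authenticate.
    200: success (the token value here is a placeholder).
    """
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        # Malformed: the server cannot act on it at all.
        return 400, {"error": "invalid_request",
                     "error_description": "missing " + ", ".join(missing)}
    if params["grant_type"] != "client_credentials":
        # Understood as a token request, but the grant type is not supported.
        return 400, {"error": "unsupported_grant_type"}

    expected = CLIENTS.get(params["client_id"])
    # Constant-time comparison so a rejection does not leak secret bytes.
    if expected is None or not hmac.compare_digest(
        expected.encode(), params["client_secret"].encode()
    ):
        # Understood and rejected: an authentication failure, not bad syntax.
        return 401, {"error": "invalid_client"}

    return 200, {"access_token": "PLACEHOLDER_TOKEN", "token_type": "bearer"}
```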