+1 for language in the spec describing how to handle this case

On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay <progr...@twilio.com> wrote:
>> Hopefully you also invalidate the token (if bearer) since it was sent over
>> an insecure channel.
>
> Excuse my naivety, but perhaps that's worth putting in the spec?
>
>>
>> EHL
>>
>> > -----Original Message-----
>> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> > Of Breno
>> > Sent: Wednesday, October 13, 2010 11:31 AM
>> > To: oauth@ietf.org
>> > Subject: [OAUTH-WG] Request sent to http: instead of https:
>> >
>> > Suppose server A documents that their endpoint X is at
>> > https://server.example.com/x; there's no service at the corresponding
>> > http
>> > location for security reasons.
>> >
>> > Client developer fatfingers URL as http://server.example.com/x
>> >
>> > What is the correct response? I understand that this is out of scope for
>> > the
>> > spec, but maybe there's agreement on some guidance?
>> >
>> > One thing one shouldn't do is serve a 302 here; it would allow defective
>> > clients to remain unpatched.
>> >
>> > My preference is to simply return a bare 403 or 404 here -- after all
>> > the
>> > endpoint does not exist (404) or if one uses the convention that
>> > resources at
>> > http/https are usually identical, then http is a non-authorized method
>> > to
>> > access the resource (403).
>> >
>> > Thoughts?
>> >
>> > --
>> > Breno de Medeiros
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth



-- 
Breno de Medeiros
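The server-side behaviour the thread converges on (no 302 from the http: location, a bare 403 or 404 instead, and revocation of any bearer token that arrived in the clear) as an added example that is not part of the original discussion or any IETF document. It is a small WSGI application; the revocation store is an in-memory stand-in, and the `policy` parameter, the `Response` type and the scheme check via `wsgi.url_scheme` are this example's own assumptions (a deployment behind a TLS-terminating proxy would have to derive the scheme from whatever that proxy sets).

```python
"""Handling a request that reaches the http: location of an https:-only endpoint.

Added example, not code from the OAuth WG thread. Assumptions: a WSGI host,
an in-memory set standing in for the token revocation store, and a 'policy'
switch between the 404 ("no such endpoint here") and 403 ("http is not an
authorized way to reach this resource") answers discussed in the thread.
"""
from dataclasses import dataclass, field
from http import HTTPStatus

# Stand-in for the authorization server's revocation store (constructed here).
REVOKED_TOKENS = set()


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def revoke_bearer_token(headers):
    """Pull a bearer token out of the Authorization header and revoke it.

    A token that has been sent over plaintext must be treated as disclosed,
    so the server records it as revoked before answering. Returns the token
    that was revoked, or None if the request carried no bearer token.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() == "bearer" and token:
        REVOKED_TOKENS.add(token)
        return token
    return None


def is_token_valid(token):
    """What the resource server would consult before honouring a token."""
    return token not in REVOKED_TOKENS


def handle_plaintext_request(path, headers, policy="404"):
    """Answer a request that arrived on the http: listener.

    policy="404": the endpoint does not exist at this scheme.
    policy="403": the resource exists but http is not an authorized method.
    Either way the answer carries no Location header: a 302 to the https:
    URL would let a client that fat-fingered the scheme keep working unfixed.
    """
    revoke_bearer_token(headers)
    status = 403 if policy == "403" else 404
    return Response(status=status, headers={"Cache-Control": "no-store"})


def _request_headers(environ):
    """Rebuild HTTP header names from the WSGI environ (HTTP_X_Y -> X-Y)."""
    return {k[5:].replace("_", "-").title(): v
            for k, v in environ.items() if k.startswith("HTTP_")}


def app(environ, start_response):
    """WSGI entry point: https: requests are served, http: ones are refused."""
    if environ.get("wsgi.url_scheme", "http") != "https":
        resp = handle_plaintext_request(environ.get("PATH_INFO", "/"),
                                        _request_headers(environ))
    else:
        resp = Response(status=200, body=b"ok")  # real endpoint logic goes here
    start_response(f"{resp.status} {HTTPStatus(resp.status).phrase}",
                   list(resp.headers.items()))
    return [resp.body]


if __name__ == "__main__":
    # Constructed sample: a client mistakenly talking to http://server.example.com/x
    r = handle_plaintext_request("/x", {"Authorization": "Bearer abc123"})
    print(r.status, "Location" in r.headers, is_token_valid("abc123"))
```

The choice between 403 and 404 is left to `policy` because the thread treats both as acceptable; what the example insists on is the absence of a `Location` header and the revocation happening before the response is written, so that the leaked token is useless even if the client retries correctly over https:.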
