When accessing a protected resource with what a client believes to be a valid token, what errors are possible/valid? Is this specifically out of scope? Section 7 doesn't seem to cover possible error conditions. E.g., the one that hit me just now is: how is an expired token indicated, if at all (vs. invalid authorization)?
Obviously, in some cases, most sites won't give details. But still, I found the issue of an expired token causing someone to try a refresh (section 6) to be a little unclear in draft 13. Also, would/should more specific errors be defined in the various Bearer, MAC, etc. specifications?

Phil
phil.h...@oracle.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth