Hi Eran,
section 5.2
"The authorization server MAY return an HTTP 401
(Unauthorized) status code to indicate which HTTP
authentication schemes are supported."
Given that the use of HTTP authentication schemes is the way to authenticate
clients recommended by the spec, status code 401 should be the default
status code for this kind of error. Use of status code 400 should be the
exception.
"unauthorized_client"
So above - status code 403 seems to be a more appropriate default.
I think this is fine unchanged.
Can you please give a rationale?
...
section 10.6
Please replace the first sentence with the following text:
"Such an attack leverages the authorization code ..."
That reads funny. How about 'An attacker can leverage...'
No one said we have to write boring text :-) Your proposal is fine.
regards,
Torsten.
EHL
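As an added illustration of the section 5.2 behaviour discussed above (this is example code, not text from the thread or from the OAuth draft), the helper below builds a token-endpoint error response: when the client attempted HTTP authentication (an Authorization header is present) and the error is `invalid_client`, it answers 401 and lists the supported schemes in WWW-Authenticate; every other case falls back to 400. The supported-scheme list, the realm name and the `invalid_client` condition are assumptions for the example; the 403 suggestion for `unauthorized_client` from the thread is deliberately not modelled.

```python
import json

# Assumption for this example: the server accepts only HTTP Basic for
# client authentication at the token endpoint.
SUPPORTED_SCHEMES = ("Basic",)


def token_error_response(error, request_headers, realm="token"):
    """Return (status, headers, body) for a token-endpoint error.

    Mirrors the draft text quoted in the thread: a 401 is used to tell the
    client which HTTP authentication schemes are supported; otherwise 400.
    """
    body = json.dumps({"error": error})
    headers = {
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    # Case-insensitive lookup of the Authorization header.
    auth = next((v for k, v in request_headers.items()
                 if k.lower() == "authorization"), None)
    if error == "invalid_client" and auth:
        # The client tried an HTTP auth scheme: 401 plus WWW-Authenticate
        # advertising the schemes we accept (assumed realm name).
        headers["WWW-Authenticate"] = ", ".join(
            f'{scheme} realm="{realm}"' for scheme in SUPPORTED_SCHEMES)
        return 401, headers, body
    # No HTTP auth attempted, or a different error: 400 is the exception
    # path described in the thread.
    return 400, headers, body


if __name__ == "__main__":
    # Constructed sample request headers for a failed Basic auth attempt.
    print(token_error_response("invalid_client",
                               {"Authorization": "Basic Y2xpZW50OnNlY3JldA=="}))
    print(token_error_response("invalid_request", {}))
```

The scheme list is joined into a single WWW-Authenticate value so a client sees every option the server accepts; a server that also supports another scheme only needs to extend `SUPPORTED_SCHEMES`.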
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth