ok

On 25.07.2011 11:53, Eran Hammer-Lahav wrote:

-----Original Message-----
From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Monday, July 25, 2011 7:24 AM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Comments on -18

Hi Eran,
section 5.2

"The authorization server MAY return an HTTP 401
                  (Unauthorized) status code to indicate which HTTP
                  authentication schemes are supported."

Given that the usage of HTTP authentication schemes is the way to
authenticate clients recommended by the spec, status code 401 should
be the default status code for this kind of error. Usage of status
code 400 should be the exception.

"unauthorized_client"

So above - status code 403 seems to be a more appropriate default.
I think this is fine unchanged.
Can you please give a rationale?
The current text keeps things simple by using a single error code 400, but 
allowing/requiring the use of 401 when client authentication fails. Whether 
this is the ideal use of HTTP status codes is open for debate, but even the 
HTTP experts informed us that we can use 400 for cases that might be more 
accurately described by a 403.

So I would rather not change this at this point.

EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
