Apologies if this has been covered before, a cursory search of the
archives and issue tracker didn't turn up anything.
What is the expected error response when performing a Resource Owner
Password Credentials flow, if the resource owner provides incorrect
credentials?
From reading the spec it looks like the expectation is that a response
like the following should be generated:
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "error":"invalid_request"
}
Which is not terribly helpful for a user-agent trying to determine that
it is the user supplied credentials at fault (and therefore be able to
re-prompt the user for credentials). Perhaps something like the
following would be more useful:
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "error":"invalid_resource_owner_credentials"
}
A bit verbose perhaps, any alternative suggestions?
Regards,
Colm Divilly
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
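The exchange discussed in the post above, worked through as an added example (editor's code, not Colm Divilly's and not from any OAuth implementation): a minimal token endpoint for the Resource Owner Password Credentials grant that emits the error response with the headers shown in the post, and a client-side check that uses the `error` member to decide whether to re-prompt the user. The `invalid_resource_owner_credentials` code is the post's proposal; the `invalid_request` and `unsupported_grant_type` codes and the `error_description` member come from the OAuth 2.0 specification (the published RFC 6749, section 5.2, assigns bad resource owner credentials to `invalid_grant`, so swap the constant below if you target that text). The user store, salt, user name and token value are constructed for the example, and the constant-time comparison with a dummy verifier is the editor's choice so that timing does not reveal which user names exist.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Constructed sample user store for the example: a salted SHA-256 verifier for one
# hypothetical user. A real server would use a password hash such as bcrypt,
# scrypt or argon2 and its own store.
_SALT = b"example-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Error code proposed in the post for wrong resource owner credentials.
# RFC 6749 section 5.2 uses "invalid_grant" for this case; change here if needed.
BAD_CREDENTIALS_ERROR = "invalid_resource_owner_credentials"

_ERROR_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",  # never cache token responses, success or error
    "Pragma": "no-cache",
}


def _credentials_valid(username, password):
    """Check a (username, password) pair against the store in constant time."""
    expected = _USERS.get(username)
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    # Compare against a dummy digest when the user is unknown so the work done,
    # and therefore the timing, is the same for known and unknown user names.
    dummy = "0" * len(candidate)
    same = hmac.compare_digest(candidate, expected if expected is not None else dummy)
    return same and expected is not None


def error_response(error, description=None):
    """Build the 400 error response shape from the post: status, headers, JSON body."""
    body = {"error": error}
    if description:
        body["error_description"] = description
    return 400, dict(_ERROR_HEADERS), json.dumps(body)


def token_endpoint(form_body):
    """Handle an application/x-www-form-urlencoded token request (ROPC grant only)."""
    params = parse_qs(form_body)
    grant_type = params.get("grant_type", [None])[0]
    if grant_type != "password":
        return error_response("unsupported_grant_type")
    username = params.get("username", [None])[0]
    password = params.get("password", [None])[0]
    if username is None or password is None:
        # Malformed request: a parameter is missing, not a bad password.
        return error_response("invalid_request", "username and password are required")
    if not _credentials_valid(username, password):
        # Deliberately the same code whether the user or the password was wrong.
        return error_response(BAD_CREDENTIALS_ERROR)
    # Constructed placeholder token; a real server issues a proper token here.
    return 200, dict(_ERROR_HEADERS), json.dumps(
        {"access_token": "example-token", "token_type": "bearer"}
    )


def parse_error(body):
    """Return the error code from a JSON error body, or None if there is none."""
    return json.loads(body).get("error")


def should_reprompt(status, body):
    """Client side: does this response mean the user typed wrong credentials?

    Only the dedicated error code triggers a re-prompt; a generic
    invalid_request means the client built a bad request and re-asking the
    user would not help.
    """
    return status == 400 and parse_error(body) == BAD_CREDENTIALS_ERROR


if __name__ == "__main__":
    for req in (
        "grant_type=password&username=alice&password=correct+horse",
        "grant_type=password&username=alice&password=wrong",
        "grant_type=password&username=alice",
    ):
        status, headers, body = token_endpoint(req)
        print(status, body, "reprompt" if should_reprompt(status, body) else "no reprompt")
```

The client check is the point of the post: with a dedicated error code the user-agent can distinguish "ask the user again" from "the request itself was malformed", which a bare `invalid_request` does not allow.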