Hi Sergey,
On 14.02.2013 11:32, Sergey Beryozkin wrote:
> - an attempt to revoke an invalid token is now handled like a successful
> revocation request (status code 200)
>
> Does it create some precedent, meaning that while people suggest using
> 4xx statuses to indicate different sorts of failures, in this case 200
> is returned, to eliminate a potential security attack. I mean, should
> it become the recommended practice?
> For example, in the discussion about DELETE, should it be 204 that is
> returned all the time?
> Sergey
Good point. In this particular case, we decided to go with 200 merely
because the "error" indicates a state the client wanted to achieve
anyway for the particular token. I don't know whether this can be
generalized.
regards,
Torsten.