Thanks for your clarification. After reading the editor's note in draft06, I felt 401 is more natural than 403. (assuming you don't want to use 404 for security reason)
The editor's note is enough detail for the reason of using 401. Using 403, it's like "the token is valid, but the ghost client has no permission"..? On 2013/04/02, at 2:04, Justin Richer <jric...@mitre.org> wrote: > If the access token isn't valid, then the intent is that the server return > whatever is a valid response from OAuth, which as I recall is practically any > 400 class error. This behavior for DynReg is outlined in section 5.2 of draft > -09. > > In your case, since you're actually failing on the bad token, you're fine > with returning a 401. In other words, by my intent of the text and my > understanding of your implementation, you're actually compliant. The problem > is that the text made you think otherwise. :) > > Can you suggest how to make this clearer for developers in the text? > > -- Justin > > > On 03/29/2013 11:57 PM, nov matake wrote: >> oops sorry, not draft07, but draft06. >> >> On 2013/03/30, at 12:55, nov matake <mat...@gmail.com> wrote: >> >>> Hi Justin, >>> >>> I read the latest draft and found endpoints described in the spec returns >>> 403 in "no such clients" case. >>> I also read the draft07's editor note below, so I can understand the >>> situation. >>> >>> [[ Editor's note: If the client doesn't exist, >>> then the Refresh Access Token shouldn't be valid, making this kind of >>> error a 403 at the auth layer instead. How best to call this >>> inconsistency out? ]] >>> >>> However, in my current implementation, the server returns 401 if an access >>> token is given but there are no valid access token in its DB. >>> In my case, validation for the given access token is done in middleware >>> layer, so I don't want to change the error code per endpoint. >>> In such case, client registration/read/update/delete endpoints can return >>> 401 error? >>> >>> Thanks >>> >>> -- >>> nov >>> >>> On 2013/03/30, at 5:53, Justin Richer <jric...@mitre.org> wrote: >>> >>>> New dynamic registration draft is published. Biggest changes here are the >>>> internationalization/localization capabilities that are now applicable to >>>> human-readable client metadata fields. >>>> >>>> -- Justin >>>> >>>> On 03/29/2013 04:38 PM, internet-dra...@ietf.org wrote: >>>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>>> directories. >>>>> This draft is a work item of the Web Authorization Protocol Working Group >>>>> of the IETF. >>>>> >>>>> Title : OAuth 2.0 Dynamic Client Registration Protocol >>>>> Author(s) : Justin Richer >>>>> John Bradley >>>>> Michael B. Jones >>>>> Maciej Machulak >>>>> Filename : draft-ietf-oauth-dyn-reg-09.txt >>>>> Pages : 23 >>>>> Date : 2013-03-29 >>>>> >>>>> Abstract: >>>>> This specification defines an endpoint and protocol for dynamic >>>>> registration of OAuth 2.0 Clients at an Authorization Server and >>>>> methods for the dynamically registered client to manage its >>>>> registration. >>>>> >>>>> >>>>> The IETF datatracker status page for this draft is: >>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg >>>>> >>>>> There's also a htmlized version available at: >>>>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-09 >>>>> >>>>> A diff from the previous version is available at: >>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dyn-reg-09 >>>>> >>>>> >>>>> Internet-Drafts are also available by anonymous FTP at: >>>>> ftp://ftp.ietf.org/internet-drafts/ >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
