I'm using the auth code flow, and supporting basic auth for client auth on the token endpoint.
In the OAuth spec it says to respond with 400 and a JSON body with error: invalid_client if client auth fails. However, doesn't RFC 2617 say to respond with 401 and a WWW-Authenticate header? Does the OAuth spec supersede 2617 in this case?

-ofer
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth