Hi Ofer,

If the client has authenticated RFC 2617 style then the 401 status code is mandatory. So there's no conflict with the RFC 2617 spec.
http://tools.ietf.org/html/rfc6749#section-5.2

   invalid_client
         Client authentication failed (e.g., unknown client, no client
         authentication included, or unsupported authentication method).
         The authorization server MAY return an HTTP 401 (Unauthorized)
         status code to indicate which HTTP authentication schemes are
         supported. If the client attempted to authenticate via the
         "Authorization" request header field, the authorization server
         MUST respond with an HTTP 401 (Unauthorized) status code and
         include the "WWW-Authenticate" response header field matching
         the authentication scheme used by the client.

On 24.10.2015 05:23, Ofer Nave wrote:
> I'm using the auth code flow, and supporting basic auth for client auth on
> the token endpoint.
>
> In the OAuth spec it says to respond with 400 and a json body with error:
> invalid_client if client auth fails. However, doesn't RFC 2617 say to
> respond with 401 and a WWW-Authenticate header? Does the OAuth spec
> supersede 2617 in this case?
>
> -ofer
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
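The rule discussed in the thread, as an added example that is not part of the original messages: a token-endpoint client-authentication check that returns 401 plus a WWW-Authenticate header whenever the client sent an Authorization header (RFC 6749 section 5.2), and a plain 400 with the invalid_client JSON body when it did not. The client registry, client id and secret, the realm name "token", and the function names are all assumptions made for this illustration; Basic is the only HTTP scheme the example server supports, so that is the scheme it advertises.

```python
import base64
import hmac
import json

# Constructed client registry for this example; not real credentials.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}


def basic_header(client_id, client_secret):
    """Build an RFC 2617 Basic Authorization header value (used by clients and tests)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header_value):
    """Return (client_id, client_secret) from a Basic header value, or None if it is not valid Basic."""
    if header_value is None:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        return None
    return client_id, client_secret


def invalid_client_response(authorization_header, realm="token"):
    """Build the (status, headers, body) error response for a failed client authentication.

    RFC 6749 5.2: if the client used the Authorization header, the server MUST answer 401
    and include WWW-Authenticate for the scheme; otherwise a 400 with the JSON error body.
    """
    body = json.dumps({"error": "invalid_client"})
    headers = {
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    if authorization_header is not None:
        # The client authenticated RFC 2617 style, so 401 + WWW-Authenticate is mandatory.
        headers["WWW-Authenticate"] = f'Basic realm="{realm}"'
        return 401, headers, body
    return 400, headers, body


def authenticate_client(headers, form):
    """Authenticate a token-endpoint request.

    Returns (client_id, None) on success or (None, error_response) on failure, where
    error_response is the tuple produced by invalid_client_response().
    """
    authz = headers.get("Authorization")
    creds = parse_basic_auth(authz) if authz is not None else None
    # RFC 6749 2.3.1 also allows client_id/client_secret in the request body; only consult
    # it when no Authorization header was sent, so the 401-vs-400 decision stays unambiguous.
    if authz is None and "client_id" in form and "client_secret" in form:
        creds = (form["client_id"], form["client_secret"])
    if creds is not None:
        expected = CLIENTS.get(creds[0], "")
        # Constant-time comparison so secret checking does not leak timing information.
        if expected and hmac.compare_digest(expected.encode("utf-8"), creds[1].encode("utf-8")):
            return creds[0], None
    return None, invalid_client_response(authz)
```

Because the error response depends only on whether an Authorization header was present, a client that sends an unsupported scheme (for example Bearer) also receives a 401 that tells it which scheme the server does support, which is the other half of what section 5.2 permits.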