On Jan 2, 2018, at 4:08 PM, William Denniss <wdenn...@google.com> wrote:
> On Fri, Dec 15, 2017 at 11:12 PM, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
>> On 15/12/17 00:43, William Denniss wrote:
>>> On Fri, Dec 8, 2017 at 11:42 AM, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
>>>> Hi,
>>>>
>>>> I just got a question on Twitter about the slow_down error:
>>>>
>>>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.5
>>>>
>>>> The question was why slow_down is communicated via HTTP status code 400
>>>> and not 429 (Too Many Requests).
>>>>
>>> We could, it seems to match the intent of that error code. Main reason it's
>>> not like that so far is that 400 is the default for OAuth, I fear people
>>> may not be checking for a 429. We don't strictly *need* the 429, since
>>> we're returning data in machine readable format one way or another (i.e.
>>> it's easy for the client to extract the "slow_down" response either way),
>>> which differs from HTML over HTTP which is intended for end-user
>>> consumption, making the specific status code more important.
>>
>> Yes, on a 400 clients will need to check the error JSON object anyway, so
>> the "slow_down" cannot be missed. Whereas with 429 that becomes more likely.
>>
>> +1 to return "slow_down" with status 400 as it is with the other OAuth
>> error codes.
>
> Thanks for considering this Vladimir. To conclude this topic, it seems there
> are no compelling reasons to change to the 429, and a reasonable explanation
> of why it's a 400, so I think we should keep things as-is.
>
> Rifaat: The deadline has passed on the WGLC, and I believe all comments
> raised have been addressed. Can we now advance the draft?

No one responded to the comment I shared on 27 November.

Scott
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
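
Added example, not part of the thread or the draft: a sketch of the client-side check the thread describes, where the poller reads the `error` member of the JSON body on a 400 instead of relying on the status code, and also tolerates a bare 429. The function names, the 5-second back-off step and the sample responses are assumptions constructed for illustration.

```python
import json

# Assumption: back off by a fixed 5 seconds on each slow_down.
SLOW_DOWN_STEP = 5


def next_poll_action(status, body, interval):
    """Classify one token-endpoint response during device-flow polling.

    Returns (action, interval) where action is "done", "wait" or "fail".
    """
    if status == 200:
        return "done", interval
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        parsed = None  # empty or non-JSON body
    error = parsed.get("error") if isinstance(parsed, dict) else None
    # slow_down arrives in the JSON body of a 400; a 429 from a server or
    # proxy is treated the same way so neither signal is missed.
    if error == "slow_down" or status == 429:
        return "wait", interval + SLOW_DOWN_STEP
    if status == 400 and error == "authorization_pending":
        return "wait", interval
    # access_denied, expired_token, unknown errors: stop polling.
    return "fail", interval


def simulate(responses, interval=5):
    """Feed canned (status, body) pairs; return (outcome, waits used)."""
    waits = []
    for status, body in responses:
        action, interval = next_poll_action(status, body, interval)
        if action != "wait":
            return action, waits
        waits.append(interval)
    return "fail", waits  # ran out of responses without a token


# Constructed sample exchange (not captured from a real server).
SAMPLE = [
    (400, '{"error": "authorization_pending"}'),
    (400, '{"error": "slow_down"}'),
    (429, ""),
    (400, '{"error": "authorization_pending"}'),
    (200, '{"access_token": "constructed-token", "token_type": "Bearer"}'),
]

if __name__ == "__main__":
    print(simulate(SAMPLE))
```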