Hi,
It appears that RFC 6749 and RFC 6750 are inconsistent in regards to the
HTTP status code that should be returned when a requested scope is
"invalid".
For example, if a call is made to the /token endpoint to obtain a new
access_token and the scopes requested are outside those issued to the
refresh_token, RFC 6749 says the HTTP status code returned should be 400
(Bad Request).
However, if an access token is presented to an OAuth2 protected resource
and the access token does not contain the necessary scope, RFC 6750 says
the HTTP status code returned should be 403 (Forbidden).
Does anyone remember if this is intentional? The two cases here are
pretty equivalent semantics-wise.
Thanks,
George
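The two responses the message contrasts, side by side, as an added example that is not part of the original post: a refresh-token grant that asks for more scope than was issued gets 400 with `error=invalid_scope` (RFC 6749), while a bearer token that lacks the scope a resource needs gets 403 with `error="insufficient_scope"` in `WWW-Authenticate` (RFC 6750). Function names, the realm and the sample token are assumptions made for the example.

```python
# Added example (not from the original post). Each handler returns
# (status, headers, body) so the two status codes can be compared directly.
from typing import Optional


def refresh_token_grant(issued_scopes: set, requested: Optional[str]):
    """Token endpoint, refresh_token grant (RFC 6749 section 6).

    The requested scope must not exceed the scope originally granted with
    the refresh token; on violation the endpoint answers 400 with
    error=invalid_scope (RFC 6749 section 5.2). An absent scope parameter
    means "same scope as before".
    """
    requested_scopes = set(requested.split()) if requested else set(issued_scopes)
    if not requested_scopes <= issued_scopes:
        return 400, {"Content-Type": "application/json"}, {
            "error": "invalid_scope",
            "error_description": "requested scope exceeds scope of refresh token",
        }
    return 200, {"Content-Type": "application/json"}, {
        "access_token": "constructed-example-token",  # constructed sample value
        "token_type": "Bearer",
        "scope": " ".join(sorted(requested_scopes)),
    }


def protected_resource(token_scopes: set, required: set, realm: str = "api"):
    """Resource server (RFC 6750 section 3.1).

    A valid bearer token whose scope does not cover the resource gets 403
    with error="insufficient_scope"; the challenge may name the scope the
    client needs so it can go back to the authorization server.
    """
    if not required <= token_scopes:
        challenge = (
            f'Bearer realm="{realm}", scope="{" ".join(sorted(required))}", '
            'error="insufficient_scope"'
        )
        return 403, {"WWW-Authenticate": challenge}, None
    return 200, {}, {"ok": True}
```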
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth