Hi there, a question about https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04
5.2.3. Error Codes

"invalid_request": The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed. The resource server SHOULD respond with the HTTP 400 (Bad Request) status code.

"invalid_token": The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.

Now, what is the intended error code for the situation where no access token is provided? The description for invalid_token seems to imply that one token was provided. As the token may be seen as a required parameter, invalid_request may be appropriate. However, a missing token smells more like HTTP 401 (Unauthorized).

Should this be an additional error code (missing_token)? Or should this case be added to invalid_token?

--
Johannes Koch
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth