Re: [OAUTH-WG] Apparent consensus on OAuth Errors Registry

2011-03-21 Thread Eran Hammer-Lahav
There are two separate issues here which Mike's latest draft conflated into one. Issues 1: The v2 specification currently does not allow for defining additional error codes to the authorization and token endpoints. The only way to define additional error codes is by updating the RFC (once publi

Re: [OAUTH-WG] Apparent consensus on OAuth Errors Registry

2011-03-21 Thread Phil Hunt
I'm still not understanding why each RFC (e.g. the bearer spec) can't define its own error codes. If you were to support the bearer token RFC, then you obviously understand the normative errors. I'm just not getting what the value of a central "OAuth" registry is. An OAuth registry also unnec

Re: [OAUTH-WG] Apparent consensus on OAuth Errors Registry

2011-03-21 Thread Eran Hammer-Lahav
That's what I did for MAC. However, this thread is about the v2 spec. EHL On Mar 21, 2011, at 16:38, "Manger, James H" mailto:james.h.man...@team.telstra.com>> wrote: The bearer spec defines 3 errors (invalid_request, invalid_token, insufficient_scope), which accompany 3 different status codes

Re: [OAUTH-WG] Apparent consensus on OAuth Errors Registry

2011-03-21 Thread Manger, James H
The bearer spec defines 3 errors (invalid_request, invalid_token, insufficient_scope), which accompany 3 different status codes (400 Bad request, 401 Unauthorized, 403 Forbidden respectively). Client apps are probably better off switching behaviour based on the HTTP status code, and ignoring th

Re: [OAUTH-WG] Apparent consensus on OAuth Errors Registry

2011-03-21 Thread Phil Hunt
I don't believe there is consensus yet. Many of us have not voted and/or don't agree with the options presented. Phil phil.h...@oracle.com On 2011-03-21, at 9:48 AM, Mike Jones wrote: > People voted as follows in the poll I conducted on the OAuth Errors Registry: > > For A: >

Re: [OAUTH-WG] OAuth Bearer Token draft

2011-03-21 Thread Phil Hunt
+1 Phil phil.h...@oracle.com On 2011-03-21, at 8:50 AM, George Fletcher wrote: > +1 > > On 3/11/11 2:56 AM, tors...@lodderstedt.net wrote: >> >> Why not "bearer_token"? This would be in line with the Authorization scheme >> name. >> >> regards, >> Torsten. >> Gesendet mit BlackBerry® Webm

Re: [OAUTH-WG] Apparent consensus on OAuth Errors Registry

2011-03-21 Thread Eran Hammer-Lahav
You call this consensus? David Recordon was raising concerns about the proposal and Justin Richter agreed to registry alternatives. So no, this is not sufficient to make changes yet. I do see a need to extend the error code set in case of extensions which modify the behavior of the authorizatio

[OAUTH-WG] Apparent consensus on OAuth Errors Registry

2011-03-21 Thread Mike Jones
People voted as follows in the poll I conducted on the OAuth Errors Registry: For A: Mike Jones Igor Faynberg Justin Richter Anthony Nadalin For D or C: Eran Hammer-Lahav William Mills Given that twic

Re: [OAUTH-WG] OAuth Bearer Token draft

2011-03-21 Thread George Fletcher
+1 On 3/11/11 2:56 AM, tors...@lodderstedt.net wrote: Why not "bearer_token"? This would be in line with the Authorization scheme name. regards, Torsten. Gesendet mit BlackBerry® Webmail von Telekom Deutschland -Original Message- From: Mike Jones Sender: oauth-boun...@ietf.org Date: F