Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-04-01 Thread Justin Richer
I think that text is a viable solution -- we didn't want the "ghost client" situation to be 404 for security reasons (to keep people from poking around the registration endpoint). I don't think it's going to happen in practice, but I think it's important to be clear on what to do in this situat

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-04-01 Thread nov matake
[Current] If the client does not exist on this server, the server MUST return an HTTP 403 Forbidden. [Proposed] If the client does not exist on this server, the server treats the given token as invalid and MUST return HTTP 401 Unauthorized as described in RFC 6750 Section 3.1. On 2013/04/02, at

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-04-01 Thread nov matake
Thanks for your clarification. After reading the editor's note in draft06, I felt 401 is more natural than 403. (assuming you don't want to use 404 for security reason) The editor's note is enough detail for the reason of using 401. Using 403, it's like "the token is valid, but the ghost client

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-04-01 Thread Justin Richer
If the access token isn't valid, then the intent is that the server return whatever is a valid response from OAuth, which as I recall is practically any 400 class error. This behavior for DynReg is outlined in section 5.2 of draft -09. In your case, since you're actually failing on the bad tok
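
The "ghost client" handling discussed in this thread (the proposal to treat a registration access token presented for a non-existent client as an invalid token and answer 401 per RFC 6750 Section 3.1, and the point that a bad token gets an ordinary OAuth bearer error rather than a 404) can be shown as a small client configuration endpoint handler. The following is an added example written for this archive page; it is not code from the draft, from the working group, or from either poster, and it does not claim to reproduce the normative text of draft -09. The in-memory registry, the client_id, the token value and the realm name are constructed for illustration; a real server would store a hash of the token rather than the token itself.

```python
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed in-memory registry: client_id -> registration record.
# The registration access token is kept in clear here only so the
# example runs stand-alone (assumption; a real store would keep a hash).
REGISTRY: Dict[str, dict] = {
    "s6BhdRkqt3": {
        "client_id": "s6BhdRkqt3",
        "client_name": "Example Client",
        "redirect_uris": ["https://client.example.org/callback"],
        "registration_access_token": "reg-23410913-abewfq.123483",
    },
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _bearer_challenge(error: Optional[str] = None,
                      description: Optional[str] = None) -> Response:
    """401 with a WWW-Authenticate: Bearer challenge (RFC 6750 section 3.1).

    When the request carried no usable credential at all, RFC 6750 says the
    server should not include an error code, so 'error' is optional here.
    The realm value is an assumption for this example.
    """
    params = ['realm="client-configuration"']
    if error:
        params.append('error="%s"' % error)
    if description:
        params.append('error_description="%s"' % description)
    return Response(401, {"WWW-Authenticate": "Bearer " + ", ".join(params)})


def _extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def handle_client_config_get(client_id: str,
                             authorization: Optional[str]) -> Response:
    """GET on the client configuration endpoint for one client_id."""
    token = _extract_bearer(authorization)
    if token is None:
        # No credential presented: plain challenge, no error code.
        return _bearer_challenge()

    record = REGISTRY.get(client_id)
    # Ghost client: if there is no such client, the presented token cannot be
    # valid for it, so the response is identical to the wrong-token case.
    # Returning 404 here would let a caller probe which client_ids exist.
    expected = record["registration_access_token"] if record else ""
    if record is None or not hmac.compare_digest(expected.encode(), token.encode()):
        return _bearer_challenge(
            "invalid_token",
            "registration access token is not valid for this client")

    # Valid token for an existing client: return its metadata, never the token.
    public = {k: v for k, v in record.items() if k != "registration_access_token"}
    return Response(200, {"Content-Type": "application/json"}, json.dumps(public))
```

The check a practitioner wants is that the "no such client" branch and the "wrong token" branch are byte-for-byte the same response, so that the endpoint leaks nothing about which client_ids are registered; hmac.compare_digest keeps the token comparison constant-time for the same reason.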

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-03-29 Thread nov matake
oops sorry, not draft07, but draft06. On 2013/03/30, at 12:55, nov matake wrote: > Hi Justin, > > I read the latest draft and found endpoints described in the spec returns 403 > in "no such clients" case. > I also read the draft07's editor note below, so I can understand the > situation. > >

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-03-29 Thread nov matake
Hi Justin, I read the latest draft and found endpoints described in the spec returns 403 in "no such clients" case. I also read the draft07's editor note below, so I can understand the situation. [[ Editor's note: If the client doesn't exist, then the Refresh Access Token shouldn't be valid, mak

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-03-29 Thread Justin Richer
New dynamic registration draft is published. Biggest changes here are the internationalization/localization capabilities that are now applicable to human-readable client metadata fields. -- Justin On 03/29/2013 04:38 PM, internet-dra...@ietf.org wrote: A New Internet-Draft is available from

[OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-09.txt

2013-03-29 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 Dynamic Client Registration Protocol Author(s) : Justin Richer