On Wed, Apr 21, 2010 at 1:16 PM, Marius Scurtescu wrote:
> On Wed, Apr 21, 2010 at 9:31 AM, Robert Sayre wrote:
>> On Wed, Apr 21, 2010 at 12:16 PM, Marius Scurtescu
>> wrote:
>>>
>>> At first 401 may seem like the perfect status code in this case, but
>>> because there is no real challenge resp
day, April 21, 2010 9:31 AM
To: Eran Hammer-Lahav
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] misuse of status code: 400 Bad Request
On Wed, Apr 21, 2010 at 11:30 AM, Eran Hammer-Lahav
wrote:
We tried something like this approach before but the group consensus was
that we should o
On Wed, Apr 21, 2010 at 9:31 AM, Robert Sayre wrote:
> On Wed, Apr 21, 2010 at 12:16 PM, Marius Scurtescu
> wrote:
>>
>> At first 401 may seem like the perfect status code in this case, but
>> because there is no real challenge response, it probably is a bad
>> choice.
>>
>
> There certainly is,
>
>> -Original Message-
>> From: Robert Sayre [mailto:say...@gmail.com]
>> Sent: Wednesday, April 21, 2010 9:31 AM
>> To: Eran Hammer-Lahav
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] misuse of status code: 400 Bad Request
>>
>> On Wed,
.
Can others voice their support/dislike for the various options?
EHL
-Original Message-
From: Robert Sayre [mailto:say...@gmail.com]
Sent: Wednesday, April 21, 2010 9:31 AM
To: Eran Hammer-Lahav
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] misuse of status code: 400 Bad Request
On Wed,
> -Original Message-
> From: Robert Sayre [mailto:say...@gmail.com]
> Sent: Wednesday, April 21, 2010 9:31 AM
> To: Eran Hammer-Lahav
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] misuse of status code: 400 Bad Request
>
> On Wed, Apr 21, 2010 at 11:30 AM, Eran Hammer-Laha
On Wed, Apr 21, 2010 at 11:30 AM, Eran Hammer-Lahav wrote:
> We tried something like this approach before but the group consensus was that
> we should only have a single spec for now.
Eran kindly pointed me at this survey:
http://www.ietf.org/mail-archive/web/oauth/current/msg01214.html
It does
>
> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-09#section-2.1
>
>
>> -Original Message-
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Robert Sayre
>> Sent: Tuesday, April 20, 2010 6:02 PM
>> To: oauth@iet
ent: Wednesday, April 21, 2010 8:24 AM
> To: Eran Hammer-Lahav
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] misuse of status code: 400 Bad Request
>
> On Wed, Apr 21, 2010 at 11:11 AM, Eran Hammer-Lahav
> wrote:
> > The reason I used 400 in the flows (section 3) is that a
On Wed, Apr 21, 2010 at 11:11 AM, Eran Hammer-Lahav wrote:
> The reason I used 400 in the flows (section 3) is that a 401 response
> requires returning a challenge [1]:
>
> The request requires user authentication. The response MUST include
> a WWW-Authenticate header field.
>
> and we don't
400.
EHL
[1] http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-09#section-2.1
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Robert Sayre
> Sent: Tuesday, April 20, 2010 6:02 PM
> To: oauth@ietf.org
> Subject: [OAU
+1, but why "where possible" (vs always)?
Igor
Torsten Lodderstedt wrote:
+1
I would propose to use appropriate HTTP status codes where possible.
Especially wrong parameters (violated precondition) and
authentication/authorization related errors should be signaled
differently. I think status
+1
I would propose to use appropriate HTTP status codes where possible.
Especially wrong parameters (violated precondition) and
authentication/authorization related errors should be signaled
differently. I think status code 400 is ok for the first category,
status codes 401 and probably 403 ar
The OAuth 2.0 draft uses HTTP status code 400 for access token
requests that are denied.
Here is the definition of 400:
The request could not be understood by the server due to malformed
syntax. The client SHOULD NOT repeat the request without
modifications.
Status 400 should be used f