Hi Hasintha,

On Fri, Jan 19, 2018 at 3:32 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> WDYT about the $subject? Below are the quoted descriptions of the two types
> of error codes from the spec [1]. It looks like "invalid_request" is more
> appropriate here. Any thoughts? An example authorization header is
> Base64Encoded(randomString), which doesn't have the
> clientid:clientSecret format.
>
>
>  invalid_request
>                The request is missing a required parameter, includes an
>                unsupported parameter value (other than grant type),
>                repeats a parameter, includes multiple credentials,
>                utilizes more than one mechanism for authenticating the
>                client, or is otherwise malformed.
>
>  invalid_client
>                Client authentication failed (e.g., unknown client, no
>                client authentication included, or unsupported
>                authentication method).  The authorization server MAY
>                return an HTTP 401 (Unauthorized) status code to indicate
>                which HTTP authentication schemes are supported.  If the
>                client attempted to authenticate via the "Authorization"
>                request header field, the authorization server MUST
>                respond with an HTTP 401 (Unauthorized) status code and
>                include the "WWW-Authenticate" response header field
>                matching the authentication scheme used by the client.
>
>
+1 for using 'invalid_request' in this case, where client authentication is
happening with the method 'client password'.
We will have to consider that other authentication mechanisms can also be
available as per [2], which won't adhere to this format of
'Base64Encoded(clientid:clientSecret)'.


>
> [1] https://tools.ietf.org/html/rfc6749
>
[2] https://tools.ietf.org/html/rfc6749#section-2.3

>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>
>

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

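The distinction the thread is settling, as an added example that is not part of the thread and not WSO2's own code: a token-endpoint client-authentication check that returns invalid_request (400) when the Basic header is present but is not base64(client_id:client_secret), invalid_client (401 plus WWW-Authenticate, as RFC 6749 requires when the header was used) when the credentials decode fine but fail, and invalid_request when more than one mechanism from section 2.3 is used in one request. The client registry, realm string and header/form dicts are constructed for the example; a real server would look clients up in its store and normalise header names first.

```python
import base64
import binascii
import hmac
from urllib.parse import quote, unquote_plus

# Constructed client registry for this example (assumed values, not a real
# deployment). A real server would store secrets hashed and look them up.
CLIENTS = {"client-a": "s3cret-a", "colon:id": "sp ace"}

# Assumed realm for the WWW-Authenticate challenge the spec mandates.
WWW_AUTH = 'Basic realm="token"'


def basic_header(client_id, secret):
    """Build the header a client sends. RFC 6749 2.3.1: id and secret are
    form-urlencoded before being joined with ':' and base64-encoded."""
    raw = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic_credentials(token):
    """Decode the part after 'Basic '. Raises ValueError when the token is
    not valid base64 or does not decode to client_id:client_secret."""
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        raise ValueError("Authorization header is not valid base64")
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        raise ValueError("credentials are not in client_id:client_secret form")
    # Undo the form-urlencoding applied by the client (2.3.1).
    return unquote_plus(client_id), unquote_plus(secret)


def check_secret(client_id, secret):
    """Constant-time secret comparison; an unknown client_id still runs a
    compare so unknown-vs-wrong-secret is not distinguishable by timing."""
    expected = CLIENTS.get(client_id)
    same = hmac.compare_digest((expected or "").encode(), secret.encode())
    return expected is not None and same


def error(status, code, description, www_authenticate=None):
    """Shape a token-endpoint error response (RFC 6749 5.2)."""
    resp = {"status": status, "body": {"error": code, "error_description": description},
            "headers": {"Cache-Control": "no-store"}}
    if www_authenticate:
        resp["headers"]["WWW-Authenticate"] = www_authenticate
    return resp


def authenticate_client(headers, form):
    """Decide the client-authentication outcome for one token request.
    headers: HTTP request headers (assumed already case-normalised);
    form: decoded application/x-www-form-urlencoded body fields."""
    auth = headers.get("Authorization")
    form_creds = "client_id" in form and "client_secret" in form

    # 2.3: using more than one mechanism in a single request is invalid_request.
    if auth is not None and form_creds:
        return error(400, "invalid_request", "multiple client authentication mechanisms used")

    if auth is not None:
        scheme, _, token = auth.strip().partition(" ")
        if scheme.lower() != "basic":
            # Unsupported authentication method: invalid_client. The header was
            # used, so 401 with WWW-Authenticate is mandatory, not optional.
            return error(401, "invalid_client", f"unsupported scheme {scheme!r}", WWW_AUTH)
        try:
            client_id, secret = parse_basic_credentials(token)
        except ValueError as exc:
            # Header present but not base64(client_id:client_secret): the
            # request itself is malformed, which is the invalid_request case.
            return error(400, "invalid_request", str(exc))
        if not check_secret(client_id, secret):
            return error(401, "invalid_client", "client authentication failed", WWW_AUTH)
        return {"status": 200, "client_id": client_id}

    if form_creds:
        # client_secret_post (2.3.1, body parameters). No Authorization header
        # was used, so 401/WWW-Authenticate is only a MAY; answer 400 here.
        if not check_secret(form["client_id"], form["client_secret"]):
            return error(400, "invalid_client", "client authentication failed")
        return {"status": 200, "client_id": form["client_id"]}

    # Assumes every registered client is confidential, so a request with no
    # client authentication at all is invalid_client.
    return error(401, "invalid_client", "no client authentication included", WWW_AUTH)


if __name__ == "__main__":
    # "cmFuZG9tU3RyaW5n" is base64("randomString"): valid base64, no colon.
    print(authenticate_client({"Authorization": "Basic cmFuZG9tU3RyaW5n"}, {}))
    print(authenticate_client({"Authorization": basic_header("client-a", "nope")}, {}))
```

The two cases the thread contrasts are the first two prints: a header that decodes to a random string is a malformed request (400 invalid_request), while a well-formed header with a wrong secret is a failed authentication (401 invalid_client with the Basic challenge). Other section 2.3 mechanisms only need another branch before the final fallback; the Basic-format check should never be applied to them.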