Hi,

> On Mon, Jan 22, 2018 at 8:40 PM, Nilasini Thirunavukkarasu <nilas...@wso2.com> wrote:
>
>> Hi,
>>
>> Client password is just one of the client authentication methods, and client authentication can also be extended according to OAuth2. So why can't we say this is an unsupported authentication method? According to the spec, if it falls under unsupported authentication method then it will be an invalid client.
>
> Sending out a basic authorization header is one of the ways to authenticate. Hence the client would expect to authenticate by sending out basic authentication headers. Since we do support basic authentication, it's not correct to say unsupported authentication mechanism, in my point of view. Rather, this is something wrong with the format.

For a specific request, if it expects a header based on the authentication mechanism, a malformed header can be considered malformed credentials or a malformed request. So +1 to proceed with 'invalid request'.

Thanks,

On Mon, Jan 22, 2018 at 9:13 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>
>> Please correct me if I'm wrong.
>>
>> Thanks,
>> Nila.
>>
>> On Fri, Jan 19, 2018 at 3:43 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>
>>> Hi Hasintha,
>>>
>>> On Fri, Jan 19, 2018 at 3:32 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>>>
>>>> WDYT about the $subject? Below are quoted the descriptions of two types of error codes from the spec [1]. It looks like "invalid_request" is more appropriate here. Any thoughts? An example authorization header is Base64Encoded(randomString), where randomString doesn't have the clientid:clientSecret format.
>>>>
>>>> invalid_request
>>>>     The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
>>>>
>>>> invalid_client
>>>>     Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
>>>>
>>> +1 for using 'invalid request' in this case, where client authentication is happening with the method 'client password'.
>>> We will have to consider that other authentication mechanisms can also be available as per [2], which won't adhere to this format of 'Base64Encoded(clientid:clientSecret)'.
>>>
>>>> [1] https://tools.ietf.org/html/rfc6749
>>>
>>> [2] https://tools.ietf.org/html/rfc6749#section-2.3
>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>
>>> Thanks,
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd
>>
>> --
>> Nilasini Thirunavukkarasu
>> Software Engineer - WSO2
>
> --
> Hasintha Indrajee
> WSO2, Inc.

--
Hasanthi Dissanayake
Senior Software Engineer | WSO2

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
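As an added example (not code from the thread or from WSO2), the classification the thread converges on, in Python: a Basic header that does not decode to clientid:clientSecret is answered with invalid_request (400), while a missing header, a scheme the endpoint does not offer, or a well-formed credential for an unknown client or wrong secret gets invalid_client (401 with WWW-Authenticate, as the quoted RFC 6749 text requires for header-based attempts). The client registry and realm string are constructed.

```python
import base64
import binascii
import hmac
from urllib.parse import unquote

# Constructed sample client registry standing in for the server's client store.
CLIENTS = {"app123": "s3cr3t"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="oauth2-token"'}


def parse_basic_credentials(encoded):
    """Decode base64(urlencode(client_id) + ':' + urlencode(client_secret)) as in
    RFC 6749 section 2.3.1. Returns (client_id, client_secret), or None when the
    value is not a well-formed Basic credential (bad base64, bad UTF-8, no colon,
    empty client_id)."""
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(secret)


def classify_client_auth(authorization, clients=CLIENTS):
    """Return (http_status, oauth_error, extra_headers) for a token request's
    Authorization header. oauth_error is None when authentication succeeds."""
    if authorization is None:
        # No client authentication included at all.
        return 401, "invalid_client", CHALLENGE
    scheme, _, encoded = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        # A scheme this endpoint does not offer: unsupported authentication method.
        return 401, "invalid_client", CHALLENGE
    creds = parse_basic_credentials(encoded)
    if creds is None:
        # Basic is supported, but the credential is not in clientid:clientSecret
        # form: the request itself is malformed, so invalid_request / 400.
        return 400, "invalid_request", {}
    client_id, secret = creds
    expected = clients.get(client_id)
    # Constant-time comparison; unknown client and wrong secret get one answer.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, "invalid_client", CHALLENGE
    return 200, None, {}
```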