+1
I would propose to use appropriate HTTP status codes where possible.
Especially wrong parameters (violated precondition) and
authentication/authorization related errors should be signaled
differently. I think status code 400 is ok for the first category,
status codes 401 and probably 403 are good candidates for the other.
Status code 401 could be combined w/ WWW-Authenticate header.
regards,
Torsten.
On 21.04.2010 03:01, Robert Sayre wrote:
The OAuth 2.0 draft uses HTTP status code 400 for access token
requests that are denied.
Here is the definition of 400:
The request could not be understood by the server due to malformed
syntax. The client SHOULD NOT repeat the request without
modifications.
Status 400 should be used for malformed requests, not those that are
understood and rejected. 401 seems to be a better fit.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth