+1 for James' proposal

On 21.04.2010 18:38, Eran Hammer-Lahav wrote:
How about Marius' suggestion to use a 200 response?

I'd rather not invent a new auth scheme that is used just to comply with HTTP 
requirements for a 401... I think we either keep this simple(r) by using a 400 
or 200, or take another look at James' proposal for using Basic auth to send 
the client credentials. At that point a 401 will be used when the client 
credentials are wrong, and a 400 (or 200) when something else doesn't match in 
the request (verification code, username/password).

Can others voice their support/dislike for the various options?

EHL

-----Original Message-----
From: Robert Sayre [mailto:say...@gmail.com]
Sent: Wednesday, April 21, 2010 9:31 AM
To: Eran Hammer-Lahav
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] misuse of status code: 400 Bad Request

On Wed, Apr 21, 2010 at 11:30 AM, Eran Hammer-Lahav
<e...@hueniverse.com> wrote:
> We tried something like this approach before but the group consensus was
> that we should only have a single spec for now.

Eran kindly pointed me at this survey:
http://www.ietf.org/mail-archive/web/oauth/current/msg01214.html

It doesn't look like very strong consensus to me, but I can see how the desire
of everyone to call their thing "OAuth" can be a powerful motivator. :)

> As for using Basic/Digest for flow authentication, that's a proposal made by
> James Manger which so far received little support (though no hard
> objections).
> I don't have a strong preference either way.

Well, regardless of how big the spec gets, this bit from 3.6.1.1. is a bug:

      HTTP/1.1 400 Bad Request
      Content-Type: application/x-www-form-urlencoded

      error=incorrect_credentials

If you imagine a client trying to do something special with OAuth errors,
there's nothing about this response that's self describing.
Something like this layers much better:

      HTTP/1.1 401 Unauthorized
      WWW-Authenticate: OAuthDelegation
      Content-Type: application/x-www-form-urlencoded

      error=incorrect_credentials

On Wed, Apr 21, 2010 at 12:16 PM, Marius Scurtescu
<mscurte...@google.com> wrote:
> At first 401 may seem like the perfect status code in this case, but
> because there is no real challenge response, it probably is a bad
> choice.

There certainly is, it just isn't an Authorization header. A client receiving
error=incorrect_credentials would change the creds and respond, right?

> Some HTTP libraries will try to automatically respond to a 401
> challenge and if they are not configured to do so will generate noise
> in the log files. I have seen Apache HttpClient doing that.
People will write buggy OAuth clients too. Don't design around lame bugs in
Apache HttpClient. :)

--

Robert Sayre

"I would have written a shorter letter, but I did not have the time."
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
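As an added illustration (not code from the thread or from any OAuth draft), this Python sketch parses the two response shapes Robert quotes and shows what a client can conclude from each response on its own. The scheme name OAuthDelegation is Robert's hypothetical one; the sample responses and the knows_oauth_endpoint flag are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed samples modelled on the two response shapes quoted in the thread.
# Each is (status line, headers, body).
RESPONSE_400 = ("HTTP/1.1 400 Bad Request",
                {"Content-Type": "application/x-www-form-urlencoded"},
                "error=incorrect_credentials")
RESPONSE_401 = ("HTTP/1.1 401 Unauthorized",
                {"WWW-Authenticate": "OAuthDelegation",
                 "Content-Type": "application/x-www-form-urlencoded"},
                "error=incorrect_credentials")

OAUTH_SCHEMES = {"oauthdelegation"}    # hypothetical scheme from Robert's example
LIBRARY_SCHEMES = {"basic", "digest"}  # schemes a generic HTTP library may answer unasked

_PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^\s,]+))')

def parse_challenge(value):
    """Split one WWW-Authenticate challenge into (scheme, {param: value})."""
    scheme, _, rest = value.strip().partition(" ")
    params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM.finditer(rest)}
    return scheme, params

def form_error(headers, body):
    """Return the error= value of a form-encoded body, or None if not form-encoded."""
    if not headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        return None
    return parse_qs(body).get("error", [None])[0]

def classify(status_line, headers, body, knows_oauth_endpoint=False):
    """Decide what the client can conclude from the response alone.
    knows_oauth_endpoint models out-of-band knowledge that the URL is an OAuth
    token endpoint: the 401 form never needs it, the 400 form does."""
    status = int(status_line.split()[1])
    error = form_error(headers, body)
    if status == 401:
        challenge = headers.get("WWW-Authenticate")
        if challenge is None:
            return "protocol_error", "401 without a WWW-Authenticate challenge"
        scheme, _ = parse_challenge(challenge)
        if scheme.lower() in OAUTH_SCHEMES:
            return "bad_client_credentials", error  # self-describing: scheme plus error
        if scheme.lower() in LIBRARY_SCHEMES:
            return "library_may_auto_retry", scheme  # the log noise Marius describes
        return "unknown_challenge", scheme
    if status == 400:
        if error is not None and knows_oauth_endpoint:
            return "oauth_request_error", error
        return "generic_bad_request", error           # body means nothing by itself
    return "other", status
```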
