Default for client password authentication is HTTP BASIC (cf.
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2.1)
regards,
Torsten.
On 16.09.2010 15:52, mat...@gmail wrote:
Hi experts,
I'm now developing an OAuth2 server library in Ruby, rack-oauth2.
I have one question about the error response.
In section 4.3, it says
"If the client provided invalid credentials using an HTTP authentication scheme via the
"Authorization" request header field, the authorization server MUST respond with the HTTP
401 (Unauthorized) status code. Otherwise, the authorization server SHALL respond with the HTTP 400
(Bad Request) status code."
In which case does the client send credentials via the "Authorization" request header?
In my understanding, the client puts any credentials in the request body when obtaining
an access token.
Are there some use cases I'm missing?
Thanks
--
Nov Matake (=nov)
http://matake.jp
http://twitter.com/nov
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
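The rule quoted from section 4.3, together with the reply's point that HTTP Basic is the default, as an added Ruby example (not part of the original thread and not rack-oauth2's code): the status code depends on where the client presented its credentials. The function names, the `CLIENTS` registry, the realm string, and the use of the `client_id`/`client_secret` body parameters and the `invalid_client` error code are assumptions made for this illustration.

```ruby
require 'json'

# Constructed registry for this example: client_id => client_secret.
CLIENTS = { 'example-client' => 'example-secret' }.freeze

# Returns [client_id, client_secret, source]; source is :header, :body or nil.
def extract_client_credentials(env, params)
  auth = env['HTTP_AUTHORIZATION'].to_s
  if auth =~ /\ABasic\s+(\S+)\z/i
    # unpack1('m') decodes Base64; Basic credentials are "id:secret".
    id, secret = Regexp.last_match(1).unpack1('m').split(':', 2)
    return [id, secret, :header]
  end
  return [params['client_id'], params['client_secret'], :body] if params['client_id']
  [nil, nil, nil]
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns nil when the client authenticates, otherwise a Rack-style
# [status, headers, body] error response.
def client_auth_error(env, params)
  id, secret, source = extract_client_credentials(env, params)
  expected = CLIENTS[id]
  return nil if expected && secret && secure_equal?(expected, secret)

  headers = { 'Content-Type' => 'application/json', 'Cache-Control' => 'no-store' }
  body = [JSON.generate('error' => 'invalid_client')]
  if source == :header
    # Credentials arrived via the Authorization header: MUST be 401.
    headers['WWW-Authenticate'] = 'Basic realm="token endpoint"'
    [401, headers, body]
  else
    # Credentials in the request body (or absent): 400.
    [400, headers, body]
  end
end
```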