Hi all,

I noticed a minor change in wording for the error response codes at the token endpoint (see citation below). But I'm still not sure how an authorization server is expected to behave in cases where it supports client password authentication via request parameters and HTTP Basic authentication and the client included neither of them in the request.

Since one could argue that "no credentials" are also "invalid credentials", the authorization server could do:

a) Send status code 401 and WWW-Authenticate Basic as header
b) Send status code 400 and error code invalid_client

I'm more in favor of a) because it seems to be more HTTP-like (or RESTful if you will), but I'm afraid b) is what was initially intended.

How are your implementations handling this case? Should we be more specific in the spec?

draft-10 (chapter 4.3):
-----------------------
If the client provided invalid credentials using an HTTP authentication scheme via the Authorization request header field, the authorization server MUST respond with the HTTP 401 (Unauthorized) status code. Otherwise, the authorization server SHALL respond with the HTTP 400 (Bad Request) status code.
[...]
invalid_client: The client identifier provided is invalid, the client failed to authenticate, the client did not include its credentials, provided multiple client credentials, or used unsupported credentials type.

draft-12 (chapter 5.2):
-----------------------
If the client provided invalid credentials using an HTTP authentication scheme via the Authorization request header field, the authorization server MUST respond with a HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client. Otherwise, the authorization server MUST respond with the HTTP 400 (Bad Request) status code.
[...]
invalid_client: Client authentication failed (e.g. unknown client, no client credentials included, multiple client credentials included, or unsupported credentials type).

Regards,
Christian Stübner

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
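A token-endpoint client-authentication check that applies the draft-12 text quoted above literally, which yields option b) for the no-credentials case (added example, not code from the post or from any OAuth implementation; the client registry, the realm value and treating "multiple credentials" as a 400 are assumptions):

```python
import base64
import hmac

# Constructed sample client registry (client_id -> client_secret); assumption, not from the post.
CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header value for a client (test helper)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _parse_basic(headers):
    """None if no Basic Authorization header was sent; otherwise (client_id, secret).
    A malformed Basic header yields ("", "") so it still counts as a Basic attempt."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ("", "")
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else ("", "")


def _valid(client_id, secret):
    """Constant-time comparison against the registered secret; unknown client -> False."""
    expected = CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(expected.encode(), secret.encode())


def authenticate_client(headers, form):
    """Return None on success, else (status, response_headers, json_body) per draft-12 5.2."""
    basic = _parse_basic(headers)
    in_params = "client_secret" in form
    if basic is not None and in_params:
        # Multiple client credentials included: invalid_client. Assumption: 400, because the
        # failure is the duplicate submission rather than an invalid Basic credential as such.
        return 400, {}, {"error": "invalid_client"}
    if basic is not None:
        if _valid(*basic):
            return None
        # Invalid credentials via an HTTP authentication scheme: 401 plus WWW-Authenticate
        # matching the scheme the client used (realm value is an assumption).
        return 401, {"WWW-Authenticate": 'Basic realm="token"'}, {"error": "invalid_client"}
    if in_params:
        if _valid(form.get("client_id", ""), form["client_secret"]):
            return None
        return 400, {}, {"error": "invalid_client"}
    # No credentials at all: no HTTP authentication scheme was used, so the "Otherwise"
    # branch applies -> 400 with invalid_client (option b) in the post).
    return 400, {}, {"error": "invalid_client"}
```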