Hi all,

I noticed a minor change in wording for the error response codes at the token 
endpoint (see citation below).
But I'm still not sure how an authorization server is expected to behave in 
cases where it supports client password authentication via request parameters 
and HTTP Basic authentication and the client included neither of them in the 
request.

Since one could argue that "no credentials" are also "invalid credentials" the 
authorization server could do:
a) Send status code 401 and a WWW-Authenticate: Basic header
b) Send status code 400 and the error code invalid_client

I'm more in favor of a) because it seems to be more HTTP-like (or RESTful if 
you will) but I'm afraid b) is what was initially intended.
How are your implementations handling this case? Should we be more specific in 
the spec?


draft-10 (chapter 4.3):
-----------------------
If the client provided invalid credentials using an HTTP authentication scheme 
via the Authorization request header field, the authorization server MUST 
respond with the HTTP 401 (Unauthorized) status code. Otherwise, the 
authorization server SHALL respond with the HTTP 400 (Bad Request) status code.
[...]
    invalid_client: The client identifier provided is invalid, the client 
failed to authenticate, the client did not include its credentials, provided 
multiple client credentials, or used unsupported credentials type. 


draft-12 (chapter 5.2): 
-----------------------
If the client provided invalid credentials using an HTTP authentication scheme 
via the Authorization request header field, the authorization server MUST 
respond with a HTTP 401 (Unauthorized) status code, and include the 
WWW-Authenticate response header field matching the authentication scheme used 
by the client. Otherwise, the authorization server MUST respond with the HTTP 
400 (Bad Request) status code.
[...]
    invalid_client: Client authentication failed (e.g. unknown client, no 
client credentials included, multiple client credentials included, or 
unsupported credentials type). 



Regards,
Christian Stübner
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
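The decision the message asks about, as an added example that is not part of the thread or of any implementation discussed in it: a token-endpoint client-authentication step that follows the draft-12 wording (401 plus WWW-Authenticate only when invalid credentials arrived via the Authorization header, 400 invalid_client otherwise) and exposes the "no credentials at all" case as a switch between the two options a) and b). The client registry, realm and sample credentials are constructed for the example.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs

# Constructed sample client registry (not from the thread); kept in plain text for brevity.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="token"'}

def _basic_creds(authorization):
    """(client_id, secret) from a Basic Authorization header; None if there is none."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return ("", "")                 # header present but malformed: invalid credentials
    user, _, secret = decoded.partition(":")
    return (user, secret)

def authenticate_client(authorization, form_body, missing_policy="b"):
    """Client-auth step of a token request -> (status, headers, body).
    missing_policy "b": no credentials -> 400 invalid_client (the draft-12 reading);
    missing_policy "a": no credentials -> 401 with a WWW-Authenticate challenge."""
    def invalid_client(status, extra=None):
        headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
        headers.update(extra or {})
        return status, headers, json.dumps({"error": "invalid_client"})
    params = parse_qs(form_body or "", keep_blank_values=True)
    header_creds = _basic_creds(authorization)
    param_creds = None
    if "client_id" in params or "client_secret" in params:
        param_creds = (params.get("client_id", [""])[0], params.get("client_secret", [""])[0])
    if header_creds is not None and param_creds is not None:
        return invalid_client(400)      # multiple client credentials included
    if authorization and header_creds is None:
        return invalid_client(400)      # unsupported credentials type (non-Basic scheme)
    creds = header_creds if header_creds is not None else param_creds
    if creds is None:                   # the case the thread asks about
        return invalid_client(401, CHALLENGE) if missing_policy == "a" else invalid_client(400)
    client_id, secret = creds
    expected = CLIENTS.get(client_id, "")   # compare_digest keeps the check constant-time
    if client_id in CLIENTS and hmac.compare_digest(secret.encode(), expected.encode()):
        return 200, {}, json.dumps({"client_id": client_id})   # go on to process the grant
    if header_creds is not None:        # invalid credentials via the Authorization header
        return invalid_client(401, CHALLENGE)
    return invalid_client(400)          # invalid credentials via request parameters
```

With the default policy a request carrying neither header nor parameters gets 400 invalid_client; passing missing_policy="a" turns that same request into a 401 with a Basic challenge, while every other branch is unchanged.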
