I'm working on spec'ing out a use of the Resource Owner Password
Credentials flow and in trying to map out possible error cases, realized
that there is no good error for the case that the resource owner's
password credentials are invalid. Section 4.3 of draft 16 references
section 5.2 for errors. The list of available errors in section 5.2 are...
error
REQUIRED. A single error code from the following:
invalid_request
The request is missing a required parameter, includes an
unsupported parameter or parameter value, repeats a
parameter, includes multiple credentials, utilizes more
than one mechanism for authenticating the client, or is
otherwise malformed.
invalid_client
Client authentication failed (e.g. unknown client, no
client credentials included, multiple client credentials
included, or unsupported credentials type). The
authorization server MAY return an HTTP 401
(Unauthorized) status code to indicate which HTTP
authentication schemes are supported. If the client
attempted to authenticate via the "Authorization" request
header field, the authorization server MUST respond with
an HTTP 401 (Unauthorized) status code, and include the
"WWW-Authenticate" response header field matching the
authentication scheme used by the client.
invalid_grant
The provided authorization grant is invalid, expired,
revoked, does not match the redirection URI used in the
authorization request, or was issued to another client.
unauthorized_client
The authenticated client is not authorized to use this
authorization grant type.
unsupported_grant_type
The authorization grant type is not supported by the
authorization server.
invalid_scope
The requested scope is invalid, unknown, malformed, or
exceeds the scope granted by the resource owner.
I'm wondering if others have chosen one of these values to represent the
"invalid_credentials" use case.
Thanks,
George
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth