Hi Fletcher,

Actually we are not in the same case. The /token endpoint is a protected resource in regard to the client application. The credentials are the client id and, in the case of confidential clients, the client secret. The OAuth 2.0 resource is protected in regard to the user. The credential is the AT.

If your client id and your client secret are right, you are allowed to call the /token endpoint. The content of the request is a different matter.

Regards,

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of George Fletcher
Sent: Monday, 17 September 2018 15:46
To: oauth@ietf.org
Subject: [OAUTH-WG] Inconsistent error responses between 6749 and 6750

Hi,

It appears that RFC 6749 and RFC 6750 are inconsistent in regards to the HTTP status code that should be returned when a requested scope is "invalid". For example, if a call is made to the /token endpoint to obtain a new access_token and the scopes requested are outside those issued to the refresh_token, RFC 6749 says the HTTP status code returned should be 400 (Bad Request). However, if an access token is presented to an OAuth2 protected resource and the access token does not contain the necessary scope, RFC 6750 says the HTTP status code returned should be 403 (Forbidden).

Does anyone remember if this is intentional? The two cases here are pretty equivalent semantic-wise.

Thanks,
George

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
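The two error paths the thread compares, written out as an added example (not code from either poster or from the RFCs): a token endpoint that authenticates the client first and only then judges the request body, and a resource server that authenticates the bearer token first and only then checks scope. The client, refresh-token and access-token records are constructed in-memory sample data, and the function names are this example's own.

```python
"""Token endpoint errors (RFC 6749 section 5.2) next to protected-resource errors
(RFC 6750 section 3.1), each modelled as a pure function returning
(status, headers, body) so the status codes can be compared directly."""

# Constructed sample data: one confidential client, one refresh token it owns,
# and one access token that carries only the "read" scope.
CLIENTS = {"app-1": "s3cret"}
REFRESH_TOKENS = {"rt-abc": {"client_id": "app-1", "scope": {"read", "profile"}}}
ACCESS_TOKENS = {"at-xyz": {"scope": {"read"}}}


def token_endpoint(form):
    """Handle a refresh_token grant posted as form parameters.

    Client authentication is the /token endpoint's own credential check, so a
    bad client_id/client_secret is answered before the body is looked at
    (RFC 6749 permits 401 for invalid_client). Once the client is accepted,
    every defect in the request itself, including a scope that the refresh
    token does not cover, is a 400 with an error code in the JSON body.
    """
    client_id = form.get("client_id")
    if CLIENTS.get(client_id) != form.get("client_secret"):
        return 401, {"WWW-Authenticate": 'Basic realm="token"'}, {"error": "invalid_client"}
    if form.get("grant_type") != "refresh_token":
        return 400, {}, {"error": "unsupported_grant_type"}
    rt = REFRESH_TOKENS.get(form.get("refresh_token"))
    if rt is None or rt["client_id"] != client_id:
        return 400, {}, {"error": "invalid_grant"}
    # An absent scope parameter means "same scope as originally granted" (RFC 6749 section 6).
    requested = set(form.get("scope", "").split()) or set(rt["scope"])
    if not requested <= rt["scope"]:
        return 400, {}, {"error": "invalid_scope"}
    return 200, {"Cache-Control": "no-store"}, {
        "access_token": "at-new",  # constructed value; a real server mints a fresh token
        "token_type": "Bearer",
        "scope": " ".join(sorted(requested)),
    }


def protected_resource(headers, required_scope):
    """Gate a resource request on a bearer token.

    RFC 6750 distinguishes "we do not know who you are" (401, optionally with
    error="invalid_token") from "we know the token, but it was not issued with
    this scope" (403 insufficient_scope). The WWW-Authenticate challenge names
    the scope the request needed, which is what a client uses to re-authorize.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
    rec = ACCESS_TOKENS.get(token)
    if rec is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, None
    if required_scope not in rec["scope"]:
        challenge = f'Bearer realm="api", error="insufficient_scope", scope="{required_scope}"'
        return 403, {"WWW-Authenticate": challenge}, None
    return 200, {}, {"data": "ok"}


if __name__ == "__main__":
    base = {"client_id": "app-1", "client_secret": "s3cret",
            "grant_type": "refresh_token", "refresh_token": "rt-abc"}
    print("token, scope outside refresh token:", token_endpoint({**base, "scope": "read admin"})[:1])
    print("resource, token lacks scope:", protected_resource({"Authorization": "Bearer at-xyz"}, "profile")[:1])
```

Run side by side, the same logical condition (asking for a scope the token was never granted) surfaces as 400 invalid_scope from the token endpoint and 403 insufficient_scope from the resource server, while a credential failure is 401 at both: the status code tracks which principal's credential failed, not the kind of mistake.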