+1 for using 429
On 2/22/19 2:09 AM, David Waite wrote:
I don’t believe that any of the currently registered error codes are
appropriate for indicating that the password request is invalid, let
alone a more specific behavior like rate limiting.
It is also my opinion that 400 Bad Request shouldn’t be used for known
transient errors, but rather for malformed requests - the request
could very well be correct (and have the correct password), but it is
being rejected due to temporal limits placed on the client or network
address/domain.
So I would propose different statuses, such as 401 to indicate the
username/password were invalid, and either 429 (Too Many Requests) or
403 (Forbidden) when rate limited or denied due to too many attempts.
That's not to say that the body of the response can't be an
OAuth-format JSON error, possibly with a standardized code - but again
I don’t think the currently registered codes would be appropriate for
conveying that.
That said, I don’t know what interest there would be in standardizing
such codes, considering the existing recommendations against using
this grant type.
-DW
On Feb 21, 2019, at 10:57 PM, Aaron Parecki <aa...@parecki.com> wrote:
The OAuth password grant section mentions taking appropriate measures
to rate limit password requests at the token endpoint. However the
error responses section (
https://tools.ietf.org/html/rfc6749#section-5.2) doesn't mention an
error code to use if the request is being rate limited. What's the
recommended practice here? Thanks!
Aaron
--
Aaron Parecki
aaronparecki.com
@aaronpk
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
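The status-code scheme proposed in the thread, as an added worked example of a password-grant token endpoint (this is not code from any participant, from any OAuth library, or from an IETF document): 400 only for a malformed request, a 429 with Retry-After when the per-(username, client address) limit is hit, and a 401 for bad credentials, with an OAuth-style JSON body in every error case. The rate limit is checked before the password is looked at, so a correct password inside the limited window gets the same 429 as a wrong one. Assumptions: the user store, the client addresses, the SHA-256 password hashing (a stand-in for a real slow KDF), the `rate_limited` error code (not a registered OAuth error code, exactly as the thread notes) and the `realm` value are all invented for the example.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque
from hashlib import sha256

# Constructed user store for the example: username -> hex SHA-256 of password.
# SHA-256 is used only to keep the example dependency-free; a real deployment
# would use a salted, slow KDF (argon2id, scrypt, bcrypt).
USERS = {"alice": sha256(b"correct horse battery staple").hexdigest()}
# Digest compared against when the username is unknown, so that unknown and
# known usernames take the same code path and the same time.
DUMMY_DIGEST = sha256(b"").hexdigest()


class PasswordGrantEndpoint:
    """Token endpoint that only implements grant_type=password and applies a
    sliding-window rate limit per (username, client address) before the
    resource-owner credentials are verified."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit            # attempts allowed per key per window
        self.window = window          # window length in seconds
        self._attempts = defaultdict(deque)   # key -> timestamps of attempts

    @staticmethod
    def _error(status, code, description, extra_headers=None):
        # OAuth-format JSON error body (RFC 6749 section 5.2 shape), carried
        # on whatever HTTP status the situation calls for.
        headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
        headers.update(extra_headers or {})
        return status, headers, {"error": code, "error_description": description}

    def _recent(self, key, now):
        q = self._attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def handle(self, form, client_addr, now=None):
        """Return (status, headers, json_body) for one token request.
        `form` is the parsed application/x-www-form-urlencoded body."""
        now = time.monotonic() if now is None else now

        # 400 is reserved for requests that are actually malformed.
        if form.get("grant_type") != "password":
            return self._error(400, "unsupported_grant_type",
                               "only grant_type=password is handled here")
        username, password = form.get("username"), form.get("password")
        if not username or password is None:
            return self._error(400, "invalid_request",
                               "username and password are required")

        # Temporal limit, keyed on the attempted username and the client
        # address, evaluated before the password is examined.
        key = (username, client_addr)
        q = self._recent(key, now)
        if len(q) >= self.limit:
            retry_after = int(self.window - (now - q[0])) + 1
            # "rate_limited" is an assumed code: no registered OAuth error
            # code describes this condition.
            return self._error(429, "rate_limited",
                               "too many attempts for this user from this address",
                               {"Retry-After": str(retry_after)})
        q.append(now)

        # Constant-time comparison; unknown users are compared against a
        # dummy digest so the 401 is produced by the same path either way.
        supplied = sha256(password.encode("utf-8")).hexdigest()
        stored = USERS.get(username, DUMMY_DIGEST)
        if not (hmac.compare_digest(stored, supplied) and username in USERS):
            # 401 as proposed in the thread. RFC 7235 requires a
            # WWW-Authenticate header on every 401; the realm is assumed.
            return self._error(401, "invalid_grant",
                               "invalid username or password",
                               {"WWW-Authenticate": 'Basic realm="token"'})

        token = secrets.token_urlsafe(32)
        headers = {"Content-Type": "application/json", "Cache-Control": "no-store",
                   "Pragma": "no-cache"}
        return 200, headers, {"access_token": token, "token_type": "Bearer",
                              "expires_in": 3600}
```

Two design points worth noting. Malformed requests (the 400 path) are not counted against the limit, so an attacker cannot burn a legitimate user's budget with junk; and the limit is consumed by every password attempt, successful or not, because the thread's point is that the limit is a temporal constraint on the client, not a verdict on the password. RFC 6749 section 5.2 itself responds to bad resource-owner credentials with 400 and `invalid_grant`; the 401 above reflects the proposal in the thread, and a deployment that follows the RFC strictly would change only that status code.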