I believe Torsten proposed an "authentication_failed" error response in
a different context. Possibly we could use that?
Alternatively, OpenID Connect defines a 'login_required' error that
could work in this context as well. It doesn't fit the semantic as
defined in the OIDC spec, but as an error would work.
If we need to use an existing OAuth2 error code, then I'd recommend
'invalid_request' in that the request is invalid because there are too
many of them which is indicated by the 429 HTTP error code.
On 2/22/19 9:53 AM, Aaron Parecki wrote:
HTTP 429 sounds fine for the HTTP response code, but what about the
OAuth error code string? "invalid_grant" seems closest but doesn't
sound right because if the app tries the same request again later it
would be valid.
On Fri, Feb 22, 2019 at 6:02 AM George Fletcher <gffle...@aol.com
<mailto:gffle...@aol.com>> wrote:
+1 for using 429
On 2/22/19 2:09 AM, David Waite wrote:
I don’t believe that any of the currently registered error codes
are appropriate for indicating that the password request is
invalid, let alone a more specific behavior like rate limiting.
It is also my opinion that 400 Bad Request shouldn’t be used for
known transient errors, but rather for malformed requests - the
request could very well be correct (and have the correct
password), but it is being rejected due to temporal limits placed
on the client or network address/domain.
So I would propose a different statuses such 401 to indicate the
username/password were invalid, and either 429 (Too many
requests) or 403 (Forbidden) when rate limited or denied due to
too many attempts. Thats not to say that the body of the response
can’t be an OAuth-format JSON error, possibly with a standardized
code - but again I don’t think the currently registered codes
would be appropriate for conveying that.
That said, I don’t know what interest there would be in
standardizing such codes, considering the existing
recommendations against using this grant type.
-DW
On Feb 21, 2019, at 10:57 PM, Aaron Parecki <aa...@parecki.com
<mailto:aa...@parecki.com>> wrote:
The OAuth password grant section mentions taking appropriate
measures to rate limit password requests at the token endpoint.
However the error responses section (
https://tools.ietf.org/html/rfc6749#section-5.2) doesn't mention
an error code to use if the request is being rate limited..
What's the recommended practice here? Thanks!
Aaron
--
----
Aaron Parecki
aaronparecki.com <http://aaronparecki.com/>
@aaronpk <http://twitter.com/aaronpk>
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
--
----
Aaron Parecki
aaronparecki.com <http://aaronparecki.com>
@aaronpk <http://twitter.com/aaronpk>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
