The example at the end of section 5.2.2 suggests no error_code and just a 
401/WWW-Authenticate header in this case:

    For example, in response to a protected resource request without
    authentication:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Bearer realm="example"


And the paragraph in section 5.2.3 immediately following the section you quote 
is even more explicit:

   If the request lacks any authentication information (e.g., the client
   was unaware that authentication is necessary or attempted using an
   unsupported authentication method), the resource server SHOULD NOT
   include an error code or other error information.

So, no error_code at all if no access token supplied.

Kind regards,

Neil

> On 4 Feb 2022, at 09:15, Johannes Koch 
> <johannes.koch=40avenga....@dmarc.ietf.org> wrote:
> 
> Hi there,
> 
> a question about 
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04 
> 5.2.3.  Error Codes
> 
>    "invalid_request":  The request is missing a required parameter,
>       includes an unsupported parameter or parameter value, repeats the
>       same parameter, uses more than one method for including an access
>       token, or is otherwise malformed.  The resource server SHOULD
>       respond with the HTTP 400 (Bad Request) status code.
> 
>    "invalid_token":  The access token provided is expired, revoked,
>       malformed, or invalid for other reasons.  The resource SHOULD
>       respond with the HTTP 401 (Unauthorized) status code.  The client
>       MAY request a new access token and retry the protected resource
>       request.
> 
> Now, what is the intended error code for the situation where no access token 
> is provided? The description for invalid_token seems to imply that one token 
> was provided.
> As the token may be seen as a required parameter, invalid_request may be 
> appropriate. However, a missing token smells more like HTTP 401 
> (Unauthorized).
> 
> Should this be an additional error code (missing_token)? Or should this case 
> be added to invalid_token?
> 
> -- 
> Johannes Koch
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
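The three outcomes discussed in this exchange (no authentication at all, a request that is malformed, and a token that is present but not accepted) map onto three different resource-server responses. The following is an added example, written for this thread and not taken from the draft or from any IETF code; it assumes an already-parsed header map, a form field named `access_token` as the alternative token transport, and a constructed in-memory token set in place of real token validation.

```python
"""Bearer-token check for a resource server, following the section 5.2 rules
quoted in this thread. Added example; the token store and the `check_bearer`
function name are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional

REALM = "example"  # same realm as the draft's 401 example

# Constructed stand-in for real validation (introspection, JWT checks, ...).
VALID_TOKENS = {"constructed-valid-token"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _challenge(error: Optional[str] = None,
               description: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value.

    With no error the challenge is the bare realm, exactly as in the draft's
    example for a request without authentication (5.2.2 / 5.2.3).
    """
    params = [f'realm="{REALM}"']
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(params)


def check_bearer(headers: Mapping[str, str],
                 form: Optional[Mapping[str, str]] = None) -> Response:
    """Return the response a resource server should send for this request.

    `headers` is assumed to use canonical header names; `form` is the parsed
    form body, if any (the second token transport allowed for bearer tokens).
    """
    auth = headers.get("Authorization")
    form_token = (form or {}).get("access_token")
    scheme, _, credentials = (auth or "").partition(" ")
    header_is_bearer = auth is not None and scheme.lower() == "bearer"

    # Unsupported scheme (e.g. Basic): 5.2.3 says the server SHOULD NOT
    # include an error code, so answer with the bare challenge only.
    if auth is not None and not header_is_bearer:
        return Response(401, {"WWW-Authenticate": _challenge()})

    # No authentication information at all: same bare 401 challenge,
    # no error code, which is the case Neil's reply settles.
    if not header_is_bearer and form_token is None:
        return Response(401, {"WWW-Authenticate": _challenge()})

    # Token sent by more than one method: the request itself is malformed,
    # so invalid_request with HTTP 400.
    if header_is_bearer and form_token is not None:
        return Response(400, {"WWW-Authenticate": _challenge(
            "invalid_request",
            "more than one method used to include an access token")})

    token = credentials.strip() if header_is_bearer else form_token
    # "Authorization: Bearer" with nothing after the scheme is malformed too.
    if not token:
        return Response(400, {"WWW-Authenticate": _challenge(
            "invalid_request", "Bearer scheme without credentials")})

    # A token was supplied but is not accepted: invalid_token with HTTP 401,
    # which tells the client it may obtain a new token and retry.
    if token not in VALID_TOKENS:
        return Response(401, {"WWW-Authenticate": _challenge(
            "invalid_token", "the access token is expired, revoked or unknown")})

    return Response(200, {}, "protected resource")


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Basic dXNlcjpwdw=="},
                 {"Authorization": "Bearer wrong"},
                 {"Authorization": "Bearer constructed-valid-token"}):
        r = check_bearer(hdrs)
        print(hdrs, "->", r.status, r.headers.get("WWW-Authenticate", ""))
```

The distinction the code enforces is the one the thread arrives at: absence of a token (or an unsupported scheme) is not an `invalid_token` condition and gets no `error` parameter, whereas a token that is present but rejected does carry `error="invalid_token"` so a well-behaved client knows a fresh token is worth trying.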
