Re: [OAUTH-WG] Section 4.3. Resource Owner Password Credentials: Invalid Credentials Error Handling

2011-09-20 Thread Eran Hammer-Lahav
'invalid_grant'. Added (e.g.) to the error code to make it more explicit.

EHL

 -Original Message-
 From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
 Of Colm Divilly
 Sent: Tuesday, September 13, 2011 9:08 AM
 To: oauth@ietf.org
 Subject: [OAUTH-WG] Section 4.3. Resource Owner Password Credentials:
 Invalid Credentials Error Handling
 
 Apologies if this has been covered before, a cursory search of the archives
 and issue tracker didn't turn up anything.
 
 What is the expected error response when performing a Resource Owner
 Password Credentials flow, if the resource owner provides incorrect
 credentials?
 
 From reading the spec it looks like the expectation is that a response like the
 following should be generated:
 
   HTTP/1.1 400 Bad Request
   Content-Type: application/json;charset=UTF-8
   Cache-Control: no-store
   Pragma: no-cache
 
   {
     "error":"invalid_request"
   }
 
 Which is not terribly helpful for a user-agent trying to determine that it is the
 user supplied credentials at fault (and therefore be able to re-prompt the
 user for credentials). Perhaps something like the following would be more
 useful:
 
   HTTP/1.1 400 Bad Request
   Content-Type: application/json;charset=UTF-8
   Cache-Control: no-store
   Pragma: no-cache
 
   {
     "error":"invalid_resource_owner_credentials"
   }
 
 A bit verbose perhaps, any alternative suggestions?
 
 Regards,
 Colm Divilly
 ___
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Section 4.3. Resource Owner Password Credentials: Invalid Credentials Error Handling

2011-09-19 Thread Brian Campbell
The error should be invalid_grant as it is the grant (the resource
owner's username and password) that is invalid.


On Tue, Sep 13, 2011 at 10:07 AM, Colm Divilly colm.divi...@oracle.com wrote:
 Apologies if this has been covered before, a cursory search of the archives
 and issue tracker didn't turn up anything.

 What is the expected error response when performing a Resource Owner
 Password Credentials flow, if the resource owner provides incorrect
 credentials?

 From reading the spec it looks like the expectation is that a response like
 the following should be generated:

     HTTP/1.1 400 Bad Request
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "error":"invalid_request"
     }

 Which is not terribly helpful for a user-agent trying to determine that it
 is the user supplied credentials at fault (and therefore be able to
 re-prompt the user for credentials). Perhaps something like the following
 would be more useful:

     HTTP/1.1 400 Bad Request
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "error":"invalid_resource_owner_credentials"
     }

 A bit verbose perhaps, any alternative suggestions?

 Regards,
 Colm Divilly

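
Added example, not part of the original thread or of any OAuth implementation: a sketch of the outcome discussed above, where a token endpoint answers a password grant with 'invalid_grant' for rejected credentials and 'invalid_request' for a malformed request, and a client uses that distinction to decide whether to re-prompt. The function names, the USERS table and the placeholder token are assumptions made for illustration.

```python
import hmac
import json

# Headers shown in the thread's sample responses.
TOKEN_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}

# Constructed sample account; a real server compares salted password hashes.
USERS = {"alice": "correct horse"}


def token_error(code):
    """Build the 400 error response returned by the token endpoint."""
    return 400, dict(TOKEN_HEADERS), json.dumps({"error": code})


def check_credentials(username, password):
    # Unknown users are compared against an empty value so that both
    # failure cases take the same path and produce the same error.
    expected = USERS.get(username, "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return ok and username in USERS


def password_grant(form):
    """Handle grant_type=password; the issued token is a labelled placeholder."""
    if form.get("grant_type") != "password":
        return token_error("unsupported_grant_type")
    if not form.get("username") or not form.get("password"):
        return token_error("invalid_request")  # the request itself is malformed
    if not check_credentials(form["username"], form["password"]):
        return token_error("invalid_grant")    # the grant (credentials) is invalid
    body = {"access_token": "PLACEHOLDER", "token_type": "bearer"}
    return 200, dict(TOKEN_HEADERS), json.dumps(body)


def client_action(status, body):
    """Decide what the client does with a token endpoint response."""
    if status == 200:
        return "use_token"
    error = json.loads(body).get("error")
    if error == "invalid_grant":
        return "reprompt_user"      # credentials were rejected
    return "report_client_bug"      # re-prompting the user would not help
```

Returning the same 'invalid_grant' body for an unknown user and for a wrong password keeps the response from revealing which usernames exist.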