Re: [OAUTH-WG] Section 4.3. Resource Owner Password Credentials: Invalid Credentials Error Handling
'invalid_grant'. Added (e.g.) to the error code to make it more explicit.

EHL

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Colm Divilly
Sent: Tuesday, September 13, 2011 9:08 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Section 4.3. Resource Owner Password Credentials: Invalid Credentials Error Handling

Apologies if this has been covered before; a cursory search of the archives and issue tracker didn't turn up anything.

What is the expected error response when performing a Resource Owner Password Credentials flow, if the resource owner provides incorrect credentials?

From reading the spec it looks like the expectation is that a response like the following should be generated:

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "error": "invalid_request"
}

Which is not terribly helpful for a user-agent trying to determine that it is the user-supplied credentials at fault (and therefore be able to re-prompt the user for credentials). Perhaps something like the following would be more useful:

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "error": "invalid_resource_owner_credentials"
}

A bit verbose perhaps; any alternative suggestions?

Regards,
Colm Divilly

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Re: [OAUTH-WG] Section 4.3. Resource Owner Password Credentials: Invalid Credentials Error Handling
The error should be invalid_grant, as it is the grant (the resource owner's username and password) that is invalid.

On Tue, Sep 13, 2011 at 10:07 AM, Colm Divilly colm.divi...@oracle.com wrote:

> Apologies if this has been covered before; a cursory search of the archives and issue tracker didn't turn up anything.
>
> What is the expected error response when performing a Resource Owner Password Credentials flow, if the resource owner provides incorrect credentials?
>
> From reading the spec it looks like the expectation is that a response like the following should be generated:
>
> HTTP/1.1 400 Bad Request
> Content-Type: application/json;charset=UTF-8
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "error": "invalid_request"
> }
>
> Which is not terribly helpful for a user-agent trying to determine that it is the user-supplied credentials at fault (and therefore be able to re-prompt the user for credentials). Perhaps something like the following would be more useful:
>
> HTTP/1.1 400 Bad Request
> Content-Type: application/json;charset=UTF-8
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "error": "invalid_resource_owner_credentials"
> }
>
> A bit verbose perhaps; any alternative suggestions?
>
> Regards,
> Colm Divilly
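As an added illustration (not code from this thread or from any IETF document), a minimal token endpoint handler that returns the error the replies settle on: a malformed request gets invalid_request, wrong resource owner credentials get invalid_grant, with the headers shown in the quoted responses. The user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo user store (not a real deployment): username -> PBKDF2 hash.
def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)

USERS = {"alice": _hash("correct horse battery")}
# Hash compared when the username is unknown, so that path costs the same time.
_DUMMY_HASH = _hash("")

# Headers RFC 6749 section 5.2 puts on token responses (as in the quoted mail).
TOKEN_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}

def _error(code: str, description: str):
    return 400, TOKEN_HEADERS, json.dumps({"error": code, "error_description": description})

def password_grant(form: dict):
    """Handle one Resource Owner Password Credentials request (RFC 6749 section 4.3).

    `form` is the parsed application/x-www-form-urlencoded POST body.
    Returns (status, headers, body) for the token endpoint response.
    """
    if form.get("grant_type") != "password":
        return _error("unsupported_grant_type", "grant_type must be 'password'")
    # A malformed request (required parameter missing) is invalid_request ...
    if "username" not in form or "password" not in form:
        return _error("invalid_request", "username and password are required")
    # ... whereas a well-formed request carrying wrong credentials is invalid_grant:
    # the grant (the resource owner's username and password) is what is invalid.
    stored = USERS.get(form["username"], _DUMMY_HASH)
    # Constant-time compare; unknown user and wrong password yield the identical
    # response, so the endpoint does not reveal which usernames exist.
    if not hmac.compare_digest(_hash(form["password"]), stored):
        return _error("invalid_grant", "invalid resource owner credentials")
    token = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    return 200, TOKEN_HEADERS, json.dumps(token)

def error_code(response):
    """Return the `error` field of a token endpoint response, or None on success."""
    return json.loads(response[2]).get("error")
```

A client can therefore branch on `error == "invalid_grant"` to re-prompt for credentials, which is the distinction the original question asked for.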