WDYT about the $subject ? Below quoted the descriptions of two types of
error codes from spec [1]. It looks like "invalid_request" is more
appropriate here. Any thoughts ? . An example authorization header is
Base64Encoded (randomString which doesn't have the format
clientid:clientSecret format)
invalid_request
The request is missing a required parameter, includes an
unsupported parameter value (other than grant type),
repeats a parameter, includes multiple credentials,
utilizes more than one mechanism for authenticating the
client, or is otherwise malformed.
invalid_client
Client authentication failed (e.g., unknown client, no
client authentication included, or unsupported
authentication method). The authorization server MAY
return an HTTP 401 (Unauthorized) status code to indicate
which HTTP authentication schemes are supported. If the
client attempted to authenticate via the "Authorization"
request header field, the authorization server MUST
respond with an HTTP 401 (Unauthorized) status code and
include the "WWW-Authenticate" response header field
matching the authentication scheme used by the client.
[1] https://tools.ietf.org/html/rfc6749
--
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
