Hi,

Client password is just one of the client authentication methods, and client
authentication is also extensible according to OAuth2. So why can't we say
this is an unsupported authentication method? According to the spec, if it
falls under unsupported authentication method then it will be an invalid
client.

Please correct me if I'm wrong.

Thanks,
Nila.

On Fri, Jan 19, 2018 at 3:43 PM, Pushpalanka Jayawardhana <[email protected]>
wrote:

> Hi Hasintha,
>
> On Fri, Jan 19, 2018 at 3:32 PM, Hasintha Indrajee <[email protected]>
> wrote:
>
>> WDYT about the $subject? Below are quoted the descriptions of two types of
>> error codes from the spec [1]. It looks like "invalid_request" is more
>> appropriate here. Any thoughts? An example authorization header is
>> Base64Encoded(randomString), which doesn't have the clientid:clientSecret
>> format.
>>
>>
>>  invalid_request
>>                The request is missing a required parameter, includes an
>>                unsupported parameter value (other than grant type),
>>                repeats a parameter, includes multiple credentials,
>>                utilizes more than one mechanism for authenticating the
>>                client, or is otherwise malformed.
>>
>>  invalid_client
>>                Client authentication failed (e.g., unknown client, no
>>                client authentication included, or unsupported
>>                authentication method).  The authorization server MAY
>>                return an HTTP 401 (Unauthorized) status code to indicate
>>                which HTTP authentication schemes are supported.  If the
>>                client attempted to authenticate via the "Authorization"
>>                request header field, the authorization server MUST
>>                respond with an HTTP 401 (Unauthorized) status code and
>>                include the "WWW-Authenticate" response header field
>>                matching the authentication scheme used by the client.
>>
>>
> +1 for using 'invalid request' in this case, where client authentication
> is happening with the method 'client password'.
> We will have to consider that other authentication mechanisms can also be
> available as per [2], which won't adhere to this format of
> 'Base64Encoded(clientid:clientSecret)'.
>
>
>>
>> [1] https://tools.ietf.org/html/rfc6749
>>
> [2] - https://tools.ietf.org/html/rfc6749#section-2.3
>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile: +94 771892453
>>
>>
>
> Thanks,
> --
> Pushpalanka.
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
> Mobile: +94779716248
> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Nilasini Thirunavukkarasu
Software Engineer - WSO2

Email : [email protected]
Mobile : +94775241823
Web : http://wso2.com/


_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
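The error-code mapping discussed in this thread, as an added Python example (not WSO2 code): it classifies client authentication at the token endpoint using the RFC 6749 error definitions quoted above, treating a Basic header whose decoded value is not clientid:clientSecret as invalid_request (the reading Hasintha and Pushpalanka propose) and a missing or unsupported scheme or an unknown client as invalid_client with the mandatory 401 and WWW-Authenticate. The client registry, realm and helper names are assumptions made for the example.

```python
import base64
import hmac
from urllib.parse import unquote

# Constructed client registry; the values are placeholders, not from the thread.
CLIENTS = {"client1": "s3cret"}
WWW_AUTH = {"WWW-Authenticate": 'Basic realm="oauth2-token"'}

def basic_header(raw: bytes) -> str:
    """Build an 'Authorization: Basic ...' value from raw bytes (helper)."""
    return "Basic " + base64.b64encode(raw).decode("ascii")

def check_secret(client_id, secret, via_header):
    """The credential check itself: unknown client or wrong secret -> invalid_client.
    401 + WWW-Authenticate is mandatory only when the Authorization header was used."""
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, "invalid_client", (WWW_AUTH if via_header else {})
    return 200, None, {}

def classify_client_auth(headers, form):
    """Return (http_status, error_code, extra_headers) for token-endpoint client
    authentication, mapping each failure to the RFC 6749 error quoted in the thread."""
    auth = headers.get("Authorization")
    has_post_secret = "client_id" in form and "client_secret" in form
    if auth is None:
        if has_post_secret:                       # client_secret_post
            return check_secret(form["client_id"], form["client_secret"], False)
        return 401, "invalid_client", WWW_AUTH    # no client authentication included
    if has_post_secret:
        return 400, "invalid_request", {}         # more than one mechanism used
    scheme, _, token = auth.partition(" ")
    if scheme != "Basic":
        return 401, "invalid_client", WWW_AUTH    # unsupported authentication method
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                            # not Base64 / not UTF-8: malformed
        return 400, "invalid_request", {}
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:                  # not clientid:clientSecret: malformed
        return 400, "invalid_request", {}
    # RFC 6749 section 2.3.1: id and secret are form-urlencoded before Base64
    return check_secret(unquote(client_id), unquote(secret), True)

if __name__ == "__main__":
    # Hasintha's example: a random string that is not clientid:clientSecret
    print(classify_client_auth({"Authorization": basic_header(b"randomString")}, {}))
```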
