On Mon, Jan 22, 2018 at 8:40 PM, Nilasini Thirunavukkarasu <[email protected]> wrote:

> Hi,
>
> Client password is just one of the client authentication methods and also client authentication can be extensible according to OAuth2. So why can't we say this as an unsupported authentication method? According to the spec, if it falls under unsupported authentication method then it will be an invalid client.

Sending out a basic authorization header is one of the ways to authenticate. Hence the client would expect to authenticate by sending out basic authentication headers. Since we do support basic authentication it's not correct to say unsupported authentication mechanism in my point of view. Rather this is something wrong with the format.

> Please correct me if I'm wrong.
>
> Thanks,
> Nila.
>
> On Fri, Jan 19, 2018 at 3:43 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
>
>> Hi Hasintha,
>>
>> On Fri, Jan 19, 2018 at 3:32 PM, Hasintha Indrajee <[email protected]> wrote:
>>
>>> WDYT about the $subject? Below quoted the descriptions of two types of error codes from spec [1]. It looks like "invalid_request" is more appropriate here. Any thoughts? An example authorization header is Base64Encoded(randomString which doesn't have the clientid:clientSecret format).
>>>
>>> invalid_request
>>>     The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
>>>
>>> invalid_client
>>>     Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
>>>
>> +1 for using 'invalid request' in this case, where client authentication is happening with the method 'client password'.
>> We will have to consider that other authentication mechanisms can also be available as per [2], which won't adhere to this format of 'Base64Encoded(clientid:clientSecret)'.
>>
>>> [1] https://tools.ietf.org/html/rfc6749
>>
>> [2] https://tools.ietf.org/html/rfc6749#section-2.3
>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile: +94 771892453
>>
>> Thanks,
>> --
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Nilasini Thirunavukkarasu
> Software Engineer - WSO2
>
> Email : [email protected]
> Mobile : +94775241823
> Web : http://wso2.com/

--
Hasintha Indrajee
WSO2, Inc.
Mobile: +94 771892453
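The error-code distinction the thread is debating, written out as a token-endpoint client-authentication routine. This is an added example, not code from the mailing-list discussion or from WSO2's implementation; the client registry `CLIENTS`, the realm string and the function names are constructed for the illustration. It maps the RFC 6749 text quoted above onto outcomes: a Basic credential that is not valid base64 or does not decode to `clientid:clientSecret` (the `Base64Encoded(randomString)` case), or a request that uses two client-authentication mechanisms at once, is `invalid_request` with HTTP 400; no credentials, an unsupported scheme in the `Authorization` header, or an unknown client/wrong secret is `invalid_client` with HTTP 401, carrying `WWW-Authenticate` whenever the client tried the header.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple, Union

# Constructed client registry standing in for the server's client store.
# Real deployments store hashed secrets; plaintext keeps the example short.
CLIENTS = {"client-a": "s3cret"}

# Scheme advertised in WWW-Authenticate when the client tried the Authorization header.
SUPPORTED_SCHEME = 'Basic realm="oauth2-token-endpoint"'


@dataclass
class TokenError:
    """An RFC 6749 section 5.2 error response from the token endpoint."""
    status: int
    error: str
    description: str
    www_authenticate: Optional[str] = None


def basic_header(raw_credential: str) -> str:
    """Build an Authorization header value from an already-joined 'id:secret' string."""
    return "Basic " + base64.b64encode(raw_credential.encode("utf-8")).decode("ascii")


def parse_basic_credential(header_value: str) -> Tuple[str, str]:
    """Decode a Basic credential into (client_id, client_secret).

    Raises ValueError for every way the value can be malformed: missing
    parameter, not base64, not UTF-8, or no 'clientid:clientSecret' colon.
    """
    scheme, _, param = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        raise ValueError("Basic credential parameter is missing")
    try:
        # validate=True rejects characters outside the base64 alphabet instead
        # of silently discarding them; UnicodeDecodeError is also a ValueError.
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except ValueError:
        raise ValueError("credential parameter is not valid base64 text") from None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        raise ValueError("decoded credential does not have the clientid:clientSecret form")
    return client_id, client_secret


def authenticate_client(headers: Mapping[str, str],
                        form: Mapping[str, str]) -> Union[str, TokenError]:
    """Authenticate the token-endpoint caller; return its client_id or a TokenError."""
    auth = headers.get("Authorization")
    header_used = auth is not None
    body_used = "client_secret" in form

    # Spec: "utilizes more than one mechanism for authenticating the client" -> invalid_request
    if header_used and body_used:
        return TokenError(400, "invalid_request",
                          "client used more than one authentication mechanism")

    if header_used:
        scheme = auth.strip().split(" ", 1)[0].lower()
        if scheme != "basic":
            # Unsupported authentication method -> invalid_client, 401 + WWW-Authenticate
            return TokenError(401, "invalid_client", "unsupported authentication method",
                              SUPPORTED_SCHEME)
        try:
            client_id, presented = parse_basic_credential(auth)
        except ValueError as exc:
            # Supported method, but the header itself is malformed -> invalid_request
            return TokenError(400, "invalid_request", f"malformed Authorization header: {exc}")
    elif body_used:
        client_id = form.get("client_id", "")
        presented = form["client_secret"]
        if not client_id:
            return TokenError(400, "invalid_request", "client_id is required with client_secret")
    else:
        # "no client authentication included" -> invalid_client
        return TokenError(401, "invalid_client", "no client authentication included",
                          SUPPORTED_SCHEME)

    # Constant-time comparison; an unknown client compares against an empty secret.
    expected = CLIENTS.get(client_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return TokenError(401, "invalid_client", "unknown client or bad credentials",
                          SUPPORTED_SCHEME if header_used else None)
    return client_id


if __name__ == "__main__":
    for label, hdr in [("well-formed", basic_header("client-a:s3cret")),
                       ("no colon", basic_header("randomString")),
                       ("not base64", "Basic not-base64!!"),
                       ("other scheme", "Bearer abc")]:
        print(label, "->", authenticate_client({"Authorization": hdr}, {}))
```

The two branches worth noting: the scheme check happens before decoding, so a client that tried a method the server does not offer gets the 401 and `WWW-Authenticate` the spec mandates, while a client that chose Basic (which the server supports) but sent a credential in the wrong shape gets 400 `invalid_request`, which is the position Hasintha and Pushpalanka take above. The secret comparison uses `hmac.compare_digest` so that a wrong secret and an unknown client take the same code path.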
