On Fri, Jan 19, 2018 at 4:02 AM, Hasintha Indrajee <hasin...@wso2.com> wrote:
> WDYT about the $subject? Quoted below are the descriptions of two types of
> error codes from the spec [1]. It looks like "invalid_request" is more
> appropriate here. Any thoughts? An example authorization header is
> Base64Encoded (randomString which doesn't have the
> clientid:clientSecret format)

In the HTTP world this is a bad request with status code 400 [1]. Definitely it should be an invalid request.

[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

> invalid_request
>       The request is missing a required parameter, includes an
>       unsupported parameter value (other than grant type),
>       repeats a parameter, includes multiple credentials,
>       utilizes more than one mechanism for authenticating the
>       client, or is otherwise malformed.
>
> invalid_client
>       Client authentication failed (e.g., unknown client, no
>       client authentication included, or unsupported
>       authentication method). The authorization server MAY
>       return an HTTP 401 (Unauthorized) status code to indicate
>       which HTTP authentication schemes are supported. If the
>       client attempted to authenticate via the "Authorization"
>       request header field, the authorization server MUST
>       respond with an HTTP 401 (Unauthorized) status code and
>       include the "WWW-Authenticate" response header field
>       matching the authentication scheme used by the client.
>
> [1] https://tools.ietf.org/html/rfc6749
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
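The mapping proposed in this thread, as an added example that is not part of either message and is not WSO2 code: a header that cannot be parsed as `clientid:clientSecret` gets 400 `invalid_request`, while a well-formed header that fails authentication gets 401 `invalid_client` with `WWW-Authenticate`, as in the quoted RFC 6749 text. The names `authenticate_client`, `basic` and `CLIENTS`, the realm value and the sample credentials are assumptions made for the example.

```python
import base64
import hmac

# Constructed client registry for the example (hypothetical values).
CLIENTS = {"demo-client": "demo-secret"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="token"'}  # realm is an assumption


def basic(value):
    """Build a Basic Authorization header value from an arbitrary string."""
    return "Basic " + base64.b64encode(value.encode()).decode()


def authenticate_client(authorization):
    """Return (http_status, headers, oauth_error); oauth_error is None on success."""
    if authorization is None:
        # "no client authentication included" is listed under invalid_client.
        return 401, dict(CHALLENGE), "invalid_client"
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        # "unsupported authentication method" is also listed under invalid_client.
        return 401, dict(CHALLENGE), "invalid_client"
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:
        # Not Base64, or not UTF-8 text: the header itself is malformed.
        return 400, {}, "invalid_request"
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        # The case from the thread: Base64(randomString) with no
        # clientid:clientSecret structure, treated as a malformed request.
        return 400, {}, "invalid_request"
    expected = CLIENTS.get(client_id)
    # Constant-time comparison; a dummy value is compared for unknown clients.
    matches = hmac.compare_digest(secret.encode(), (expected or "\0").encode())
    if expected is None or not matches:
        # Well-formed credentials that fail authentication: 401 plus challenge.
        return 401, dict(CHALLENGE), "invalid_client"
    return 200, {}, None
```
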