
On 8/22/09 8:59 PM, Doug Kaye wrote:
> Spec 6.3.2 (service provider processing of access token request) says
> to return an HTTP error if the oauth_verifier is bad. But Spec
> paragraph 10 indicates neither whether a 400 or 401 should be returned
> nor an appropriate text string. What is expected?

I can't speak to what was intended and I think it depends a bit on
what you mean by the oauth_verifier being "bad" (incorrectly formatted
or invalid?), but I think that 401 (Unauthorized) is more appropriate
than 400 (Bad Request). See also Section 10 of the spec:

10.  HTTP Response Codes

This section applies only to the Request Token and Access Token
requests. In general, the Service Provider SHOULD use the response codes
defined in [RFC2616] Section 10. When the Service Provider rejects a
Consumer request, it SHOULD respond with HTTP 400 Bad Request or HTTP
401 Unauthorized.

    * HTTP 400 Bad Request
          o Unsupported parameter
          o Unsupported signature method
          o Missing required parameter
          o Duplicated OAuth Protocol Parameter
    * HTTP 401 Unauthorized
          o Invalid Consumer Key
          o Invalid / expired Token
          o Invalid signature
          o Invalid / used nonce

Peter

--
Peter Saint-Andre
https://stpeter.im/
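
The 400/401 split from Section 10 quoted above, applied to an Access Token request, as an added Python example that is not part of the original message or of the OAuth specification. The function name, the STATE contents and the sample values are constructed; returning 401 for a wrong oauth_verifier follows the reply's suggestion and is an assumption, and signature verification is left out.

```python
import hmac
from urllib.parse import parse_qsl

# Parameters OAuth Core 1.0a Section 6.3.1 requires on an Access Token request.
REQUIRED = ("oauth_consumer_key", "oauth_token", "oauth_signature_method",
            "oauth_signature", "oauth_timestamp", "oauth_nonce", "oauth_verifier")
SIGNATURE_METHODS = {"HMAC-SHA1", "RSA-SHA1", "PLAINTEXT"}

# Constructed server-side state (hypothetical names and values).
STATE = {
    "consumers": {"ck-demo"},
    "request_tokens": {"rt-demo": "verifier-123"},  # token -> issued verifier
    "used_nonces": {("ck-demo", "1251400000", "n-old")},
}

def classify(body, state=STATE):
    """Return (http_status, reason) for a form-encoded Access Token request."""
    pairs = [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
             if k.startswith("oauth_")]
    names = [k for k, _ in pairs]
    # Structural problems: the request itself is malformed -> 400.
    for name in names:
        if names.count(name) > 1:
            return 400, "Duplicated OAuth Protocol Parameter: " + name
    params = dict(pairs)
    for name in REQUIRED:
        if name not in params:
            return 400, "Missing required parameter: " + name
    if params["oauth_signature_method"] not in SIGNATURE_METHODS:
        return 400, "Unsupported signature method"
    # Credential problems: well-formed but not acceptable -> 401.
    if params["oauth_consumer_key"] not in state["consumers"]:
        return 401, "Invalid Consumer Key"
    issued = state["request_tokens"].get(params["oauth_token"])
    if issued is None:
        return 401, "Invalid / expired Token"
    nonce = (params["oauth_consumer_key"], params["oauth_timestamp"],
             params["oauth_nonce"])
    if nonce in state["used_nonces"]:
        return 401, "Invalid / used nonce"
    # Signature verification belongs here; a failure is 401 "Invalid signature".
    # Assumption taken from the reply, not from Section 10: wrong verifier -> 401.
    # compare_digest avoids leaking the verifier through comparison timing.
    if not hmac.compare_digest(issued.encode(), params["oauth_verifier"].encode()):
        return 401, "Invalid oauth_verifier"
    state["used_nonces"].add(nonce)  # record only after the request is accepted
    return 200, "OK"
```

A request that omits oauth_verifier is rejected as 400 (missing required parameter), while one that carries the wrong value is rejected as 401.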


