I agree with Peter. I'd probably return:

401 Invalid verifier

Leah

On Thu, Aug 27, 2009 at 12:24 PM, Peter Saint-Andre <[email protected]> wrote:

> On 8/22/09 8:59 PM, Doug Kaye wrote:
> > Spec 6.3.2 (service provider processing of access token request) says
> > to return an HTTP error if the oauth_verifier is bad. But Spec
> > paragraph 10 indicates neither whether a 400 or 401 should be returned
> > nor an appropriate text string. What is expected?
>
> I can't speak to what was intended and I think it depends a bit on
> what you mean by the oauth_verifier being "bad" (incorrectly formatted
> or invalid?), but I think that 401 (Unauthorized) is more appropriate
> than 400 (Bad Request). See also Section 10 of the spec:
>
> 10. HTTP Response Codes
>
> This section applies only to the Request Token and Access Token
> requests. In general, the Service Provider SHOULD use the response codes
> defined in [RFC2616] Section 10. When the Service Provider rejects a
> Consumer request, it SHOULD respond with HTTP 400 Bad Request or HTTP
> 401 Unauthorized.
>
> * HTTP 400 Bad Request
>   o Unsupported parameter
>   o Unsupported signature method
>   o Missing required parameter
>   o Duplicated OAuth Protocol Parameter
> * HTTP 401 Unauthorized
>   o Invalid Consumer Key
>   o Invalid / expired Token
>   o Invalid signature
>   o Invalid / used nonce
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
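
The 400/401 split discussed in this thread, as an added example that is not part of the original messages or of any OAuth library: a Service Provider check for the Access Token request that returns 400 for malformed requests and 401 for a bad oauth_verifier. The function name, the `REQUEST_TOKENS` store and its values are constructed for illustration; signature, nonce and consumer-key checks are left out to keep the focus on the verifier.

```python
import hmac
from urllib.parse import parse_qsl

# OAuth 1.0a protocol parameters an Access Token request must carry.
REQUIRED = ("oauth_consumer_key", "oauth_token", "oauth_signature_method",
            "oauth_signature", "oauth_timestamp", "oauth_nonce",
            "oauth_verifier")
SUPPORTED_METHODS = {"HMAC-SHA1", "RSA-SHA1", "PLAINTEXT"}

# Constructed sample store: request token -> verifier issued at authorization.
REQUEST_TOKENS = {"rt_constructed": {"verifier": "v3rif13r"}}


def check_access_token_request(body, store=REQUEST_TOKENS):
    """Return (status, reason) for a form-encoded Access Token request."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names = [k for k, _ in pairs if k.startswith("oauth_")]

    # 400: the request itself is malformed (Section 10, first list).
    dups = sorted({n for n in names if names.count(n) > 1})
    if dups:
        return 400, "Duplicated OAuth Protocol Parameter: " + dups[0]
    params = dict(pairs)
    for name in REQUIRED:
        if name not in params:
            return 400, "Missing required parameter: " + name
    if params["oauth_signature_method"] not in SUPPORTED_METHODS:
        return 400, "Unsupported signature method"

    # 401: well-formed request, but the credentials do not check out.
    token = store.get(params["oauth_token"])
    if token is None:
        return 401, "Invalid / expired Token"
    # Constant-time comparison so response timing does not leak how much
    # of a guessed verifier matched.
    if not hmac.compare_digest(params["oauth_verifier"].encode(),
                               token["verifier"].encode()):
        return 401, "Invalid verifier"
    return 200, "OK"
```

An absent oauth_verifier falls under "Missing required parameter" (400), while a present but wrong one gets the 401 suggested above.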
