Suppose server A documents that their endpoint X is at https://server.example.com/x; there's no service at the corresponding http location for security reasons.
Client developer fatfingers the URL as http://server.example.com/x. What is the correct response?

I understand that this is out of scope for the spec, but maybe there's agreement on some guidance?

One thing one shouldn't do is serve a 302 here; it would allow defective clients to remain unpatched. My preference is to simply return a bare 403 or 404 here -- after all, the endpoint does not exist (404), or, if one uses the convention that resources at http/https are usually identical, then http is a non-authorized method to access the resource (403).

Thoughts?

-- 
Breno de Medeiros

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
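Added example, not code from the post or from the OAuth list: a Go plaintext listener that answers a mistyped http:// request to an https-only endpoint with a bare 404 and no Location header, beside the 302 variant the post argues against, plus a probe showing why the redirect hides the client's mistake. The names PlaintextRefuseHandler, PlaintextRedirectHandler, Outcome and the port :8080 are assumptions.

```go
package main

import (
	"log"
	"net/http"
)

// PlaintextRefuseHandler serves the http:// side of a service whose
// endpoint exists only over TLS. It never redirects: a 302 would let a
// client built with the wrong scheme keep working silently, so the
// defect would stay unpatched. (Hypothetical name; added example.)
func PlaintextRefuseHandler(w http.ResponseWriter, r *http.Request) {
	// No Location header and no body hint pointing at the https URL;
	// the caller is told only that nothing is here.
	w.Header().Set("Cache-Control", "no-store")
	http.Error(w, "not found", http.StatusNotFound)
}

// PlaintextRedirectHandler is the alternative the post rejects: forward
// the plaintext request to the https location with a 302.
func PlaintextRedirectHandler(httpsBase string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, httpsBase+r.URL.RequestURI(), http.StatusFound)
	}
}

// Outcome reports what a client that follows redirects (the Go default)
// observes when it mistakenly calls the http:// URL: the final status and
// whether the mistake surfaced as something the developer would notice
// (an error or a 4xx/5xx status).
func Outcome(client *http.Client, plaintextURL string) (status int, noticed bool, err error) {
	resp, err := client.Get(plaintextURL)
	if err != nil {
		return 0, true, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.StatusCode >= 400, nil
}

func main() {
	// Constructed usage: serve the refusal on an assumed local port.
	log.Fatal(http.ListenAndServe(":8080", http.HandlerFunc(PlaintextRefuseHandler)))
}
```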
