At Facebook we issue an HTTP 400 with "invalid_request" as the error.
http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
(the client_id is to enable draft-10 error messaging).

On Oct 13, 2010, at 11:31 AM, Breno wrote:

Suppose server A documents that their endpoint X is at https://server.example.com/x; there's no service at the corresponding http location for security reasons.

Client developer fatfingers URL as http://server.example.com/x

What is the correct response? I understand that this is out of scope for the spec, but maybe there's agreement on some guidance?

One thing one shouldn't do is serve a 302 here; it would allow defective clients to remain unpatched.

My preference is to simply return a bare 403 or 404 here -- after all the endpoint does not exist (404) or if one uses the convention that resources at http/https are usually identical, then http is a non-authorized method to access the resource (403).

Thoughts?

--
Breno de Medeiros

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
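The behaviour discussed in this thread, as an added example that is not part of the original messages: a WSGI middleware that answers plain-HTTP requests to an HTTPS-only endpoint with the 400 "invalid_request" response or a bare 403/404, and never a 302. The names `RejectPlainHttp`, `POLICIES`, `endpoint_x` and `call`, and the JSON shape of the error body, are assumptions for illustration.

```python
import json

# Hypothetical policy names for the three answers mentioned in the thread.
POLICIES = {
    "invalid_request": ("400 Bad Request", {"error": "invalid_request"}),
    "forbidden": ("403 Forbidden", None),   # bare response, no body
    "not_found": ("404 Not Found", None),   # bare response, no body
}


class RejectPlainHttp:
    """WSGI middleware: plain-HTTP requests get an error, never a redirect."""

    def __init__(self, app, policy="invalid_request"):
        self.app = app
        self.status, self.payload = POLICIES[policy]

    def __call__(self, environ, start_response):
        # wsgi.url_scheme is set by the server. Behind a TLS-terminating proxy
        # it must come from a header only the trusted proxy can set.
        if environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)
        body = json.dumps(self.payload).encode() if self.payload else b""
        headers = [("Content-Length", str(len(body))), ("Cache-Control", "no-store")]
        if body:
            headers.append(("Content-Type", "application/json"))
        # Deliberately no Location header: a 302 would let a client with the
        # wrong scheme keep working and stay unpatched.
        start_response(self.status, headers)
        return [body]


def endpoint_x(environ, start_response):
    """Stand-in for the HTTPS-only endpoint X."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, scheme, path="/x"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```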
