Hopefully you also invalidate the token (if bearer) since it was sent over an insecure channel.
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Breno
> Sent: Wednesday, October 13, 2010 11:31 AM
> To: [email protected]
> Subject: [OAUTH-WG] Request sent to http: instead of https:
>
> Suppose server A documents that their endpoint X is at
> https://server.example.com/x; there's no service at the corresponding http
> location for security reasons.
>
> Client developer fatfingers URL as http://server.example.com/x
>
> What is the correct response? I understand that this is out of scope for the
> spec, but maybe there's agreement on some guidance?
>
> One thing one shouldn't do is serve a 302 here; it would allow defective
> clients to remain unpatched.
>
> My preference is to simply return a bare 403 or 404 here -- after all the
> endpoint does not exist (404) or if one uses the convention that resources at
> http/https are usually identical, then http is a non-authorized method to
> access the resource (403).
>
> Thoughts?
>
> --
> Breno de Medeiros
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
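As an added illustration of the two positions in this exchange (not code from the thread or from any OAuth implementation), the following Python models a server that owns the HTTPS-only endpoint `/x` on `server.example.com` (both taken from Breno's message). `redirecting_handler` is the 302 behaviour Breno argues against; `refusing_handler` answers a bare 404 for anything arriving over plain http and, following EHL's reply, revokes any bearer token that was presented on that insecure request. The `TokenStore`, the `Response` type and the `effective_scheme` helper for a TLS-terminating proxy are all constructed for this example and are assumptions, not anything the thread specifies.

```python
"""
Added example: serving an HTTPS-only OAuth endpoint when a client fatfingers
the scheme as http.  All names here are illustrative stand-ins.
"""
from dataclasses import dataclass, field

HOST = "server.example.com"   # from the thread
ENDPOINT_PATH = "/x"          # https://server.example.com/x in the thread


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


@dataclass
class TokenStore:
    """Constructed in-memory stand-in for the authorization server's token state."""
    valid: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

    def revoke(self, token: str) -> None:
        self.valid.discard(token)
        self.revoked.add(token)


def bearer_token(headers: dict):
    """Return the credential from an 'Authorization: Bearer <token>' header, else None."""
    auth = headers.get("Authorization", "")
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        return credential.strip()
    return None


def effective_scheme(conn_scheme: str, headers: dict, peer_is_trusted_proxy: bool) -> str:
    """Decide which scheme the client actually used.

    Only honour X-Forwarded-Proto when the direct peer is a proxy we trust;
    otherwise any client could claim 'https' and bypass the check.
    """
    if peer_is_trusted_proxy:
        return headers.get("X-Forwarded-Proto", conn_scheme).lower()
    return conn_scheme.lower()


def redirecting_handler(scheme: str, path: str, headers: dict, store: TokenStore) -> Response:
    """Anti-pattern from the thread: 302 to https.

    The defective client keeps working and never gets fixed, and a bearer token
    it already sent in the clear is silently accepted on the retried request.
    """
    if scheme == "http" and path == ENDPOINT_PATH:
        return Response(302, {"Location": f"https://{HOST}{path}"}, b"")
    return Response(200, {}, b"ok")


def refusing_handler(scheme: str, path: str, headers: dict, store: TokenStore) -> Response:
    """Hardened behaviour: no service exists at the http location.

    A bare 404 with no Location header makes the broken client fail loudly.
    Any bearer token that arrived over http has been exposed on the wire, so it
    is revoked before we answer (EHL's point).
    """
    if scheme != "https":
        token = bearer_token(headers)
        if token is not None:
            store.revoke(token)
        return Response(404, {}, b"Not Found")
    if path != ENDPOINT_PATH:
        return Response(404, {}, b"Not Found")
    token = bearer_token(headers)
    if token is None or token not in store.valid:
        return Response(401, {"WWW-Authenticate": 'Bearer realm="x"'}, b"")
    return Response(200, {}, b"ok")


if __name__ == "__main__":
    store = TokenStore(valid={"tok-1"})
    bad = refusing_handler("http", ENDPOINT_PATH, {"Authorization": "Bearer tok-1"}, store)
    print(bad.status, sorted(store.revoked))      # 404 ['tok-1']
    retry = refusing_handler("https", ENDPOINT_PATH, {"Authorization": "Bearer tok-1"}, store)
    print(retry.status)                           # 401: the leaked token no longer works
```

Note the ordering in `refusing_handler`: the scheme check runs before the path check, so the http listener never distinguishes a real endpoint from a nonexistent one, and the revocation happens even though the response itself carries no hint that a token was recognised.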
