> > Hopefully you also invalidate the token (if bearer) since it was sent over
> > an insecure channel.
>
> Excuse my naivety, but perhaps that's worth putting in the spec?
>
> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Breno
> > Sent: Wednesday, October 13, 2010 11:31 AM
> > To: [email protected]
> > Subject: [OAUTH-WG] Request sent to http: instead of https:
> >
> > Suppose server A documents that their endpoint X is at
> > https://server.example.com/x; there's no service at the corresponding http
> > location for security reasons.
> >
> > Client developer fat-fingers URL as http://server.example.com/x
> >
> > What is the correct response? I understand that this is out of scope for the
> > spec, but maybe there's agreement on some guidance?
> >
> > One thing one shouldn't do is serve a 302 here; it would allow defective
> > clients to remain unpatched.
> >
> > My preference is to simply return a bare 403 or 404 here -- after all the
> > endpoint does not exist (404) or if one uses the convention that resources at
> > http/https are usually identical, then http is a non-authorized method to
> > access the resource (403).
> >
> > Thoughts?
> >
> > --
> > Breno de Medeiros
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
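The behaviour the thread converges on (no 302 for a plain-http request to an https-only endpoint, a bare 404 or 403 instead, and revocation of any bearer token that arrived in clear text) as an added example. This is illustrative code written for this page, not code from the thread or from any OAuth implementation; the endpoint path "/x", the PLAIN_HTTP_STATUS choice, the REVOKED_TOKENS store and all request data are assumptions constructed for the demonstration.

```python
"""Minimal resource server dispatch for an https-only endpoint.

Added example, not from the OAuth list thread: answer a request that arrives
over plain http with a bare 404 (no Location header, so a client that
fat-fingered the scheme fails loudly instead of being silently fixed up) and
treat any bearer token seen in clear text as compromised.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Optional

# Endpoints that exist only at https://server.example.com (assumed: "/x").
HTTPS_ONLY_ENDPOINTS = {"/x"}

# Status for the non-existent http: counterpart. 403 is the other option the
# thread mentions, if http and https are conventionally the same resource.
PLAIN_HTTP_STATUS = 404

# Stand-in for the authorization server's revocation list (assumption).
REVOKED_TOKENS: set = set()


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the bearer token from an Authorization header, if any."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return None


def handle_request(scheme: str, path: str, headers: Mapping[str, str]) -> Response:
    """Dispatch one request given the scheme it actually arrived over."""
    if path not in HTTPS_ONLY_ENDPOINTS:
        return Response(404)

    if scheme != "https":
        # The token has already crossed the wire in clear text; whatever we
        # answer, it must stop working from now on.
        leaked = bearer_token(headers)
        if leaked is not None:
            REVOKED_TOKENS.add(leaked)
        # Deliberately no Location header: a redirect would let defective
        # clients keep running unpatched.
        return Response(PLAIN_HTTP_STATUS)

    token = bearer_token(headers)
    if token is None or token in REVOKED_TOKENS:
        return Response(401, {"WWW-Authenticate": 'Bearer realm="example"'})
    return Response(200, body=b"ok")


def demo() -> List[int]:
    """Constructed sequence: a client fat-fingers http: with a valid token,
    retries the same token over https, then uses a fresh token."""
    REVOKED_TOKENS.clear()
    return [
        handle_request("http", "/x", {"Authorization": "Bearer abc123"}).status,
        handle_request("https", "/x", {"Authorization": "Bearer abc123"}).status,
        handle_request("https", "/x", {"Authorization": "Bearer fresh456"}).status,
    ]  # [404, 401, 200]


if __name__ == "__main__":
    print(demo())
```

The revocation happens before the status is chosen, so it does not matter whether the deployment picks 404 or 403: the leaked token is dead either way, and the client's next correct https request gets a 401 that forces it to re-authorize rather than keep using a credential an on-path observer may already hold.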
