During the last week I had the chance to implement the non-optional
features of the token revocation draft. I would be glad if the document
would get a closer connection to the referenced RFC6749 regarding the
error handling.
The draft states that HTTP status 401 and 403 are to be used for certain error
conditions. RFC6749 declares this as optional (OK, not for the
Authorization header). The implementation of the token revocation endpoint
in conjunction with a tokens endpoint would be much easier if there is a
single way to handle exceptions which conforms to RFC6749.
Therefore I want to suggest replacing
Status code 401 indicates a
failed client authentication, whereas a status code 403 is used if
the client is not authorized to revoke the particular token. For all
other error conditions, a status code 400 is used along with an error
response as defined in section 5.2
<http://tools.ietf.org/html/draft-ietf-oauth-revocation-03#section-5.2>. of [RFC6749
<http://tools.ietf.org/html/rfc6749>].
with
The error presentation conforms to the definition in section 5.2 of
[RFC6749].
To express the status code 403 I suggest using the error code
"unauthorized_client" of RFC6749 in conjunction with status code 400.
The additional error codes defined in the draft will remain of course.
Happy apocalypse ;-)
Peter Mauritius
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
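The proposal in the message above, as an added example that is not code from the draft or from the OAuth working group: a minimal revocation endpoint that reports every error with an RFC 6749 section 5.2 body and status 400, expresses the draft's 403 case as "unauthorized_client", and keeps 401 only for a failed client authentication via the Authorization header. The token store, client credentials, parameter names and helper names are constructed for this example.

```python
import json

# Constructed sample data for the example: token -> owning client_id,
# and client_id -> client secret (assumptions, not from the draft).
TOKENS = {"tok-abc": "client-1", "tok-xyz": "client-2"}
CLIENTS = {"client-1": "secret-1", "client-2": "secret-2"}

NO_CACHE = {"Cache-Control": "no-store", "Pragma": "no-cache"}


def error_response(error, description=None, status=400, extra_headers=None):
    """Error response in the shape of RFC 6749 section 5.2: a JSON body
    with "error" (and optional "error_description") plus no-store headers.
    Returns (status, headers, body)."""
    headers = {"Content-Type": "application/json;charset=UTF-8", **NO_CACHE}
    headers.update(extra_headers or {})
    body = {"error": error}
    if description:
        body["error_description"] = description
    return status, headers, json.dumps(body)


def revoke(params, client_id, client_secret, used_authorization_header):
    """Revocation endpoint following the message's proposal: one error
    format (section 5.2) for all failures. The only non-400 status is 401
    for a failed client authentication when the client used the
    Authorization header, which section 5.2 itself prescribes."""
    if CLIENTS.get(client_id) != client_secret:
        if used_authorization_header:
            return error_response(
                "invalid_client", status=401,
                extra_headers={"WWW-Authenticate": 'Basic realm="revocation"'})
        return error_response("invalid_client")
    token = params.get("token")
    if token is None:
        return error_response("invalid_request", "token parameter is missing")
    owner = TOKENS.get(token)
    if owner is None:
        # Assumed here: an unknown or already revoked token is treated as
        # revoked, so the client gets a plain 200 rather than an error.
        return 200, dict(NO_CACHE), ""
    if owner != client_id:
        # The draft's 403 case, expressed as 400 + "unauthorized_client".
        return error_response("unauthorized_client",
                              "client is not allowed to revoke this token")
    del TOKENS[token]
    return 200, dict(NO_CACHE), ""
```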