Thank you, Torsten, for updating the document.

Two issues have been raised:

1) Terminology: Authorization vs. access grant vs. authorization grant

There is a little bit of email exchange on that topic:
http://www.ietf.org/mail-archive/web/oauth/current/msg10426.html

I personally don't have an opinion on the terminology in this case. 

2) invalid_token error code

As mentioned on the list, a new error code has to be registered (which is not a 
big deal). Re-using an error code with different semantics is of course 
confusing. 

Re-using an already defined error code and providing additional text in the 
error_description is fine as long as the description relates to the originally 
defined error description. In the case of the invalid_request error code, RFC 
6749 defines it as 

   invalid_request
               The request is missing a required parameter, includes an
               invalid parameter value, includes a parameter more than
               once, or is otherwise malformed.

and RFC 6750 says:

   invalid_request
         The request is missing a required parameter, includes an
         unsupported parameter or parameter value, repeats the same
         parameter, uses more than one method for including an access
         token, or is otherwise malformed.  The resource server SHOULD
         respond with the HTTP 400 (Bad Request) status code.

Let us know how you want to proceed on these two issues. 

Ciao
Hannes
 
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
