Why wouldn't you return an HTTP-level status code of 401, with perhaps some text describing the account lock-out? Or a 403 if you wanted a separate lockout status code.
Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
[email protected]

From: Santiago Pérez <[email protected]>
To: [email protected]
Date: 07/17/2013 11:09 AM
Subject: [OAUTH-WG] Throttling error using resource owner password credentials grant or authorization code grant
Sent by: [email protected]

Dear all,

We are implementing an OAuth 2.0 server and there is a point that is not clear for me in RFC 6749. What error should we return when the maximum number of attempts for resource owner credentials is exceeded? I cannot see any suitable error in the current RFC.

We are implementing a policy for controlling this: X attempts per period (e.g. 3 times/15 minutes).

Thanks for your answer.

Kind Regards,
Santiago Pérez

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
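A token endpoint throttle along the lines discussed in the thread (3 failed resource owner password credentials attempts per 15 minutes, with the lock-out reported through an HTTP-level 403 as the reply suggests), written here as an added example and not code from either poster. The in-memory sliding window, the demo user store, the injectable clock and the "account_locked" error string are assumptions; RFC 6749 itself registers no lock-out error code.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 3          # policy from the thread: 3 failed attempts ...
WINDOW_SECONDS = 15 * 60  # ... per 15 minutes
USERS = {"alice": "correct-horse"}  # constructed demo store; real servers check a hash

class PasswordGrantThrottle:
    """Sliding window of failed password-grant attempts, keyed by resource owner."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts, self.window = max_attempts, window
        self.clock = clock  # injectable so the window can be tested deterministically
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures

    def _recent(self, username):
        """Drop failures older than the window and return the ones that remain."""
        now, q = self.clock(), self._failures[username]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def locked(self, username):
        return len(self._recent(username)) >= self.max_attempts

    def record_failure(self, username):
        self._recent(username).append(self.clock())

    def reset(self, username):
        self._failures.pop(username, None)

def token_endpoint(form, throttle):
    """Handle grant_type=password; return (http_status, json_body).
    Bad credentials follow RFC 6749 section 5.2 (400 invalid_grant); the lock-out
    case uses the HTTP-level 403 suggested in the reply, with a descriptive body."""
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    username = form.get("username", "")
    if throttle.locked(username):
        # "account_locked" is an assumed, unregistered error string used for illustration.
        return 403, {"error": "account_locked",
                     "error_description": "too many failed attempts; try again later"}
    expected = USERS.get(username, "")
    if not expected or not hmac.compare_digest(expected, form.get("password", "")):
        throttle.record_failure(username)
        return 400, {"error": "invalid_grant"}
    throttle.reset(username)
    return 200, {"access_token": "constructed-token", "token_type": "Bearer"}
```

While an account is locked the endpoint refuses even a correct password, which is what distinguishes a lock-out from an ordinary invalid_grant response.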
