Take a look at RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage" - particularly section 3: http://tools.ietf.org/html/rfc6750#section-3 which describes using the "WWW-Authenticate" response header field in response to a request with an invalid/insufficient/missing/etc token.
On Tue, Jul 29, 2014 at 8:10 PM, Takahiko Kawasaki <daru...@gmail.com> wrote:
> Hello,
>
> I have a question. Is there any standardized specification about
> error responses from protected resource endpoints?
>
> "RFC 6749, 7.2. Error Response" says "the specifics of such error
> responses are beyond the scope of this specification", but I'm
> wondering if OAuth WG has done something for that.
>
> From error responses, I'd like to know information about:
>
>   (1) Usability (active or expired? (or not exist?))
>   (2) Refreshability (associated usable refresh token exists?)
>   (3) Sufficiency (usable but lacking necessary permissions?)
>
> For example, I'm expecting an error response like below with
> "400 Bad Request" or "403 Forbidden".
>
>   {
>     "error":"...",
>     "error_description":"...",
>     "error_uri":"...",
>     "usable": true,
>     "refreshable": true,
>     "sufficient": false
>   }
>
>
> Best Regards,
> Takahiko Kawasaki
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
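
Added example (not part of the thread, and not code from the RFC): a Python client-side reading of the RFC 6750 section 3 "WWW-Authenticate" Bearer challenge, using the error codes of section 3.1 (invalid_request, invalid_token, insufficient_scope). The function names, the "action" labels and the sample header values are assumptions made for illustration, and the parser assumes one Bearer challenge per header value.

```python
import re

# auth-param = token "=" ( token / quoted-string ), as used in HTTP challenges
_PARAM = re.compile(r'([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

# Status code RFC 6750 section 3.1 pairs with each error code
# (None = request carried no credentials, so no error code is sent).
EXPECTED_STATUS = {None: 401, "invalid_request": 400,
                   "invalid_token": 401, "insufficient_scope": 403}

# Hypothetical client-side labels, not defined by the RFC.
ACTIONS = {None: "authenticate", "invalid_request": "fix_request",
           "invalid_token": "refresh_or_reauthorize",
           "insufficient_scope": "request_more_scope"}


def parse_bearer_challenge(header_value):
    """Return the auth-params of a single Bearer challenge, or None."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Undo quoted-pair escaping (\" and \\) inside quoted-strings.
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return params


def interpret(status, header_value):
    """Summarize what a client can conclude from the error response."""
    params = parse_bearer_challenge(header_value or "")
    if params is None:
        return {"action": "not_a_bearer_challenge"}
    error = params.get("error")
    return {
        "action": ACTIONS.get(error, "unknown_error"),
        "error": error,
        "description": params.get("error_description"),
        "scope": params.get("scope", "").split(),  # scopes needed, if given
        "status_consistent": EXPECTED_STATUS.get(error) == status,
    }


if __name__ == "__main__":
    # Constructed sample responses
    print(interpret(401, 'Bearer realm="example", error="invalid_token", '
                         'error_description="The access token expired"'))
    print(interpret(403, 'Bearer error="insufficient_scope", scope="read write"'))
```

The attributes section 3 defines (realm, scope, error, error_description, error_uri) cover items (1) and (3) of the question above; none of them states whether a refresh token exists.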