On Fri, Dec 15, 2017 at 11:12 PM, Vladimir Dzhuvinov <[email protected]> wrote:

> On 15/12/17 00:43, William Denniss wrote:
> > On Fri, Dec 8, 2017 at 11:42 AM, Vladimir Dzhuvinov <[email protected]> wrote:
> >> Hi,
> >>
> >> I just got a question on Twitter about the slow_down error:
> >>
> >> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.5
> >>
> >> The question was why slow_down is communicated via HTTP status code 400
> >> and not 429 (Too Many Requests).
> >>
> > We could, it seems to match the intent of that error code. Main reason it's
> > not like that so far is that 400 is the default for OAuth, I fear people
> > may not be checking for a 429. We don't strictly *need* the 429, since
> > we're returning data in machine readable format one way or another (i.e.
> > it's easy for the client to extract the "slow_down" response either way),
> > which differs from HTML over HTTP which is intended for end-user
> > consumption, making the specific status code more important.
> Yes, on a 400 clients will need to check the error JSON object anyway,
> so the "slow_down" cannot be missed. Whereas with 429 that becomes more
> likely.
>
> +1 to return "slow_down" with status 400 as it is with the other OAuth
> error codes.
>

Thanks for considering this Vladimir. To conclude this topic, it seems
there are no compelling reasons to change to the 429, and a reasonable
explanation of why it's a 400, so I think we should keep things as-is.

Rifaat: The deadline has passed on the WGLC, and I believe all comments
raised have been addressed. Can we now advance the draft?
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
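
The point made in the thread, that a polling client reads the error JSON object whatever the status code, as an added example that is not part of the original messages or of the draft. The function names, the 5-second back-off step and the sample responses are assumptions made for illustration.

```python
import json

# Assumed back-off step in seconds; the thread does not specify one.
SLOW_DOWN_STEP = 5


def next_poll_action(status, body, interval):
    """Return (action, interval), action being "done", "poll" or "stop"."""
    # Dispatch on the JSON "error" member, not the status code, so a
    # slow_down sent with 400 or with 429 is handled identically.
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        payload = None
    if not isinstance(payload, dict):
        return ("stop", interval)  # nothing to dispatch on: fail closed
    if status == 200 and "access_token" in payload:
        return ("done", interval)
    error = payload.get("error")
    if error == "authorization_pending":
        return ("poll", interval)
    if error == "slow_down":
        return ("poll", interval + SLOW_DOWN_STEP)
    return ("stop", interval)  # any other (or missing) error ends polling


# Constructed sample responses (status, body), not captured traffic.
SAMPLES = [
    (400, '{"error": "authorization_pending"}'),
    (400, '{"error": "slow_down"}'),
    (429, '{"error": "slow_down"}'),
    (400, '{"error": "access_denied"}'),
    (200, '{"access_token": "constructed-token", "token_type": "Bearer"}'),
]


def run_samples(interval=5):
    """Feed the samples through in order and return the trace of decisions."""
    trace = []
    for status, body in SAMPLES:
        action, interval = next_poll_action(status, body, interval)
        trace.append((status, action, interval))
        if action != "poll":
            break
    return trace
```

A client written this way keeps working if a server ever answers with 429, while a client that branches on the status code alone would treat the same body differently.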
