It may help to specifically clarify which interaction with the AS we are talking about here.
Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.

On Fri, Feb 4, 2022 at 10:16 AM Johannes Koch <johannes.koch= [email protected]> wrote:

> Hi there,
>
> a question about
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04
>
> 5.2.3. Error Codes
>
> "invalid_request": The request is missing a required parameter,
> includes an unsupported parameter or parameter value, repeats the
> same parameter, uses more than one method for including an access
> token, or is otherwise malformed. The resource server SHOULD
> respond with the HTTP 400 (Bad Request) status code.
>
> "invalid_token": The access token provided is expired, revoked,
> malformed, or invalid for other reasons. The resource SHOULD
> respond with the HTTP 401 (Unauthorized) status code. The client
> MAY request a new access token and retry the protected resource
> request.
>
> Now, what is the intended error code for the situation where no access
> token is provided? The description for invalid_token seems to imply that
> one token was provided.
> As the token may be seen as a required parameter, invalid_request may be
> appropriate. However, a missing token smells more like HTTP 401
> (Unauthorized).
>
> Should this be an additional error code (missing_token)? Or should this
> case be added to invalid_token?
>
> --
> Johannes Koch
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
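The quoted question turns on how a resource server should answer when no access token is present at all, as opposed to a malformed or a rejected one. The following is an added example, not code from either poster and not from the OAuth working group: a small bearer-token check for a resource server that separates the three situations the draft's error text runs together. It applies the rule from RFC 6750 section 3.1 that a request carrying no authentication information gets a 401 with a bare `WWW-Authenticate: Bearer` challenge and no error code, reserves `invalid_request` (400) for a malformed `Authorization` header or for a token sent by more than one method, and uses `invalid_token` (401) only when a token was actually presented and then rejected. The realm `example`, the in-memory token store, and the restriction to the header and form-body transmission methods are assumptions made for the example; a real resource server would validate the token against its AS (JWT verification or introspection) instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

REALM = "example"  # hypothetical realm name, only used in the challenge

# b64token syntax from RFC 6750 section 2.1: a non-empty run of token characters
# optionally padded with "=".
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Constructed token store standing in for the AS's introspection or JWT check.
# "exp" is a Unix timestamp; "revoked" marks a token the AS has withdrawn.
TOKEN_STORE: Dict[str, Dict[str, object]] = {
    "good-token": {"exp": 2_000_000_000, "revoked": False},
    "expired-token": {"exp": 1_000_000_000, "revoked": False},
    "revoked-token": {"exp": 2_000_000_000, "revoked": True},
}


@dataclass(frozen=True)
class ResourceResponse:
    status: int                      # HTTP status the resource server sends
    error: Optional[str]             # OAuth error code, None when none is reported
    www_authenticate: Optional[str]  # challenge header value, None on success


def _challenge(error: Optional[str], description: Optional[str] = None) -> str:
    """Build a WWW-Authenticate value; error/description are omitted when None."""
    parts = [f'realm="{REALM}"']
    if error is not None:
        parts.append(f'error="{error}"')
    if description is not None:
        # RFC 6750 forbids double quotes inside error_description.
        parts.append(f'error_description="{description.replace(chr(34), "")}"')
    return "Bearer " + ", ".join(parts)


def _collect_candidates(headers: Mapping[str, str],
                        form: Mapping[str, str]) -> Tuple[list, Optional[str]]:
    """Return (tokens found, malformed-reason). A non-Bearer scheme counts as no
    bearer credentials at all, which RFC 6750 treats as the no-error 401 case."""
    found = []
    auth = headers.get("Authorization")
    if auth is not None:
        scheme, _, rest = auth.strip().partition(" ")
        if scheme.lower() == "bearer":
            token = rest.strip()
            if not _B64TOKEN.match(token):
                return found, "malformed Authorization header"
            found.append(token)
    if "access_token" in form:
        found.append(form["access_token"])
    return found, None


def check_bearer_request(headers: Mapping[str, str],
                         form: Mapping[str, str],
                         token_store: Mapping[str, Mapping[str, object]] = TOKEN_STORE,
                         now: int = 1_500_000_000) -> ResourceResponse:
    """Map a protected-resource request to the response the draft's error codes imply."""
    candidates, malformed = _collect_candidates(headers, form)
    if malformed is not None:
        return ResourceResponse(400, "invalid_request",
                                _challenge("invalid_request", malformed))
    if len(candidates) > 1:
        return ResourceResponse(400, "invalid_request",
                                _challenge("invalid_request",
                                           "access token sent by more than one method"))
    if not candidates:
        # No authentication information: 401 with a bare challenge, no error code.
        return ResourceResponse(401, None, _challenge(None))
    record = token_store.get(candidates[0])
    if record is None or record["revoked"] or int(record["exp"]) <= now:
        return ResourceResponse(401, "invalid_token",
                                _challenge("invalid_token",
                                           "token is unknown, expired, or revoked"))
    return ResourceResponse(200, None, None)


if __name__ == "__main__":
    for hdrs, body in [({}, {}),
                       ({"Authorization": "Bearer good-token"}, {}),
                       ({"Authorization": "Bearer expired-token"}, {}),
                       ({"Authorization": "Bearer"}, {}),
                       ({"Authorization": "Bearer good-token"}, {"access_token": "good-token"}),
                       ({"Authorization": "Basic dXNlcjpwdw=="}, {})]:
        print(hdrs, body, "->", check_bearer_request(hdrs, body))
```

The distinguishing signal for a client is the challenge header: a bare `Bearer realm="example"` means "you sent nothing, authenticate first", while `error="invalid_token"` means "what you sent was rejected, obtain a new token and retry", and `error="invalid_request"` means the request itself has to be repaired before retrying will help. Keeping the missing-token case free of an error code also avoids telling an unauthenticated caller anything about how tokens are validated.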
