Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

401 and 403 status errors? #1

Open
dmitrizagidulin opened this issue Sep 22, 2020 · 3 comments
Open

401 and 403 status errors? #1

dmitrizagidulin opened this issue Sep 22, 2020 · 3 comments

Comments

@dmitrizagidulin
Copy link

Hi Richard,
Fabulous library! The only thing that gives me pause is - why hardcode the http status code at 400 for all the errors? Some of them are traditionally 401 (invalid_token, invalid_client_secret etc) and 403.
Would you be open to a PR that adjusts that?
@dmitrizagidulin dmitrizagidulin mentioned this issue Sep 23, 2020
Open
@ralucas
Copy link
Owner

ralucas commented Sep 23, 2020

I do welcome a PR and I think the reason they're all 400s was probably just simplification. However, I do want to make sure we're following the Oauth 2.0 specification. And so it looks to me the only one we'd want to change in the current libary (i.e. RFC 6749 basis): invalid_client -> 401. Here's the text from the rfc:

Client authentication failed (e.g., unknown client, no
               client authentication included, or unsupported
               authentication method).  The authorization server MAY
               return an HTTP 401 (Unauthorized) status code to indicate
               which HTTP authentication schemes are supported.  If the
               client attempted to authenticate via the "Authorization"
               request header field, the authorization server MUST
               respond with an HTTP 401 (Unauthorized) status code and
               include the "WWW-Authenticate" response header field
               matching the authentication scheme used by the client.

It looks like there's some caveats around sending 401, so perhaps this lib needs to be adjusted to allowing users to simply pass in the status code.

And perhaps we should add the extensions errors from RFC6750:

  • invalid_request -> 400
  • invalid_token -> 401
  • insufficient_scope -> 403

What are your thoughts? Hope all is well.

Best,
Richard

@dmitrizagidulin
Copy link
Author

@ralucas - excellent, thanks! (I'll adjust PR #2 to reflect that.)

So, agreed that all the errors listed in RFC6749 will be 400 except for invalid_client.
And yes, let's add the ones from RFC6750.

In addition, I would argue that:

  • access_denied should be http 403 (sort of by definition).
  • server_error should be 500.
  • temporarily_unavailable should be 503 (since that's what that code is for).

@dmitrizagidulin
Copy link
Author

(Re the WWW-Authenticate response header in the error.response helper, that was gonna be my next issue/PR :) )

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dmitrizagidulin @ralucas