Is 400 the appropriate error code for OAuth verification errors (http)?
Solution 1
Correct. 401 Unauthorized should be the primary choice for response status code in your example.
EDIT:
I spent some time browsing the OAuth2 draft, and it looks like they specify the following when client authentication fails:
- normally MUST respond with 400 Bad Request, but
- MAY respond with 401 Unauthorized, and
- MUST respond with 401 Unauthorized if authentication was attempted using the Authorization request header. If so it must also include a WWW-Authenticate header in the response.
Solution 2
From http://oauth.net/core/1.0a/#http_codes

HTTP 400 Bad Request
- Unsupported parameter
- Unsupported signature method
- Missing required parameter
- Duplicated OAuth Protocol Parameter

HTTP 401 Unauthorized
- Invalid Consumer Key
- Invalid / expired Token
- Invalid signature
- Invalid / used nonce

So the 401 is right.
jayunit100
Updated on June 05, 2022
Comments
- jayunit100 (over 1 year): Hi guys: What should the correct http response code be for a request which, although well-formed, includes an invalid oauth token? The error code 400 seems misleading, since an invalid oauth is, I believe, not a malformed request. Strangely, it is the case that facebook oauth tokens (if invalid) cause an api return of result in the return if a 400 response code....
- jayunit100 (almost 12 years): Hmmm... any thoughts on why facebook implements a 400 return on bad oauths?
- Igy (almost 12 years): That's for Oauth 1.0 - it may be different for Oauth 2.0 (which Facebook uses) - tools.ietf.org/html/draft-ietf-oauth-v2-22 may specify otherwise (I haven't read the specs so I'm not sure)
- Jon Nylander (almost 12 years): Well, having implemented an OAuth provider myself, I can only say that I didn't think it was trivial to get all the response codes right. I had to refactor quite a bit to get to where I wanted. In Facebook's case I can only surmise that they have overlooked it, or simply not deemed it worthwhile doing. On a side note: there are over 1000 open bugs on developers.facebook.com, and none of them seem to deal with this issue.
- prashant (over 9 years): On my reading of RFC 6749 the invalid token case falls under invalid_grant rather than invalid_client, and so should be a 400 Bad Request, with no WWW-Authenticate. I agree the RFC is really unclear, though.
- prashant (over 9 years): Correction: RFC 6749 section 5.2 only refers to requests for tokens, not to requests with tokens. It looks like RFC 6750 section 3 does specify 401 Unauthorized and require a WWW-Authenticate.
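The two rules discussed on this page (Solution 1's EDIT on client authentication at the token endpoint, RFC 6749 section 5.2, and prashant's correction that requests *with* a token are governed by RFC 6750 section 3) can be written down as one small server-side decision routine. The following is an added example, not code from the question, the answers or any OAuth library; the function names, the realm value "example", the Response dataclass and the token store are this example's own constructed assumptions.

```python
"""Added example: mapping OAuth 2.0 failures to HTTP status codes.

Two separate decisions are covered, because the page's confusion came from
mixing them up:
  * client authentication failure at the token endpoint (RFC 6749 sec. 5.2)
  * bearer token problems on a protected-resource request (RFC 6750 sec. 3)
All names below are assumptions made for this example.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


def token_endpoint_client_auth_failure(used_authorization_header: bool,
                                       realm: str = "example") -> Response:
    """Client authentication failed while requesting a token.

    Default is 400 with error=invalid_client. If the client authenticated via
    the Authorization header, the answer MUST be 401 and MUST carry a
    WWW-Authenticate challenge for the scheme the client used (Basic here,
    the scheme RFC 6749 requires every authorization server to support).
    """
    body = {"error": "invalid_client"}
    if used_authorization_header:
        return Response(401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, body)
    return Response(400, {}, body)


def bearer_challenge(realm: str, error: Optional[str] = None,
                     description: Optional[str] = None,
                     scope: Optional[str] = None) -> str:
    """Build a WWW-Authenticate value for the Bearer scheme (RFC 6750 sec. 3)."""
    parts = [f'realm="{realm}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(parts)


# Constructed token store standing in for the authorization server's records.
TOKENS = {
    "tok-live": {"scope": "read write", "expires": time.time() + 3600},
    "tok-stale": {"scope": "read", "expires": time.time() - 1},
}


def protected_resource_response(headers: Dict[str, str], required_scope: str,
                                realm: str = "example",
                                now: Optional[float] = None) -> Response:
    """Decide the status for a request to a protected resource.

    The HTTP request itself is well formed in every branch; the status code
    reflects the *credential*, which is exactly the point the question raises.
    """
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    if auth is None or not auth.startswith("Bearer "):
        # No usable credentials: 401 with a bare challenge and no error code,
        # as RFC 6750 3.1 asks when the client sent nothing we can evaluate.
        return Response(401, {"WWW-Authenticate": bearer_challenge(realm)})
    token = auth[len("Bearer "):].strip()
    if not token or " " in token:
        # Malformed bearer credential: this is the one case that is really a 400.
        return Response(400, {"WWW-Authenticate": bearer_challenge(
            realm, "invalid_request", "malformed bearer token")},
            {"error": "invalid_request"})
    record = TOKENS.get(token)
    if record is None or record["expires"] <= now:
        # Unknown, revoked or expired token: 401 invalid_token with a challenge.
        return Response(401, {"WWW-Authenticate": bearer_challenge(
            realm, "invalid_token", "token is invalid or expired")},
            {"error": "invalid_token"})
    granted = set(record["scope"].split())
    if required_scope not in granted:
        # Valid token that simply lacks the needed scope: 403, not 401.
        return Response(403, {"WWW-Authenticate": bearer_challenge(
            realm, "insufficient_scope", scope=required_scope)},
            {"error": "insufficient_scope"})
    return Response(200)
```

The split matters operationally: a 401 with a Bearer challenge tells a well-behaved client to obtain a fresh token, a 403 tells it that re-authenticating will not help, and a 400 is reserved for requests the server could not even parse as a bearer credential. Logging which branch fired is also a cheap way to spot token-guessing or replay attempts, which show up as bursts of invalid_token rather than invalid_request.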