Is 400 the appropriate error code for OAuth verification errors (http)?


Solution 1

Correct.

401 Unauthorized should be the primary choice for response status code in your example.

EDIT:

I spent some time browsing the OAuth2 draft, and it looks like they specify the following when client authentication fails:

  • normally MUST respond with 400 Bad Request, but
  • MAY respond with 401 Unauthorized, and
  • MUST respond with 401 Unauthorized if authentication was attempted using the Authorization request header. If so, it must also include a WWW-Authenticate header in the response.

Solution 2

From http://oauth.net/core/1.0a/#http_codes

HTTP 400 Bad Request
    Unsupported parameter
    Unsupported signature method
    Missing required parameter
    Duplicated OAuth Protocol Parameter
HTTP 401 Unauthorized
    Invalid Consumer Key
    Invalid / expired Token
    Invalid signature
    Invalid / used nonce

So the 401 is right.
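As an added example (not code from the question or either answer), here is how a bearer-token resource server can apply the status-code rules discussed here, following RFC 6750 section 3: no credentials or a rejected/expired token gets 401 with a WWW-Authenticate challenge, a syntactically malformed token gets 400 with error="invalid_request", and a valid token lacking the needed scope gets 403 with error="insufficient_scope". The token store, realm name and timestamps are constructed placeholders.

```python
import re

# RFC 6750 b64token syntax: the credential must match this to be well-formed.
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
REALM = "api"  # assumed realm name for the challenge

# Constructed sample token store: token -> (subject, expiry unix time, scopes).
NOW = 1_700_000_000
TOKEN_STORE = {
    "tok-valid": ("alice", NOW + 3600, frozenset({"read"})),
    "tok-expired": ("bob", NOW - 60, frozenset({"read", "write"})),
}


def _challenge(**params):
    """Build a WWW-Authenticate: Bearer challenge with the given auth-params."""
    attrs = ", ".join(f'{k}="{v}"' for k, v in params.items())
    return {"WWW-Authenticate": f"Bearer {attrs}"}


def bearer_response(authorization, required_scope=None, now=NOW):
    """Return (status, headers, subject) for a protected-resource request.

    `authorization` is the raw Authorization header value, or None if absent.
    The token value is never echoed back in the challenge.
    """
    if authorization is None:
        # No credentials: challenge the client, with no error code (RFC 6750 3.1).
        return 401, _challenge(realm=REALM), None
    scheme, _, credential = authorization.partition(" ")
    if scheme.lower() != "bearer":
        # Some other scheme was offered; treat it as no bearer credentials.
        return 401, _challenge(realm=REALM), None
    credential = credential.strip()
    if not B64TOKEN.match(credential):
        # Missing or malformed token syntax is a bad request, not an auth failure.
        return 400, _challenge(realm=REALM, error="invalid_request"), None
    entry = TOKEN_STORE.get(credential)
    if entry is None or entry[1] <= now:
        # Unknown, revoked or expired token: this is the 401 case from the answers.
        hdrs = _challenge(realm=REALM, error="invalid_token",
                          error_description="The access token is invalid or expired")
        return 401, hdrs, None
    subject, _expiry, scopes = entry
    if required_scope and required_scope not in scopes:
        # Authenticated, but not authorized for this resource.
        return 403, _challenge(realm=REALM, error="insufficient_scope",
                               scope=required_scope), None
    return 200, {}, subject
```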

jayunit100

Current: Red Hat BigData, Apache BigTop commiter. Past: Phd in scalable, data driven bioinformatics analytics tools on the JVM, which led me into the world of big data as the genomic data space started to explode. After that, I was with peerindex as a hadoop mapreduce dev, and now I'm a big data engineer at redhat. We're making red hat storage awesome(r). blog: http://jayunit100.blogspot.com. github: http://github.com/jayunit100 pubs : https://www.researchgate.net/profile/Jay_Vyas/publications/?ev=prf_pubs_p2

Updated on June 05, 2022

Comments

  • jayunit100
    jayunit100 over 1 year

    Hi guys: What should the correct HTTP response code be for a request which, although well-formed, includes an invalid OAuth token?

    The error code 400 seems misleading, since an invalid OAuth token is, I believe, not a malformed request.

    Strangely, it is the case that Facebook OAuth tokens (if invalid) cause the API to return a result with a 400 response code....

  • jayunit100
    jayunit100 almost 12 years
    Hmmm... any thoughts on why Facebook implements a 400 return on bad OAuth tokens?
  • Igy
    Igy almost 12 years
    That's for OAuth 1.0 - it may be different for OAuth 2.0 (which Facebook uses) - tools.ietf.org/html/draft-ietf-oauth-v2-22 may specify otherwise (I haven't read the specs so I'm not sure)
  • Jon Nylander
    Jon Nylander almost 12 years
    Well, having implemented an OAuth provider myself, I can only say that I didn't think it was trivial to get all the response codes right. I had to refactor quite a bit to get to where I wanted. In Facebook's case I can only surmise that they have overlooked it, or simply not deemed it worthwhile doing. On a side note: there are over 1,000 open bugs on developers.facebook.com, and none of them seem to deal with this issue.
  • prashant
    prashant over 9 years
    On my reading of RFC 6749 the invalid token case falls under invalid_grant rather than invalid_client, and so should be a 400 Bad Request, with no WWW-Authenticate. I agree the RFC is really unclear, though.
  • prashant
    prashant over 9 years
    Correction: RFC 6749 section 5.2 only refers to requests for tokens, not to requests with tokens. It looks like RFC 6750 section 3 does specify 401 Unauthorized and require a WWW-Authenticate.