Replace UnauthorizedRequestError with InvalidRequestError #69
Comments
|
Thus, the correct ErrorCode for missing token is 400 and not 401 |
|
Hm but there is also
I think the part Is there any discussion on this in the original repo? This would be a breaking change, right? Also we need to identify the places in the code and tests to be updated accordingly. // cc @jwerre @HappyZombies |
jankapunkt
added
compliance 📜
|
Good argument, but also this would mean, that we would not need that UnauthorizedRequestError but invalid_token with 401. |
|
Both are good points. Just out of curiosity I've hit a couple of well know APIs without an access token: curl -I https://api.github.com/user
HTTP/2 401curl -I https://api.stripe.com/v1/charges
HTTP/2 401
www-authenticate: Basic realm="Stripe"curl -I https://api.twilio.com/2010-04-01/Accounts
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Twilio API" |
|
I tested the three above mentioned resource servers and only stripe made a RFC6750 conform response. Return Value of the resource server is: InvalidRequestError ^^ |
|
So it should be |
The UnauthorizedRequestError is not a standard error code. According to the reference in the comment https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 there is no unauthorized_request error.
UnauthorizedRequestError is used in the AuthenticateHandler for indicating that there was no token in body and header.
According to the Spec it should be an InvalidRequestError, as the token is clearly a missing parameter.
The request is missing a required parameter, includes an
unsupported parameter or parameter value, repeats the same
parameter, uses more than one method for including an access
token, or is otherwise malformed. The resource server SHOULD
respond with the HTTP 400 (Bad Request) status code.
The text was updated successfully, but these errors were encountered: