Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth 2.0 - Why does the authorization server return 400 instead of 401 when the resource owner credentials are invalid?

Tags:

http

oauth

When using a Resource Owner Password grant type, it appears that an authorization server should respond with an HTTP 400 (Bad Request) status code if an access token could not be granted due to the resource owner entering an incorrect password. I have concluded this based on my understanding of RFC 6749 Section 5.2**, which says "The authorization server responds with an HTTP 400 (Bad Request) status code" in the case where a token could not be granted due to an invalid_grant. The reasons listed for an invalid_grant include the resource owner credentials being invalid.

Is my understanding correct? If so, why isn't HTTP 401 (Unauthorized) returned instead? With basic authentication an invalid password results in a 401. Why does OAuth 2.0 stipulate that 400 be returned? Is this because 401 is reserved for invalid client credentials?

** See https://www.rfc-editor.org/rfc/rfc6749#section-5.2

like image 499
Jason Novak Avatar asked Mar 22 '14 00:03

Jason Novak

People also ask

How do I fix OAuth error?

When a user tries to login after the session id is expired, the system throws the OAuth error. Solution: Typically, clearing the browser or device cache fixes the problem.

Which OAuth 2.0 authorization grant type is used the most?

The Authorization Code Grant Type is probably the most common of the OAuth 2.0 grant types that you'll encounter. It is used by both web apps and native apps to get an access token after a user authorizes an app.

What is authorization server in OAuth2?

At its core, an authorization server is simply an engine for minting OpenID Connect or OAuth 2.0 tokens. An authorization server is also used to apply access policies. Each authorization server has a unique issuer URI and its own signing key for tokens to keep a proper boundary between security domains.

How does authorization work in OAuth?

OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

1 Answers

I was wondering this as well, but it seems that a 401 response requires returning a WWW-Authenticate header in the response, which doesn't make sense in this OAuth flow. This is the link to the thread where the spec designers discuss this issue.

And for completeness (tl;dr): here is the specific message where Eran Hammer-Lahav from the OAuth team clarifies this issue.

like image 137
Daniel B. Roy Avatar answered Sep 18 '22 15:09

Daniel B. Roy
Sign in to Comment

Related questions

How to detect HTTP status from JavaScript
Google Chrome audit on caching
Which browsers support a http 303 response?
GET HTTP request payload
Why use quality values in the HTTP Accept-Language header?
How to modify HTTP response body with Charles Proxy rewrite tool and regex?
Modifying HTTP response headers in Firefox
Making an HTTP POST call with multipart/form-data using jQuery?
Difference between an HTTP query parameter and HTTP form parameter? [closed]
Java - HttpUrlConnection returns cached response every time
Should I use defer on script which are already at just before the bottom body tag?
Sharing Cookie between different ports
Rate limit in nginx based on http header
Elm http request returns NetworkError for successful requests
Request a file with a custom header
Which Java libraries do HTTP Accept Header Parsing? [closed]
How to set a header in an HTTP response?
Is there a Ruby http client library with a response cache?
Posting data to asp.net Web API
Binding tab-specific data to an HTTP GET request

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!