OAuth 2.0 - Why does the authorization server return 400 instead of 401 when the resource owner credentials are invalid?

Tags:

http

oauth

When using a Resource Owner Password grant type, it appears that an authorization server should respond with an HTTP 400 (Bad Request) status code if an access token could not be granted due to the resource owner entering an incorrect password. I have concluded this based on my understanding of RFC 6749 Section 5.2**, which says "The authorization server responds with an HTTP 400 (Bad Request) status code" in the case where a token could not be granted due to an invalid_grant. The reasons listed for an invalid_grant include the resource owner credentials being invalid.

Is my understanding correct? If so, why isn't HTTP 401 (Unauthorized) returned instead? With basic authentication an invalid password results in a 401. Why does OAuth 2.0 stipulate that 400 be returned? Is this because 401 is reserved for invalid client credentials?

** See https://www.rfc-editor.org/rfc/rfc6749#section-5.2

Jason Novak asked Mar 22 '14 00:03



1 Answer

I was wondering this as well, but it seems that a 401 response requires returning a WWW-Authenticate header in the response, which doesn't make sense in this OAuth flow. This is the link to the thread where the spec designers discuss this issue.

And for completeness (tl;dr): here is the specific message where Eran Hammer-Lahav from the OAuth team clarifies this issue.

Daniel B. Roy answered Sep 18 '22 15:09
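The distinction the question and answer are circling is easiest to see in a token endpoint that implements RFC 6749 Section 5.2 literally. The example below is added here and is not code from the question, the answer, or any OAuth library: a minimal password-grant handler with constructed client and resource-owner records. It returns 400 `invalid_grant` (no `WWW-Authenticate`) when the resource owner's password is wrong, and reserves 401 plus `WWW-Authenticate` for the one case Section 5.2 requires it: the client authenticated through the `Authorization` header and that authentication failed. The `Response` dataclass, the in-memory `CLIENTS` and `RESOURCE_OWNERS` tables and the helper names are assumptions made for this example.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data for the example; a real server would look these up
# in a store holding hashed secrets, not plaintext.
CLIENTS = {"web-app": "client-secret-123"}      # client_id -> client_secret
RESOURCE_OWNERS = {"alice": "correct horse"}     # username  -> password


@dataclass
class Response:
    """Hypothetical HTTP response container used by this example."""
    status: int
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def _constant_time_eq(a: str, b: str) -> bool:
    # Compare secrets without leaking their length or prefix through timing.
    return hmac.compare_digest(a.encode(), b.encode())


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value a client sends with HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _parse_basic_auth(header):
    """Return (client_id, client_secret) from a Basic Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header.split(" ", 1)[1], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, client_secret = raw.split(":", 1)
    return client_id, client_secret


def _error(status: int, error: str, description: str, extra_headers=None) -> Response:
    # RFC 6749 5.2: a JSON object with an "error" member; Section 5.1/5.2 also want
    # no-store so error bodies and tokens never land in a shared cache.
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store",
               "Pragma": "no-cache"}
    headers.update(extra_headers or {})
    return Response(status, headers, {"error": error, "error_description": description})


def token_endpoint(headers: dict, form: dict) -> Response:
    """Handle one Resource Owner Password Credentials grant request."""
    if form.get("grant_type") != "password":
        return _error(400, "unsupported_grant_type",
                      "only grant_type=password is implemented in this example")

    # 1. Client authentication (RFC 6749 Section 2.3 / 5.2).
    creds = _parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        # Client did not use the Authorization header: 400 invalid_client is correct.
        return _error(400, "invalid_client", "client authentication required")
    client_id, client_secret = creds
    expected_secret = CLIENTS.get(client_id, "")
    if not expected_secret or not _constant_time_eq(client_secret, expected_secret):
        # The client *did* authenticate via the Authorization header and failed, so
        # Section 5.2 says: 401 and a WWW-Authenticate matching the scheme it used.
        return _error(401, "invalid_client", "client authentication failed",
                      {"WWW-Authenticate": 'Basic realm="token"'})

    # 2. Resource owner credentials: a bad password is an invalid_grant, i.e. a 400.
    # No WWW-Authenticate is sent because no HTTP auth scheme is being challenged;
    # the password travelled in the form body, not in an Authorization header.
    username = form.get("username", "")
    password = form.get("password", "")
    expected_pw = RESOURCE_OWNERS.get(username, "")
    if not expected_pw or not _constant_time_eq(password, expected_pw):
        return _error(400, "invalid_grant", "resource owner credentials are invalid")

    # 3. Success (RFC 6749 Section 5.1).
    return Response(200,
                    {"Content-Type": "application/json",
                     "Cache-Control": "no-store", "Pragma": "no-cache"},
                    {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer", "expires_in": 3600})


if __name__ == "__main__":
    good_client = {"Authorization": basic_auth_header("web-app", "client-secret-123")}
    bad_client = {"Authorization": basic_auth_header("web-app", "nope")}
    for label, hdrs, form in [
        ("wrong user password", good_client, {"grant_type": "password", "username": "alice", "password": "x"}),
        ("wrong client secret", bad_client, {"grant_type": "password", "username": "alice", "password": "correct horse"}),
        ("valid request", good_client, {"grant_type": "password", "username": "alice", "password": "correct horse"}),
    ]:
        r = token_endpoint(hdrs, form)
        print(f"{label}: {r.status} {r.body.get('error', 'ok')} WWW-Authenticate={r.headers.get('WWW-Authenticate')}")
```

Run it and the three cases print 400 `invalid_grant` without a challenge header, 401 `invalid_client` with `WWW-Authenticate: Basic realm="token"`, and 200. The design point is the one from the answer: a 401 is an instruction to the HTTP client about how to authenticate *at the HTTP layer*, so it only makes sense when an HTTP auth scheme (the client's Basic credentials) was actually what failed; the resource owner's password is grant material inside the body, so a rejection of it is a malformed or unacceptable grant, hence 400. From a detection standpoint, this also means password-spraying against a token endpoint shows up as a burst of 400/`invalid_grant` responses rather than 401s, which is worth remembering when writing alerts.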