When using a Resource Owner Password grant type, it appears that an authorization server should respond with an HTTP 400 (Bad Request) status code if an access token could not be granted due to the resource owner entering an incorrect password. I have concluded this based on my understanding of RFC 6749 Section 5.2**, which says "The authorization server responds with an HTTP 400 (Bad Request) status code" in the case where a token could not be granted due to an invalid_grant. The reasons listed for an invalid_grant include the resource owner credentials being invalid.
Is my understanding correct? If so, why isn't HTTP 401 (Unauthorized) returned instead? With basic authentication an invalid password results in a 401. Why does OAuth 2.0 stipulate that 400 be returned? Is this because 401 is reserved for invalid client credentials?
** See https://www.rfc-editor.org/rfc/rfc6749#section-5.2
When a user tries to log in after the session ID has expired, the system throws an OAuth error. Solution: typically, clearing the browser or device cache fixes the problem.
The Authorization Code Grant Type is probably the most common of the OAuth 2.0 grant types that you'll encounter. It is used by both web apps and native apps to get an access token after a user authorizes an app.
At its core, an authorization server is simply an engine for minting OpenID Connect or OAuth 2.0 tokens. An authorization server is also used to apply access policies. Each authorization server has a unique issuer URI and its own signing key for tokens to keep a proper boundary between security domains.
OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
I was wondering this as well, but it seems that a 401 response requires returning a WWW-Authenticate header in the response, which doesn't make sense in this OAuth flow. This is the link to the thread where the spec designers discuss this issue.
And for completeness (tl;dr): here is the specific message where Eran Hammer-Lahav from the OAuth team clarifies this issue.
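The distinction discussed in the question and the answer above (400 `invalid_grant` for a wrong resource-owner password versus 401 plus `WWW-Authenticate` when the client's own HTTP Basic credentials fail) can be shown in a small token endpoint. The following is an added example, not code from the original question, the answer, or any OAuth library; the client registry, user store, salt and request shape are constructed for illustration, and `token_endpoint`, `basic_header` and the helper names are assumptions of this example.

```python
"""Token endpoint error handling for the Resource Owner Password grant,
following the error-response rules of RFC 6749 section 5.2.

Added example; the client/user data below is constructed, not real."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo data. Secrets are stored as PBKDF2 hashes so that the
# comparison never handles a stored plaintext secret.
_SALT = b"demo-salt-not-for-production"


def _hash(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 50_000)


CLIENTS = {"web-app": _hash("client-secret-123")}          # confidential client
USERS = {"alice": _hash("correct horse battery staple")}   # resource owner
_DUMMY = _hash("dummy")  # hashed against when the username is unknown


def _check(stored: bytes, presented: str) -> bool:
    """Constant-time comparison of derived hashes."""
    return hmac.compare_digest(stored, _hash(presented))


def basic_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic Authorization value a client would send."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _parse_basic(header_value: str):
    """Return (client_id, client_secret) from a Basic header, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def _error(status: int, error: str, description: str, extra_headers=None):
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    if extra_headers:
        headers.update(extra_headers)
    return status, headers, {"error": error, "error_description": description}


def token_endpoint(headers: dict, form: dict):
    """Handle POST /token for grant_type=password.

    Returns (status, response_headers, body_dict):
      * no Authorization header at all        -> 400 invalid_client
      * Authorization header present but bad  -> 401 invalid_client, with the
        WWW-Authenticate challenge that a 401 requires (RFC 6749 sec. 5.2)
      * client OK, resource owner password bad -> 400 invalid_grant; the client
        authenticated fine, so there is no challenge to issue and no 401.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return _error(400, "invalid_client", "client authentication required")
    creds = _parse_basic(auth)
    if (creds is None or creds[0] not in CLIENTS
            or not _check(CLIENTS[creds[0]], creds[1])):
        return _error(401, "invalid_client", "client authentication failed",
                      {"WWW-Authenticate": 'Basic realm="token"'})

    if form.get("grant_type") != "password":
        return _error(400, "unsupported_grant_type",
                      "only the password grant is implemented here")
    username, password = form.get("username"), form.get("password")
    if not username or password is None:
        return _error(400, "invalid_request",
                      "username and password are required")

    # Always run the hash so timing does not reveal which usernames exist.
    stored = USERS.get(username)
    if not _check(stored if stored is not None else _DUMMY, password) or stored is None:
        return _error(400, "invalid_grant",
                      "resource owner credentials are invalid")

    body = {"access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer", "expires_in": 3600}
    return 200, {"Content-Type": "application/json",
                 "Cache-Control": "no-store", "Pragma": "no-cache"}, body


if __name__ == "__main__":
    hdr = basic_header("web-app", "client-secret-123")
    bad_pw = {"grant_type": "password", "username": "alice", "password": "wrong"}
    print(json.dumps(token_endpoint({"Authorization": hdr}, bad_pw)))
```

Running the module shows the case from the question: the client is authenticated, the user's password is wrong, and the endpoint answers 400 with `invalid_grant` rather than 401. Sending a wrong client secret in the Basic header instead produces the 401 with `WWW-Authenticate`, which is the response a 401 needs a challenge header for.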