Comments (6)

jankapunkt commented on September 13, 2024

Hm but there is also

invalid_token
The access token provided is expired, revoked, malformed, or
invalid for other reasons. The resource SHOULD respond with
the HTTP 401 (Unauthorized) status code. The client MAY
request a new access token and retry the protected resource
request.

I think the part "invalid for other reasons" is interpreted as "missing". However, I agree that simply missing the token is rather a bad request than the token being invalid. Especially from a machine perspective the distinction has to be precise. A token that does not exist cannot be valid or invalid.

Is there any discussion on this in the original repo? This would be a breaking change, right?

Also we need to identify the places in the code and tests to be updated accordingly.

// cc @jwerre @HappyZombies

from node-oauth2-server.

jwerre commented on September 13, 2024

Both are good points. Just out of curiosity I've hit a couple of well-known APIs without an access token:

curl -I https://api.github.com/user
HTTP/2 401
curl -I https://api.stripe.com/v1/charges
HTTP/2 401
www-authenticate: Basic realm="Stripe"
curl -I https://api.twilio.com/2010-04-01/Accounts
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Twilio API"

Uzlopak commented on September 13, 2024

Thus, the correct ErrorCode for missing token is 400 and not 401

Uzlopak commented on September 13, 2024

Good argument, but this would also mean that we would not need that UnauthorizedRequestError but invalid_token with 401.

Uzlopak commented on September 13, 2024

I tested the three above-mentioned resource servers and only Stripe made an RFC 6750 conformant response.

Return Value of the resource server is:

{
  "error": {
    "message": "You did not provide an API key. You need to provide your API key in the Authorization header, using Bearer auth (e.g. 'Authorization: Bearer YOUR_SECRET_KEY'). See https://stripe.com/docs/api#authentication for details, or we can help at https://support.stripe.com/.",
    "type": "invalid_request_error"
  }
}

InvalidRequestError ^^

jwerre commented on September 13, 2024

So it should be 401:invalid_request_error. Do you concur @jankapunkt @HappyZombies?

from node-oauth2-server.
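
The three cases debated in this thread (no token at all, a malformed token, a well-formed but expired or unknown token), mapped to the responses RFC 6750 sections 3 and 3.1 give for them. This is an added example, not part of the thread and not code from node-oauth2-server. `REALM`, `TOKENS`, `challenge` and `classifyBearerRequest` are hypothetical names, the token store is constructed sample data, and the request is assumed to expose lower-cased header names as Node's `http` module does.

```javascript
// Hypothetical names and constructed data throughout; not the project's API.
const REALM = 'example';
// Constructed token store: token -> expiry (ms since epoch).
const TOKENS = new Map([
  ['good-token', Date.parse('2999-01-01T00:00:00Z')],
  ['old-token', Date.parse('2000-01-01T00:00:00Z')],
]);
const B64TOKEN = /^[A-Za-z0-9\-._~+/]+=*$/; // b64token syntax, RFC 6750 section 2.1

function challenge(status, error, description) {
  let value = `Bearer realm="${REALM}"`;
  if (error) value += `, error="${error}", error_description="${description}"`;
  return { status, headers: { 'WWW-Authenticate': value } };
}

function classifyBearerRequest(req, now = Date.now()) {
  const auth = req.headers.authorization;
  const queryToken = req.query && req.query.access_token;
  const match = auth ? /^Bearer(?:\s+(.*))?$/i.exec(auth.trim()) : null;

  // No credentials at all, or only a scheme this server does not support:
  // 401 with a bare challenge and no error code (section 3.1).
  if (!match && queryToken === undefined) return challenge(401);

  // Token sent by more than one method, or syntactically malformed: 400.
  if (match && queryToken !== undefined) {
    return challenge(400, 'invalid_request', 'token sent by more than one method');
  }
  const token = match ? match[1] : queryToken;
  if (typeof token !== 'string' || !B64TOKEN.test(token)) {
    return challenge(400, 'invalid_request', 'malformed access token');
  }

  // Well-formed but unknown or expired: 401 invalid_token.
  const expiry = TOKENS.get(token);
  if (expiry === undefined || expiry <= now) {
    return challenge(401, 'invalid_token', 'token is expired or unknown');
  }
  return { status: 200, headers: {} };
}
```
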
