From a4f39fc93ca2cb3b14eb1f3538ba5363148485be Mon Sep 17 00:00:00 2001
From: Free Duerinckx
Date: Wed, 4 Jul 2018 14:35:03 +0200
Subject: [PATCH] `invalid_grant` status code should be 400

According to section 5.2 of rfc 6749 (https://tools.ietf.org/html/rfc6749#section-5.2) A server should respond with 400 in case of an invalid grant. The given grant is invalid and the client should give other data. A 401 is not applicable here because the client is required to give a suitable Authorization header field which doesn't make any sense if you are trying to acquire a grant authentication. According to sections 10.4.1 and 10.4.2 of rfc 2616 (https://tools.ietf.org/html/rfc2616#section-10.4.1)
---
 oauthlib/oauth2/rfc6749/errors.py | 2 +-
 tests/oauth2/rfc6749/grant_types/test_refresh_token.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/oauthlib/oauth2/rfc6749/errors.py b/oauthlib/oauth2/rfc6749/errors.py
index 5a0cca2b..7b31d478 100644
--- a/oauthlib/oauth2/rfc6749/errors.py
+++ b/oauthlib/oauth2/rfc6749/errors.py
@@ -245,7 +245,7 @@ class InvalidGrantError(OAuth2Error):
     issued to another client.
     """
     error = 'invalid_grant'
-    status_code = 401
+    status_code = 400


 class UnauthorizedClientError(OAuth2Error):
diff --git a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
index 21540a21..f055c7d7 100644
--- a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
+++ b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
@@ -109,7 +109,7 @@ def test_invalid_token(self):
         token = json.loads(body)
         self.assertEqual(self.mock_validator.save_token.call_count, 0)
         self.assertEqual(token['error'], 'invalid_grant')
-        self.assertEqual(status_code, 401)
+        self.assertEqual(status_code, 400)

     def test_invalid_client(self):
         self.mock_validator.authenticate_client.return_value = False
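Review bot: The new `status_code = 400` carries no pointer to the RFC clause that justifies it, so a later reader who sees `invalid_grant` next to a 401-returning sibling error may "correct" it back; add `# RFC 6749 §5.2: invalid_grant is a 400; 401 is reserved for invalid_client when an HTTP auth scheme is used` directly above the assignment. Returning 400 instead of 401 also means no `WWW-Authenticate` challenge is implied for this error, which is right for an expired, revoked or mismatched code/refresh token (the client has nothing to re-present) — worth one line in the class docstring so the distinction from `invalid_client` is explicit. Any integrator that mapped this 401 to a credential prompt or a retry will see a behaviour change, so a changelog entry is warranted; that follows from the status-code change alone, not from anything else visible here. The `InvalidGrantError` class body starts outside the hunk (only the docstring tail is visible).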
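Review bot: The updated assertion pins the new 400 only through the refresh-token path; if `InvalidGrantError` is also raised by the authorization-code grant (the invalid/expired-code and redirect_uri-mismatch cases the class docstring enumerates), the corresponding assertion in that grant's tests still expects 401 and should be updated in the same commit — I cannot see those tests from here, so treat this as a check rather than a confirmed defect. If the response headers are available to this test (the tuple unpacking is outside the hunk), asserting that no `WWW-Authenticate` header accompanies the 400 would lock in the semantic difference from `invalid_client`, e.g. `self.assertNotIn('WWW-Authenticate', headers)`. `test_invalid_token` starts outside the hunk.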