Clarify 401 vs. 403 #105
Conversation
Straight from the horse's mouth (RFC 6750):
Thanks @fkooman, fixed in this PR (needs squashing of the two commits).
Same as #96?

On 6 November 2015 10:19:28 CET, Michiel de Jong notifications@github.com wrote:

Sent from my phone. Please excuse my brevity.
* 403 for all requests that either have insufficient scope, e.g. | ||
accessing a <module> for which no scope was obtained, or accessing | ||
data outside the user's <storage_root>, | ||
* 401 for all requests that don't have a valid bearer token, |
For which definition of "valid" though? Should perhaps be something like "for all requests with missing, expired or revoked token".
Yes, but additionally it fixes https://github.com/remotestorage/spec/pull/96/files#r44145820 and removes the stray 'either' from the 403 text.

Updated with phrasing from irc (because public documents don't require a valid bearer token), and with reference to [OAUTH].
* 403 for all requests that either have insufficient scope, e.g. | ||
accessing a <module> for which no scope was obtained, or accessing | ||
data outside the user's <storage_root>, | ||
* 401 for all requests that require a valid bearer token and |
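Review bot: the 403 bullet in this revision still opens with "either have insufficient scope, e.g. ... or accessing data outside the user's <storage_root>", so the stray 'either' that the earlier comment says was removed is still present, and it pairs "have insufficient scope" with "accessing data", which are not parallel; dropping 'either' and writing "403 for all requests that have insufficient scope (e.g. accessing a <module> for which no scope was obtained) or that access data outside the user's <storage_root>" reads cleanly. For the 401 bullet, "valid" is still undefined, as the review comments point out; since [BEARER] is already cited for this section, stating the condition in that document's terms (the request requires a bearer token and carries none, or carries one the server rejects as expired, revoked or otherwise invalid) would settle the question without introducing a new notion of validity.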
I still don't understand what "valid" is supposed to mean in this context. Syntactic validity might e.g. only mean that some value that fits the ABNF was sent. I couldn't find anything about valid tokens in the OAuth RFC.
It was [BEARER], not [OAUTH], sorry (it's also already mentioned at the start of the section).
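To make the distinction the two bullets draw concrete, here is an added example of a resource server's authorization decision; it is not code from the remotestorage/spec project or from anyone in this thread. It assumes a path layout of `/<user>/[public/]<module>/...` with `/<user>/` as the `<storage_root>`, a scope syntax of `<module>:r` / `<module>:rw` with `*` standing for the whole root, an in-memory token table in place of a real token store, and the realm name `remotestorage`; all tokens, scopes and paths in it are constructed sample data. "Valid" is pinned down the way the comments above propose: a token is rejected with 401 when it is missing, unknown, expired or revoked, and 403 is reserved for an accepted token whose grant does not cover the request.

```python
"""Decide between 401 and 403 for a remoteStorage-style resource server.

Added example; not code from the remotestorage/spec project. It models the
two bullets discussed in this PR: 401 when a request that needs a bearer
token carries none, or one the server does not accept (unknown, expired or
revoked), and 403 when the token is accepted but the request falls outside
the scopes it was granted or outside the user's <storage_root>. Public
documents are readable without a token. Error responses carry the
WWW-Authenticate header that [BEARER] (RFC 6750, section 3) requires.
All tokens, scopes and paths below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

REALM = "remotestorage"  # assumed realm name
NOW = 1_000_000.0        # fixed clock so the example is deterministic


@dataclass
class Token:
    user: str          # owner of the <storage_root> the token was issued for
    scopes: Set[str]   # e.g. {"contacts:rw", "photos:r"}; "*" stands for the whole root
    expires_at: float
    revoked: bool = False


# Constructed in-memory token store (stands in for the server's token database).
TOKENS = {
    "good-token":    Token("alice", {"contacts:rw", "photos:r"}, NOW + 3600),
    "expired-token": Token("alice", {"contacts:rw"}, NOW - 1),
    "revoked-token": Token("alice", {"contacts:rw"}, NOW + 3600, revoked=True),
}


def challenge(error: Optional[str] = None, **params: str) -> str:
    """Build a WWW-Authenticate: Bearer header value.

    The error code is omitted when the request carried no credentials at all,
    which is what RFC 6750 section 3.1 recommends.
    """
    parts = [f'realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    parts += [f'{key}="{value}"' for key, value in params.items()]
    return "Bearer " + ", ".join(parts)


def authorize(method: str, path: str, authorization: Optional[str],
              now: float = NOW) -> Tuple[int, Optional[str]]:
    """Return (status, www_authenticate); status 200 means the request may proceed."""
    # Assumed layout: /<user>/[public/]<module>/... ; "/<user>/" is the storage root.
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        return 404, None   # nothing to authorize against; outside this example's scope
    owner, rest = segments[0], segments[1:]
    public = rest[0] == "public" and len(rest) > 1
    module = rest[1] if public else rest[0]
    mode = "r" if method in ("GET", "HEAD") else "rw"

    # Public documents are readable without any token.
    if public and mode == "r":
        return 200, None

    # 401: the request needs a bearer token and has none.
    if not authorization or not authorization.startswith("Bearer "):
        return 401, challenge()
    token = TOKENS.get(authorization[len("Bearer "):].strip())

    # 401: token unknown, expired or revoked; [BEARER] calls this invalid_token.
    if token is None or token.revoked or token.expires_at <= now:
        return 401, challenge("invalid_token",
                              error_description="token is unknown, expired or revoked")

    # 403: the token is accepted, but the request reaches outside the user's
    # <storage_root> or outside the module/mode the token was granted.
    # (insufficient_scope is the [BEARER] code; the spec text fixes only the status.)
    required = f"{module}:{mode}"
    granted = {f"{m}:{mode}" for m in (module, "*")} | {f"{m}:rw" for m in (module, "*")}
    if token.user != owner or not (token.scopes & granted):
        return 403, challenge("insufficient_scope", scope=required)

    return 200, None
```

The ordering of the checks is the whole point: token presence and acceptability are decided before scope and path are even looked at, so a caller with no usable token is never told whether a module exists or which scope it would have needed, while a caller holding an accepted token gets the `insufficient_scope` challenge that tells it which grant to ask for.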
Force-pushed the branch from f336038 to e1fe09f.
+1
See https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error