Clarify 401 vs. 403

[michielbdejong]

See https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error

[ghost]

Straight from the horse's mouth (RFC 6750):

   insufficient_scope
         The request requires higher privileges than provided by the
         access token.  The resource server SHOULD respond with the HTTP
         403 (Forbidden) status code and MAY include the "scope"
         attribute with the scope necessary to access the protected
         resource.

[michielbdejong]

Thanks @fkooman, fixed in this PR (needs squashing of the two commits).

[untitaker]

Same as #96?

On 6 November 2015 10:19:28 CET, Michiel de Jong notifications@github.com wrote:

See
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error
You can view, comment on, or merge this pull request online at:

#105

-- Commit Summary --

• Clarify 401 vs. 403

-- File Changes --

M source.txt (5)

-- Patch Links --

https://github.com/remotestorage/spec/pull/105.patch
https://github.com/remotestorage/spec/pull/105.diff

---

Reply to this email directly or view it on GitHub:
#105

Sent from my phone. Please excuse my brevity.

[untitaker]

For which definition of "valid" though? Should perhaps be something like "for all requests with missing, expired or revoked token".

[michielbdejong]

Yes, but additionally it fixes https://github.com/remotestorage/spec/pull/96/files#r44145820 and removes the stray 'either' from the 403 text.

[michielbdejong]

Updated with phrasing from irc (because public documents don't require a valid bearer token), and with reference to [OAUTH].

[untitaker]

I still don't understand what "valid" is supposed to mean in this context. Syntactic validity might e.g. only mean that some value that fits the ABNF was sent. I couldn't find anything about valid tokens in the OAuth RFC.

[michielbdejong]

It was [BEARER], not [OAUTH], sorry (it's also already mentioned at the start of the section).

[ghost]

+1