Open soxofaan opened 10 months ago

AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid are currently associated with HTTP status code 403 (Forbidden): https://github.com/Open-EO/openeo-api/blob/c5a45b4647b06e313a4f099e9119bfa3cca5c6a3/errors.json#L360-L379

While discussing some auth related integrations, @JanssenBrm noted that 401 (Unauthorized) is actually more correct for these error situations. From RFC 9110:

So 403 means that the provided credentials were correctly parsed and the user is fully authenticated, but additional access rules deny permission. And 401 means that there is something wrong with the provided credentials, failing authentication.

---

Yeah, AuthenticationSchemeInvalid should probably be 401, TokenInvalid is debatable and both fit according to the quote, CredentialsInvalid is clearly 403 to me.

---

> TokenInvalid is debatable and both fit according to the quote

TokenInvalid (with message "Authorization token has expired or is invalid") only fits "401 ... lacks valid authentication credentials" in my understanding.

> CredentialsInvalid is clearly 403 to me.

I think I understand what you mean, but the current error code and message troubles that understanding I guess:

> CredentialsInvalid: Credentials are not correct

you can easily interpret this as unparsable/expired tokens. However "403 Forbidden" considers the provided tokens as valid, but the associated permissions are insufficient. I think it makes sense to clarify this a bit in the error message (changing the error code is probably too much of a change), e.g.

> The provided credentials do not give access to the requested resource
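The 401-versus-403 distinction from the thread, as an added example that is not code from the openeo-api project: a small request classifier that returns 401 (with the `WWW-Authenticate` challenge RFC 9110 requires for that status) when the scheme is unsupported or the token is not recognised, and 403 (no challenge) when the token is valid but lacks the permission the resource needs. The `classify_request` function, its `Bearer`-only scheme, the `KNOWN_TOKENS` table and the `required_scope` parameter are assumptions made for illustration; the error code names and messages are the ones discussed above.

```python
"""Map authentication failures to HTTP 401 vs 403 (added example, not openeo-api code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample token store: token -> set of scopes it grants. Hypothetical.
KNOWN_TOKENS = {
    "basic//tok-123": {"read"},
}


@dataclass
class ErrorResponse:
    code: str
    message: str
    status: int
    headers: dict = field(default_factory=dict)


def auth_error(code: str) -> ErrorResponse:
    """Build the HTTP response for one of the three error codes from the thread.

    401 (RFC 9110 15.5.2) is for requests that lack valid credentials, and the
    response MUST carry a WWW-Authenticate challenge telling the client how to
    authenticate. 403 (15.5.4) is for credentials that were accepted but do not
    grant access; no challenge is sent because re-authenticating will not help.
    """
    if code == "AuthenticationSchemeInvalid":
        return ErrorResponse(
            code, "Authentication scheme is invalid or not supported.",
            401, {"WWW-Authenticate": "Bearer"})
    if code == "TokenInvalid":
        return ErrorResponse(
            code, "Authorization token has expired or is invalid.",
            401, {"WWW-Authenticate": "Bearer"})
    if code == "CredentialsInvalid":
        # Wording proposed in the thread: the token is valid, the access is not.
        return ErrorResponse(
            code, "The provided credentials do not give access to the requested resource.",
            403)
    raise ValueError(f"unknown error code {code!r}")


def classify_request(headers: dict, required_scope: str) -> Optional[ErrorResponse]:
    """Return the error response a request should get, or None if it may proceed.

    Only the 'Bearer' scheme is accepted here (an assumption of this example).
    """
    value = headers.get("Authorization")
    if value is None:
        # No credentials at all: the client has not tried to authenticate yet.
        return auth_error("AuthenticationSchemeInvalid")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        # Wrong or malformed scheme: credentials could not even be parsed.
        return auth_error("AuthenticationSchemeInvalid")
    granted = KNOWN_TOKENS.get(token)
    if granted is None:
        # Parsed fine, but the token is unknown/expired: authentication failed.
        return auth_error("TokenInvalid")
    if required_scope not in granted:
        # Authenticated successfully, but this principal may not do this.
        return auth_error("CredentialsInvalid")
    return None


if __name__ == "__main__":
    for hdrs, scope in [({}, "read"),
                        ({"Authorization": "Basic abc"}, "read"),
                        ({"Authorization": "Bearer basic//nope"}, "read"),
                        ({"Authorization": "Bearer basic//tok-123"}, "write"),
                        ({"Authorization": "Bearer basic//tok-123"}, "read")]:
        print(hdrs, scope, "->", classify_request(hdrs, scope))
```

The point to check in any implementation of this mapping is the header, not just the number: a 401 without `WWW-Authenticate` is non-conforming and leaves clients unable to tell how to retry, while a 403 that carries a challenge invites pointless re-authentication loops.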