RADAR-base / RADAR-RestApi

RESTful interface to access near real-time data
Apache License 2.0

Use OAuth2 errors in WWW-Authenticate header #73

Closed blootsvoets closed 6 years ago

blootsvoets commented 6 years ago

In the OAuth2 spec, it states the following example for an error:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Bearer realm="example",
                      error="invalid_token",
                      error_description="The access token expired"

It would then not send a body. I would opt for using this technique rather than sending a JSON body back in AuthenticationFilter.
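An added sketch of the header-only response proposed above; it is not code from this issue or from RADAR-RestApi. The class and method names are hypothetical, the status mapping and allowed character set are taken from RFC 6750 section 3, and Java 9+ is assumed for `Map.of`.

```java
import java.util.Map;

// Added example: builds an RFC 6750 Bearer challenge. All names are hypothetical.
public final class BearerChallenge {
    // RFC 6750 section 3.1: HTTP status that goes with each error code.
    private static final Map<String, Integer> STATUS = Map.of(
            "invalid_request", 400,
            "invalid_token", 401,
            "insufficient_scope", 403);

    /** Status for an error code; null (request carried no credentials) maps to 401. */
    public static int statusFor(String error) {
        if (error == null) return 401;
        Integer status = STATUS.get(error);
        if (status == null) throw new IllegalArgumentException("unknown error code: " + error);
        return status;
    }

    /** Header value; error and description are null when no token was sent at all. */
    public static String headerValue(String realm, String error, String description) {
        StringBuilder sb = new StringBuilder("Bearer realm=\"").append(clean(realm)).append('"');
        if (error != null) {
            statusFor(error); // rejects codes that are not in the table
            sb.append(", error=\"").append(error).append('"');
            if (description != null) {
                sb.append(", error_description=\"").append(clean(description)).append('"');
            }
        }
        return sb.toString();
    }

    // RFC 6750 allows only %x20-21 / %x23-5B / %x5D-7E in error_description:
    // printable ASCII without '"' and '\'. Replacing everything else keeps CR/LF
    // from an exception message out of the header and keeps the quoted value closed.
    // The realm is cleaned the same way, which is stricter than HTTP requires.
    private static String clean(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            boolean ok = c >= 0x20 && c <= 0x7E && c != '"' && c != '\\';
            sb.append(ok ? c : '?');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs; the second description carries a quote and CRLF.
        String[] descriptions = {"The access token expired", "bad \"kid\"\r\nSet-Cookie: x=1"};
        for (String d : descriptions) {
            System.out.println(statusFor("invalid_token") + " " + headerValue("example", "invalid_token", d));
        }
        System.out.println(statusFor(null) + " " + headerValue("example", null, null));
    }
}
```

In a JAX-RS filter the two results would feed `Response.status(...)` and `.header("WWW-Authenticate", ...)` on a response built without an entity.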

blootsvoets commented 6 years ago

The next paragraph is also relevant: