onc-healthit / inferno-program

Archived source code for the Inferno Testing Tool and the Program Edition set of tests. No longer maintained.
https://inferno.healthit.gov/
Apache License 2.0

inferno TR-03: error responses can be extended to support http status 403. #422

Closed sanjay-hegde closed 2 years ago

sanjay-hegde commented 2 years ago

Thank you for reporting a possible bug in Inferno! Please fill in as much of the template below as you can.

Subject of the issue Inferno TR-03: Token refresh fails after token revocation response. Since the tokens are revoked for registered/authorized applications, error responses can be extended to support HTTP status 403.

Your environment Program Edition 1.8.2 Chrome

Steps to reproduce In Inferno Program Edition, under the Other section, run the Token Revocation tests.

Actual behavior Bad response code: expected 400 or 401

Expected actual behaviour + 403


Jammjammjamm commented 2 years ago

According to The OAuth 2.0 Authorization Framework RFC, 400 and 401 are the correct error statuses for a failed token refresh.

sanjay-hegde commented 2 years ago

As to why 403 would be helpful, from HTTP/1.1 Semantics and Content:

indicates that the server understood the request but refuses to authorize it. ... The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

Similar requirements in case of applications revoked by the patients.

Jammjammjamm commented 2 years ago

This is not a request for access to patient data, it is a request to refresh an access token. If it were a request for patient data using a bad token, a 403 would be acceptable. According to the OAuth 2.0 spec, however, a server returns a 400 status for a token refresh request with an invalid refresh token:

The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise) and includes the following parameters with the response: ... invalid_grant The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
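The behaviour the thread settles on, as an added example that is not Inferno's code or the project's own: a minimal token endpoint that answers a refresh_token grant with HTTP 400 and `invalid_grant` (RFC 6749 Section 5.2) when the refresh token is unknown, revoked, or was issued to a different client, alongside the same "expected 400 or 401" check that the Token Revocation test applies. The `TokenEndpoint` class, the token values and the client ids are constructed for the example.

```ruby
require 'json'

# Constructed, in-memory stand-in for an authorization server's token endpoint.
# It only models the RFC 6749 Section 6 refresh_token grant and the Section 5.2
# error response discussed in the thread.
class TokenEndpoint
  def initialize
    # refresh token => client it was issued to (sample data, constructed)
    @refresh_tokens = { 'rt-alpha' => 'client-a', 'rt-bravo' => 'client-b' }
    @revoked = []
  end

  # Token revocation (the RFC 7009 flow the Inferno test exercises first):
  # the refresh token stays known but is marked revoked.
  def revoke(refresh_token)
    @revoked << refresh_token
  end

  # Handle a refresh_token grant. Returns a hash with :status, :headers and :body
  # (the body already JSON-encoded, as an HTTP handler would send it).
  def refresh(params, client_id:)
    return error(400, 'unsupported_grant_type') unless params['grant_type'] == 'refresh_token'

    token = params['refresh_token']
    owner = @refresh_tokens[token]

    # RFC 6749 Section 5.2: a refresh token that is invalid, revoked, or issued to
    # another client yields invalid_grant with an HTTP 400, not a 403.
    if owner.nil? || @revoked.include?(token) || owner != client_id
      return error(400, 'invalid_grant', 'refresh token is invalid, expired, or revoked')
    end

    respond(200, 'access_token' => "at-#{token}", 'token_type' => 'Bearer', 'expires_in' => 300)
  end

  private

  def error(status, code, description = nil)
    body = { 'error' => code }
    body['error_description'] = description if description
    respond(status, body)
  end

  # Token responses carry no-store caching headers (RFC 6749 Section 5.1 / 5.2).
  def respond(status, body)
    {
      status: status,
      headers: { 'Content-Type' => 'application/json', 'Cache-Control' => 'no-store', 'Pragma' => 'no-cache' },
      body: JSON.generate(body)
    }
  end
end

# Mirrors the assertion behind the test output quoted in the issue
# ("Bad response code: expected 400 or 401"): after revocation, a refresh
# attempt must fail with a token-endpoint error status.
def acceptable_refresh_failure?(response)
  [400, 401].include?(response[:status])
end

if __FILE__ == $PROGRAM_NAME
  endpoint = TokenEndpoint.new
  endpoint.revoke('rt-alpha')
  res = endpoint.refresh({ 'grant_type' => 'refresh_token', 'refresh_token' => 'rt-alpha' }, client_id: 'client-a')
  puts "#{res[:status]} #{res[:body]} acceptable=#{acceptable_refresh_failure?(res)}"
end
```

The check deliberately rejects a 403: a resource server may answer a data request that way, but the token endpoint's contract for a bad refresh token is the 400 `invalid_grant` body, which is what the test is looking for.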