jaredhanson / oauth2orize

OAuth 2.0 authorization server toolkit for Node.js.

Home Page:https://www.oauth2orize.org?utm_source=github&utm_medium=referral&utm_campaign=oauth2orize

TokenError defaults don't follow the RFC 6749

dposs-likindo opened this issue · comments

According to RFC 6749 (The OAuth 2.0 Authorization Framework):

5.2. Error Response

The authorization server responds with an HTTP 400 (Bad Request)
status code (unless specified otherwise).

From https://tools.ietf.org/html/rfc6749#section-5.2

As you can see in this section of the RFC, the only exception is the "invalid_client" error, when the HTTP 401 (Unauthorized) status code may be supplied.

But, looking at the TokenError, we see these status codes, which go against the RFC:

function TokenError(message, code, uri, status) {
	if (!status) {
		switch (code) {
			case 'invalid_request': status = 400; break;
			case 'invalid_client': status = 401; break;
			case 'invalid_grant': status = 403; break;
			case 'unauthorized_client': status = 403; break;
			case 'unsupported_grant_type': status = 501; break;
			case 'invalid_scope': status = 400; break;
		}
	}
	...
}
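Added example, not code from the issue or from oauth2orize: it places the quoted defaults beside the status mapping RFC 6749 section 5.2 prescribes, builds an error response that follows it, and reports which library defaults disagree. The names `rfcTokenErrorStatus`, `buildTokenErrorResponse`, `nonCompliantDefaults` and the `authScheme` argument are my own.

```javascript
'use strict';

// Defaults quoted in the issue from oauth2orize's TokenError constructor.
const LIBRARY_DEFAULTS = {
  invalid_request: 400,
  invalid_client: 401,
  invalid_grant: 403,
  unauthorized_client: 403,
  unsupported_grant_type: 501,
  invalid_scope: 400,
};

// RFC 6749 section 5.2: respond 400 unless specified otherwise. The only
// exception is invalid_client, which MAY be 401; if the client authenticated
// via the Authorization header it MUST be 401 with a WWW-Authenticate header
// naming the scheme the client used.
function rfcTokenErrorStatus(code, authScheme) {
  if (code === 'invalid_client' && authScheme) return 401;
  return 400;
}

// Assemble the error response of section 5.2. `authScheme` (assumed input)
// is the HTTP auth scheme the client used, e.g. 'Basic', or undefined.
function buildTokenErrorResponse(code, description, authScheme) {
  const status = rfcTokenErrorStatus(code, authScheme);
  const headers = { 'Content-Type': 'application/json' };
  if (status === 401) headers['WWW-Authenticate'] = authScheme;
  const body = { error: code };
  if (description) body.error_description = description;
  return { status, headers, body };
}

// List the error codes whose library default disagrees with section 5.2:
// anything other than 400, except the permitted invalid_client -> 401.
function nonCompliantDefaults(defaults) {
  return Object.keys(defaults).filter((code) => {
    if (defaults[code] === 400) return false;
    return !(code === 'invalid_client' && defaults[code] === 401);
  });
}

console.log(nonCompliantDefaults(LIBRARY_DEFAULTS));
// -> [ 'invalid_grant', 'unauthorized_client', 'unsupported_grant_type' ]
```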