OAuth 2.0 - Why does the authorization server return 400 instead of 401 when the resource owner credentials are invalid?


Question

When using a Resource Owner Password grant type, it appears that an authorization server should respond with an HTTP 400 (Bad Request) status code if an access token could not be granted due to the resource owner entering an incorrect password. I have concluded this based on my understanding of RFC 6749 Section 5.2**, which says "The authorization server responds with an HTTP 400 (Bad Request) status code" in the case where a token could not be granted due to an invalid_grant. The reasons listed for an invalid_grant include the resource owner credentials being invalid.

Is my understanding correct? If so, why isn't HTTP 401 (Unauthorized) returned instead? With basic authentication an invalid password results in a 401. Why does OAuth 2.0 stipulate that 400 be returned? Is this because 401 is reserved for invalid client credentials?

**See http://tools.ietf.org/html/rfc6749#section-5.2

Recommended answer

I was wondering this as well, but it seems that a 401 response requires returning a WWW-Authenticate header in the response, which doesn't make sense in this OAuth flow. This is the link to the thread where the spec designers discuss this issue.

And for completeness (tl;dr): here is the specific message where Eran Hammer-Lahav from the OAuth team clarifies this issue.

