Unauthorized: supply access token request URL


Jørn Wildt

Mar 3, 2010, 3:44:45 AM
to OAuth WRAP WG
The WRAP spec says:

"If the Access Token has expired or is invalid, the ProtectedResource MUST return: HTTP 401 Unauthorized"

But how about informing the client about how to acquire an access token? The response could for instance be:

401 Unauthorized
Content-Type: application/vnd.wrap-authorization-info.xml

<wrap-authorization-info>
<access-token-url> http://blahblah </access-token-url>
</wrap-authorization-info>

Thereby telling the client which end-point URL(s) it should (could) acquire an access token from.

Is there any standard for this kind of information? It would make the client less dependent on a priori knowledge about end-points.

Thanks, Jørn

Allen Tom

Mar 3, 2010, 4:56:49 PM
to oauth-...@googlegroups.com
Hi Jorn,

This is an interesting idea and has been suggested a few times in the OAuth
world. This idea is very similar to how web applications issue a redirect to
the browser to the URL of the application's Login server if the user isn't
currently logged into the website.

A potential issue is that some service providers might accept credentials
from multiple auth servers. For example, a SaaS vendor might accept
credentials that are issued by any of their customers. It might not be a
good idea for the SaaS endpoint to return a list of URLs for all of their
customers.

Allen
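Added example, not part of the original thread and not code from the WRAP working group: a sketch of the 401 response Jørn proposes, built on the resource-server side so that it advertises only the token endpoint for the tenant a request is scoped to (addressing Allen's point about a SaaS endpoint leaking every customer's auth server), plus the client-side parsing. The tenant table, the function names, the https/allowlist policy and how a resource server identifies the tenant are all assumptions made here; the XML element names are the ones from Jørn's post.

```python
"""Sketch of a WRAP-style 401 with authorization info (added example).

Assumed: the protected resource knows, per tenant, one token endpoint; how it
maps an incoming request to a tenant (Host header, path prefix, API key) is
outside this example and passed in as a string.
"""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Media type exactly as proposed in the thread.
CONTENT_TYPE = "application/vnd.wrap-authorization-info.xml"

# Constructed sample data: token endpoints of two hypothetical customers.
TENANT_TOKEN_ENDPOINTS: Dict[str, str] = {
    "acme.example": "https://login.acme.example/wrap/token",
    "globex.example": "https://sso.globex.example/wrap/token",
}


def build_unauthorized_response(tenant: Optional[str]) -> Tuple[int, Dict[str, str], bytes]:
    """Resource-server side: build the 401 with an authorization-info body.

    Only the endpoint belonging to the requesting tenant is advertised. A
    request that cannot be attributed to a tenant gets an empty document,
    never the whole table, so the response does not enumerate customers.
    """
    root = ET.Element("wrap-authorization-info")
    url = TENANT_TOKEN_ENDPOINTS.get(tenant) if tenant else None
    if url is not None:
        ET.SubElement(root, "access-token-url").text = url
    body = ET.tostring(root, encoding="utf-8")
    return 401, {"Content-Type": CONTENT_TYPE}, body


def parse_authorization_info(body: bytes) -> List[str]:
    """Client side: extract the advertised access-token URLs.

    ElementTree does not fetch external entities, so a hostile body cannot
    turn this parse into an XXE read; a malformed body raises ParseError.
    """
    root = ET.fromstring(body)
    if root.tag != "wrap-authorization-info":
        raise ValueError("not a wrap-authorization-info document")
    return [e.text.strip() for e in root.findall("access-token-url")
            if e.text and e.text.strip()]


def choose_token_endpoint(urls: List[str], trusted_hosts: Set[str]) -> Optional[str]:
    """Client side: pick an endpoint the client is willing to send credentials to.

    The hint arrives in an unauthenticated 401, so the client treats it as a
    discovery aid, not as an instruction: the URL must be https and its host
    must already be on the client's allowlist of token issuers (assumed policy).
    """
    for url in urls:
        parts = urlparse(url)
        if parts.scheme == "https" and parts.hostname in trusted_hosts:
            return url
    return None


if __name__ == "__main__":
    status, headers, body = build_unauthorized_response("acme.example")
    print(status, headers["Content-Type"])
    print(body.decode())
    hints = parse_authorization_info(body)
    print("advertised:", hints)
    print("chosen:", choose_token_endpoint(hints, {"login.acme.example"}))
```

Run as a script it prints the 401 status, the proposed media type, the XML body for the acme tenant and the endpoint the client settles on; swap the tenant for a name not in the table to see the empty document that stands in for "unknown caller".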
