

For years, there’s been an ongoing discussion which HTTP status code to use for the “not authorized” scenario – and the original HTTP 1.1 specification wasn’t exactly crystal clear about the distinction between 401 (unauthorized) and 403 (forbidden).

But there is definitely the need to distinguish between the situation where no or invalid credentials were supplied with a request and the situation where a valid credential was supplied, but the “entity” belonging to that credential is not authorized for the operation it is trying to do.

In good old ASP.NET FormsAuth (well, this also applies to the brand new cookie middleware in Katana) – a 401 is turned into a 302 to the login page. That’s fine for anonymous requests – but when a user is already authenticated, a failed authorization (e.g. using …) will result in showing the login page again – not very intuitive.

You might have heard that the HTTP 1.1 spec has been re-written recently. It is now clearer on the status codes as well (you know it is getting serious when you see a Courier font, right?):

The “Bearer Token Usage” spec is pretty clear about this. Expired or malformed tokens should return a 401 – missing scopes should result in a 403.

… expired or if it is missing the necessary scopes.
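The distinction the post draws, written out as decision logic, is shown below as an added example; it is not code from the post, from ASP.NET or from Katana. The token store, realm name, token values and session shape are constructed for the demo. The bearer part follows the error codes of the “Bearer Token Usage” spec (RFC 6750: `invalid_token` with 401, `insufficient_scope` with 403), and the cookie part shows the browser variant where only the anonymous case gets the 302 to the login page.

```python
"""401 vs 403 decision logic (added example, not the post's own code).

The token store, realm and session shapes below are constructed for the
demo; a real API would validate a JWT or a reference token instead."""
import time

# Constructed token store: token -> expiry (unix seconds) and granted scopes.
TOKENS = {
    "tok-reader":  {"expires": 2_000_000_000, "scopes": {"read"}},
    "tok-admin":   {"expires": 2_000_000_000, "scopes": {"read", "write"}},
    "tok-expired": {"expires": 1_000_000_000, "scopes": {"read", "write"}},
}

REALM = "example-api"  # assumed realm name for the demo


def bearer_decision(headers, required_scope, now=None):
    """Return (status, response_headers) for a bearer-protected API request.

    401 + WWW-Authenticate: no usable credential (missing, malformed, expired)
    403 + insufficient_scope: the credential is valid but lacks the scope
    """
    now = time.time() if now is None else now
    auth = headers.get("Authorization")

    # No credential at all: plain challenge, no error code (RFC 6750 3.1).
    if auth is None:
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}

    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        # Wrong scheme or empty token: the post's "malformed" case -> 401.
        return 401, {"WWW-Authenticate":
                     f'Bearer realm="{REALM}", error="invalid_token", '
                     'error_description="malformed credential"'}

    record = TOKENS.get(token.strip())
    if record is None or record["expires"] <= now:
        # Unknown or expired token: the client must obtain a new one -> 401.
        return 401, {"WWW-Authenticate":
                     f'Bearer realm="{REALM}", error="invalid_token", '
                     'error_description="token is invalid or expired"'}

    if required_scope not in record["scopes"]:
        # Authenticated but not authorized: re-authenticating would not help,
        # so 403 and tell the client which scope it would need.
        return 403, {"WWW-Authenticate":
                     f'Bearer realm="{REALM}", error="insufficient_scope", '
                     f'scope="{required_scope}"'}

    return 200, {}


def cookie_decision(session, required_role, login_url="/login"):
    """Browser/cookie variant of the same distinction.

    Anonymous -> 302 to the login page is fine; a signed-in user who fails
    authorization must not be bounced back to login (the behaviour the post
    criticises) and gets a 403 instead. `session` is a constructed dict
    with a "roles" entry, or None when no cookie was presented."""
    if session is None:
        return 302, {"Location": login_url}
    if required_role not in session.get("roles", ()):
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    fixed_now = 1_500_000_000  # between the constructed expiry values
    for hdrs, scope in [({}, "read"),
                        ({"Authorization": "Bearer tok-expired"}, "read"),
                        ({"Authorization": "Bearer tok-reader"}, "write"),
                        ({"Authorization": "Bearer tok-admin"}, "write")]:
        print(hdrs.get("Authorization"), scope, bearer_decision(hdrs, scope, fixed_now))
    print(cookie_decision(None, "admin"), cookie_decision({"roles": ["user"]}, "admin"))
```

The point to check in a real middleware pipeline is the last branch of each function: a 403 must reach the client unchanged, while only the anonymous 401 is the one a cookie handler is allowed to turn into a redirect.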
