Access token refresh and HTTP error code handling 400 vs 401

Printable View

Oct 18th, 2012, 08:29 AM
Jeremy_Mason

Access token refresh and HTTP error code handling 400 vs 401

Hi all,

We noticed that when attempting to refresh an access token with an expired refresh token using /authorize, HTTP Status Code 400 is being returned. This is from the following code:

Code:

ExpiringOAuth2RefreshToken refreshToken = readRefreshToken(refreshTokenValue); if (refreshToken == null) { throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue); }

I wanted to understand why the software is not returning a 401 and the rationale for returning a 400. I'm trying to figure out if it's worth changing the behaviour to return 401.

We are still using M4.

Would really appreciate your thoughts on this.

Jeremy
Oct 18th, 2012, 10:46 AM
Dave Syer

The spec is clear on this as far as I can tell - errors from the refresh grant can only be treated as invalid_grant and that doesn't give you the option for a 401. If your reading is different I would be more than happy to agree, but please upgrade to RC3 before proposing any changes.
Oct 18th, 2012, 03:01 PM
Jeremy_Mason

Hey thanks very much. Section 5.2 of the spec does state invalid_grant includes refresh_token has expired so the 400 behaviour is correct. Thanks for pointing me in the right direction.