Thread: Access token refresh and HTTP error code handling 400 vs 401

  1. #1
    Join Date
    Nov 2010
    Posts
    10

    Access token refresh and HTTP error code handling 400 vs 401

    Hi all,

    We noticed that when attempting to refresh an access token with an expired refresh token using /authorize, HTTP Status Code 400 is being returned. This is from the following code:
    Code:
    ExpiringOAuth2RefreshToken refreshToken = readRefreshToken(refreshTokenValue);
    if (refreshToken == null) {
        // Lookup failed: rejected with InvalidGrantException, which surfaces as the HTTP 400 described above
        throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
    }
    I wanted to understand why the software is not returning a 401 and the rationale for returning a 400. I'm trying to figure out if it's worth changing the behaviour to return 401.

    We are still using M4.

    Would really appreciate your thoughts on this.

    Jeremy

  2. #2
    Join Date
    Jun 2005
    Posts
    4,231

    The spec is clear on this as far as I can tell - errors from the refresh grant can only be treated as invalid_grant and that doesn't give you the option for a 401. If your reading is different I would be more than happy to agree, but please upgrade to RC3 before proposing any changes.

  3. #3
    Join Date
    Nov 2010
    Posts
    10

    Hey, thanks very much. Section 5.2 of the spec does state that invalid_grant includes the case where the refresh token has expired, so the 400 behaviour is correct. Thanks for pointing me in the right direction.
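Worked illustration of the status codes discussed in this thread (added here; it is not code from Spring Security OAuth or from either poster): a minimal token endpoint that reports an expired or unknown refresh token as 400 invalid_grant per RFC 6749 section 5.2, reserves 401 for the one case that section permits (invalid_client), and, going one step beyond the thread, a resource-endpoint check showing where a 401 for an expired token does belong (RFC 6750 section 3.1, the Bearer challenge). The client table, token stores and fixed clock are constructed stand-ins.

```python
"""Status-code mapping for an expired refresh token, as RFC 6749 section 5.2
prescribes for the token endpoint.

Added illustration for this thread; not code from Spring Security OAuth.
The client table, token stores and fixed clock are constructed stand-ins.
"""
from dataclasses import dataclass, field

NOW = 1_700_000_000  # fixed clock (constructed) so the example is deterministic

# Constructed registry: one confidential client, client_id -> client_secret.
CLIENTS = {"app-1": "s3cret"}

# Constructed refresh-token store: one live token and one that expired an hour ago.
REFRESH_TOKENS = {
    "rt-live": {"client_id": "app-1", "expires_at": NOW + 3600},
    "rt-stale": {"client_id": "app-1", "expires_at": NOW - 3600},
}


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def _error(status, code, description=None, headers=None):
    """Error response in the shape section 5.2 requires: JSON body with 'error'."""
    body = {"error": code}
    if description:
        body["error_description"] = description
    hdrs = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    hdrs.update(headers or {})
    return Response(status, body, hdrs)


def token_endpoint(params, client_id, client_secret, now=NOW):
    """Token endpoint handling of the refresh_token grant.

    Section 5.2 reports every grant-level failure, an expired, revoked or
    unknown refresh token included, as 400 invalid_grant. The only non-400
    status it permits is 401 for invalid_client, when client authentication
    itself fails.
    """
    if client_id not in CLIENTS or CLIENTS[client_id] != client_secret:
        # Client authentication failed: 401 with a WWW-Authenticate challenge is allowed here.
        return _error(401, "invalid_client",
                      headers={"WWW-Authenticate": 'Basic realm="token"'})
    if params.get("grant_type") != "refresh_token":
        return _error(400, "unsupported_grant_type")
    rt_value = params.get("refresh_token")
    if not rt_value:
        return _error(400, "invalid_request", "refresh_token is required")
    rt = REFRESH_TOKENS.get(rt_value)
    # Unknown token, or one issued to another client: invalid_grant, same as expiry.
    if rt is None or rt["client_id"] != client_id:
        return _error(400, "invalid_grant", "Invalid refresh token")
    if rt["expires_at"] <= now:
        return _error(400, "invalid_grant", "Refresh token has expired")
    # Success: issue a new access token (value constructed for the example).
    return Response(200, {
        "access_token": f"at-{rt_value}-{now}",
        "token_type": "Bearer",
        "expires_in": 3600,
    }, {"Content-Type": "application/json", "Cache-Control": "no-store"})


# Constructed access-token store for the resource-server side: value -> expires_at.
ACCESS_TOKENS = {"at-good": NOW + 600, "at-old": NOW - 600}


def resource_endpoint(bearer_token, now=NOW):
    """Resource-server side, RFC 6750 section 3.1: an expired or unknown access
    token is answered with 401 and a Bearer challenge carrying error="invalid_token".
    This is the 401 one might expect for an expired token; it belongs to the
    resource server, not to the token endpoint's refresh grant.
    """
    expires_at = ACCESS_TOKENS.get(bearer_token)
    if expires_at is None or expires_at <= now:
        return Response(401, {}, {"WWW-Authenticate": 'Bearer error="invalid_token"'})
    return Response(200, {"data": "ok"})


if __name__ == "__main__":
    stale = token_endpoint({"grant_type": "refresh_token", "refresh_token": "rt-stale"},
                           "app-1", "s3cret")
    print(stale.status, stale.body)
    print(resource_endpoint("at-old").status, resource_endpoint("at-old").headers)
```

The point the two functions make together: the refresh grant at the token endpoint never produces a 401 for a bad or expired refresh token, only for failed client authentication; the 401 associated with expired tokens is the resource server's Bearer challenge on the access token, which is a different endpoint and a different RFC.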
