Redirect on 403 Forbidden?


Andrew Clarke

Jun 4, 2016, 9:09:16 AM
to API Craft
I'm new to REST - so apologies if any of this sounds dumb.


Say I have an "item representation" - for simplicity there are two items A and B - item A has a link to item B - but in some circumstances I want to make B forbidden AND I want to let the user know why item B is forbidden.

So call to Item A ...

/api/item/ITM-A

then try to follow the link to ... 

/api/item/ITM-B  (which is forbidden)

So a couple of options (bearing in mind I want to say why the representation was forbidden) ...

1. Return ITM-B with 403 and a message describing the issue

2. Return ITM-A with the 403 and a message describing the issue


Is returning ITM-B with data breaking some rule?  It's supposed to be forbidden, but I'm returning 'something' to say why it's forbidden.  I think I prefer it, but is it best to return A - which maybe suggests more that B is inaccessible?  But then the 403 on ITM-A doesn't make sense, as 403 is accessible.


Like I said at the start, apologies if this is a dumb question, but some more experienced opinion would be very welcome. :)


sune jakobsson

Jun 4, 2016, 1:41:39 PM
to api-...@googlegroups.com
Any client receiving a 4xx should interpret that as an ERROR, and kind of disregard the "result". Very few clients will actually care any more.

Sune


Chamal Nanayakkara

Jun 4, 2016, 2:04:57 PM
to api-...@googlegroups.com
I think the important thing to remember here is that your API will be consumed by an application and not a human. When a client application receives a 403 response, it should immediately recognize that that particular resource is not available to it. So to indicate that your client cannot access Item B, you should return a 403 response (along with any additional details for troubleshooting if you need to) when the client asks specifically for Item B. You shouldn't depend on a client that you don't have control over to keep track of which resource they tried to access, which resource they were redirected to, and also the relationship between the two.

Andrew Clarke

Jun 5, 2016, 3:54:51 AM
to API Craft
Ok thanks, that's helpful.  I think I have been thinking too human on this as you suggested, I've been navigating the API myself trying to make it as intuitive as possible.

Andrew B

Jun 7, 2016, 8:54:53 PM
to API Craft
It's fine to return additional information with the 403.

See RFC 7807 (https://tools.ietf.org/html/rfc7807#page-2) which explicitly mentions this and provides a mechanism for passing back error information.
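The two points made in the replies above (answer the 403 for the resource that was actually requested, and carry the explanation in an RFC 7807 problem document rather than in a redirect or in item data) fit together in a short example. This is added illustration, not code from anyone in the thread. The item ids ITM-A and ITM-B are taken from the question; the item contents, the reason text and the `https://example.com/problems/...` type URI are constructed for the example.

```python
"""Added example: a 403 on /api/item/ITM-B carrying an RFC 7807 problem document,
plus a client that treats any 4xx as an error. Item data, reason text and the
problem 'type' URI are constructed for illustration."""
import json
from http import HTTPStatus

PROBLEM_TYPE = "application/problem+json"  # media type defined by RFC 7807

# Constructed sample data: ITM-A links to ITM-B, and ITM-B is forbidden.
ITEMS = {
    "ITM-A": {"id": "ITM-A", "links": {"next": "/api/item/ITM-B"}},
    "ITM-B": {"id": "ITM-B", "secret": "never sent to a forbidden caller"},
}
FORBIDDEN = {"ITM-B": "Item ITM-B is restricted to the owning account."}


def problem_response(status, detail, instance):
    """Build (status code, headers, body) with an RFC 7807 problem body.

    'type' identifies the class of problem (hypothetical URI here), 'title' is
    the status phrase, 'detail' the human-readable reason the question asked
    for, and 'instance' the request that failed. No item fields are included.
    """
    body = {
        "type": "https://example.com/problems/" + status.phrase.lower().replace(" ", "-"),
        "title": status.phrase,
        "status": status.value,
        "detail": detail,
        "instance": instance,
    }
    return status.value, {"Content-Type": PROBLEM_TYPE}, json.dumps(body)


def get_item(item_id):
    """Server side: respond for the resource that was requested, never for ITM-A."""
    path = f"/api/item/{item_id}"
    if item_id in FORBIDDEN:
        # Option 1 from the question: 403 on ITM-B itself, with the reason.
        return problem_response(HTTPStatus.FORBIDDEN, FORBIDDEN[item_id], path)
    if item_id not in ITEMS:
        return problem_response(HTTPStatus.NOT_FOUND, f"No item {item_id}.", path)
    return HTTPStatus.OK.value, {"Content-Type": "application/json"}, json.dumps(ITEMS[item_id])


def handle_response(status, headers, body):
    """Client side: any 4xx is an error; only read the body if it is a problem document.

    Returns ("ok", item) or ("error", problem-or-None). The client keeps only the
    RFC 7807 fields, so nothing resembling item data is ever consumed on an error.
    """
    if 400 <= status < 500:
        if headers.get("Content-Type") == PROBLEM_TYPE:
            problem = json.loads(body)
            fields = ("type", "title", "status", "detail", "instance")
            return "error", {k: problem.get(k) for k in fields}
        return "error", None
    return "ok", json.loads(body)


if __name__ == "__main__":
    # The sequence from the question: fetch ITM-A, then follow its link to ITM-B.
    outcome, item_a = handle_response(*get_item("ITM-A"))
    print(outcome, item_a)
    next_id = item_a["links"]["next"].rsplit("/", 1)[1]
    outcome, problem = handle_response(*get_item(next_id))
    print(outcome, problem)
```

The client does not need to remember that it came from ITM-A: the `instance` field already names the forbidden resource, and the `detail` field carries the explanation, which is exactly what the question wanted to convey without bending the meaning of 403 on ITM-A.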