Unauthorized: supply access token request URL


Jørn Wildt

Mar 3, 2010, 3:44:45 AM3/3/10
to OAuth WRAP WG
The WRAP spec says:

"If the Access Token has expired or is invalid, the Protected
Resource MUST return: HTTP 401 Unauthorized"

But how about informing the client about how to acquire an access
token? The response could for instance be:

401 Unauthorized
Content-Type: application/vnd.wrap-authorization-info.xml

<wrap-authorization-info>
<access-token-url>http://blahblah</access-token-url>
</wrap-authorization-info>

Thereby telling the client which end-point URL(s) it should (could)
acquire an access token from.

Is there any standard for this kind of information? It would make the
client less dependent on a priori knowledge about end-points.

Thanks, Jørn

Allen Tom

Mar 3, 2010, 4:56:49 PM3/3/10
to oauth-...@googlegroups.com
Hi Jorn,

This is an interesting idea and has been suggested a few times in the OAuth
world. This idea is very similar to how web applications issue a redirect to
the browser to the URL of the application's Login server if the user isn't
currently logged into the website.

A potential issue is that some service providers might accept credentials
from multiple auth servers. For example, a SaaS vendor might accept
credentials that are issued by any of their customers. It might not be a
good idea for the SaaS endpoint to return a list of URLs for all of their
customers.

Allen
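The exchange Jørn proposes, with a client that consumes the 401 body the way Allen's multi-issuer point suggests it should, as an added example that is not part of the thread or of the WRAP spec. The media type and element names are taken from the post; the sample URLs, the `WRAP` scheme name in `WWW-Authenticate`, the body size cap and the trusted-host check are assumptions of this example. The point the example adds: the 401 body is unauthenticated, so a client should only use it to pick among endpoints it was already configured to trust, never to learn new ones.

```python
"""Added example (not from the thread or the WRAP spec): a 401 that advertises the
access-token endpoint, and a client that consumes it without trusting it blindly."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Media type and element names are taken from Jørn's proposal in the thread.
CONTENT_TYPE = "application/vnd.wrap-authorization-info.xml"
ROOT_TAG = "wrap-authorization-info"
URL_TAG = "access-token-url"
MAX_BODY = 4096  # assumption: cap so an oversized body cannot tie up the parser


def build_unauthorized_response(access_token_urls):
    """Protected Resource side: 401 plus the proposed document listing where tokens can be obtained."""
    root = ET.Element(ROOT_TAG)
    for url in access_token_urls:
        ET.SubElement(root, URL_TAG).text = url
    body = ET.tostring(root, encoding="unicode")
    headers = {
        # RFC 2616 requires WWW-Authenticate on a 401; the scheme name is an assumption here.
        "WWW-Authenticate": "WRAP",
        "Content-Type": CONTENT_TYPE,
    }
    return 401, headers, body


def parse_authorization_info(content_type, body):
    """Client side: return the advertised URLs, or [] if the body is not the expected document."""
    if content_type.split(";", 1)[0].strip().lower() != CONTENT_TYPE:
        return []
    if len(body) > MAX_BODY:
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != ROOT_TAG:
        return []
    return [e.text.strip() for e in root.findall(URL_TAG) if e.text and e.text.strip()]


def choose_token_endpoint(advertised, trusted_hosts):
    """Pick the first advertised URL that is https and on a host the client already trusts.

    The 401 body is unauthenticated: whoever answers the request (or tampers with it)
    could point the client at an endpoint of their choosing, so the advertised list is
    used only to select among endpoints the client was configured to trust.
    """
    for url in advertised:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname in trusted_hosts:
            return url
    return None


if __name__ == "__main__":
    # Constructed sample: the resource accepts tokens from two issuers and advertises both.
    status, headers, body = build_unauthorized_response(
        ["https://sso.partner.example/wrap/token", "https://auth.example.com/wrap/token"]
    )
    print(status, headers["Content-Type"])
    print(body)
    urls = parse_authorization_info(headers["Content-Type"], body)
    # This client only trusts its own issuer, so the partner's endpoint is ignored.
    print(choose_token_endpoint(urls, {"auth.example.com"}))
```

Run stand-alone it prints the 401 status and media type, the XML body with both advertised endpoints, and `https://auth.example.com/wrap/token`, the one endpoint on the client's trusted host. A resource that serves many tenants can still advertise only the endpoints relevant to the requesting client (for instance keyed on the tenant in the request URL), which avoids the customer-list disclosure Allen describes.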
