1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. fapi
  4. Issues

Grant Management API error responses

Issue #376 resolved
Filip Skokan created an issue

The section only speaks of status codes, not the whole responses (i.e. actual error codes suited for the different scenarios)

Furthermore:

If the resource URL is unknown, the authorization server responds with HTTP status code 400.

We should not dictate authorization server’s behaviour when non-existent endpoints (resource URLs) are accessed. If that is what this line intends to target that is.

If the client is not authorized to perform a call, the authorization server responds with HTTP status code 403.

I can’t see a scenario where this would happen. Given that access to this API is gated by an access token it’s in the step that issues that access token that a client would get a rejection to that access token request.

If the request lacks a valid access token, the authorization server responds with HTTP status code 401.

With an error code invalid_token i assume?

Comments (7)

  1. Torsten Lodderstedt

    We should not dictate authorization server’s behaviour when non-existent endpoints (resource URLs) are accessed. If that is what this line intends to target that is.

    Isn’t that contradicting interoperability? BTW: I think 404 is better suited here.

    I can’t see a scenario where this would happen. Given that access to this API is gated by an access token it’s in the step that issues that access token that a client would get a rejection to that access token request.

    The spec states

    grant_management_query: scope value the client uses to request an access token to query the status of its grants.

    meaning a given access token represents the authorization to access the grants of a certain client. If the client tries to access grants of other clients, the AS would refuse access with HTTP status code 403.

    With an error code invalid_token i assume?

    good point. I checked RFC 6750 and was surprised to see this error code. So basically: yes. Out of curiosity: How many APIs use that error code?

  2. Filip Skokan reporter

    Isn’t that contradicting interoperability? BTW: I think 404 is better suited here.

    Of course it is better suited, which is also what triggered my creating this issue. Nevertheless, if I do not support a given endpoint, i cannot ensure it will be responded to it in a protocol-defined way, regardless of what the definition is (404 or 400). That would mean me having to define it. We can’t dictate invalid route behaviours for all authorization servers here.

    meaning a given access token represents the authorization to access the grants of a certain client. If the client tries to access grants of other clients, the AS would refuse access with HTTP status code 403.

    Fair enough, i’d rather dictate an error code (e.g. in the sense of RFC6750 use and error response handling). It could re-use insufficient_scope which also states 403 SHOULD be used and also defines a www-authenticate scope attribute for communicating the missing scope.

  3. Stuart Low

    Of course it is better suited, which is also what triggered my creating this issue. Nevertheless, if I do not support a given endpoint, i cannot ensure it will be responded to it in a protocol-defined way, regardless of what the definition is (404 or 400). That would mean me having to define it. We can’t dictate invalid route behaviours for all authorization servers here.

    Which code aside, for information disclosure reasons, the behaviour of GET /grant/xx should be the same for both non existent grants and ones for which the client does not have access.

  8. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Component
Grant Management
Milestone
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!