ids-specification

Incorrect HTTP Response Status Code for Unauthorized Access

Open hqarawlus opened this issue 1 year ago • 2 comments

Hello,

I noticed an incorrect HTTP response status code being returned on the specification definition pages of Contract Negotiation and Transfer Process. The specifications define a return code 404 (Not Found) in case of Unauthorized Access. I am curious as to why this code was chosen instead of the widely known and used 401 (Unauthorized Access)?

Here are the snippets where I found the use of 404.

Thanks in advance!

https://github.com/International-Data-Spaces-Association/ids-specification/blob/36960607a67793e3fc5089655102ac6d5b9b5445/negotiation/contract.negotiation.binding.https.md?plain=1#L80-L82

https://github.com/International-Data-Spaces-Association/ids-specification/blob/36960607a67793e3fc5089655102ac6d5b9b5445/transfer/transfer.process.binding.https.md?plain=1#L45-L47

hqarawlus, Feb 27 '24 10:02

We've discussed that in the group some weeks ago. For security reasons, it is common practice to return a 404 instead of a 401 or 403 to avoid drawing conclusions about the existence or non-existence of a resource (negotiation, transfer).

juliapampus, Feb 27 '24 14:02
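The practice juliapampus describes, shown as an added example that is not part of this thread or of the ids-specification project: a lookup handler for a negotiation resource, once with per-condition status codes (404 for a missing id, 403 for an id owned by another participant) and once with every failure collapsed into one identical response. The `NEGOTIATIONS` table, the participant ids and the `Response` type are constructed for the example; the HTTPS binding's actual authentication mechanism is assumed to have already produced the `caller` id. The example goes slightly beyond the thread in one respect: the uniform handler takes the status code as a parameter, so the same check applies whether the group keeps 404 or adopts the 400 that is suggested later in the thread.

```python
"""Uniform error responses for negotiation/transfer lookups (added example)."""
from dataclasses import dataclass
from http import HTTPStatus

# Constructed sample data: negotiation ids and the participant that owns each.
NEGOTIATIONS = {
    "neg-1001": {"owner": "participant-A", "state": "REQUESTED"},
    "neg-1002": {"owner": "participant-B", "state": "OFFERED"},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def lookup_leaky(neg_id, caller):
    """Per-condition codes: 404 if the id is unknown, 403 if it belongs to
    another participant. The 403/404 split tells any authenticated client
    whether a given negotiation id exists, even one it is not party to."""
    neg = NEGOTIATIONS.get(neg_id)
    if neg is None:
        return Response(HTTPStatus.NOT_FOUND, {"error": "not found"})
    if neg["owner"] != caller:
        return Response(HTTPStatus.FORBIDDEN, {"error": "not a party to this negotiation"})
    return Response(HTTPStatus.OK, {"id": neg_id, "state": neg["state"]})


def lookup_uniform(neg_id, caller, code=HTTPStatus.NOT_FOUND):
    """Same checks, but 'unknown id' and 'not your negotiation' produce one
    byte-identical response (status and body), so the caller learns nothing
    about existence. `code` is a hypothetical parameter: 404 as in the spec,
    or any other single code, works as long as it is the same in both cases."""
    neg = NEGOTIATIONS.get(neg_id)
    if neg is None or neg["owner"] != caller:
        return Response(code, {"error": "not found"})
    return Response(HTTPStatus.OK, {"id": neg_id, "state": neg["state"]})


def leaks_existence(lookup, caller):
    """Defender-side check: does a caller who is not party to an existing
    negotiation receive a different response than for a nonexistent id?
    Compares the whole Response, since a differing body leaks as much as a
    differing status code."""
    existing = lookup("neg-1002", caller)          # exists, owned by participant-B
    missing = lookup("neg-does-not-exist", caller)  # no such negotiation
    return existing != missing


if __name__ == "__main__":
    print("leaky handler leaks existence:", leaks_existence(lookup_leaky, "participant-A"))
    print("uniform handler leaks existence:", leaks_existence(lookup_uniform, "participant-A"))
```

The check in `leaks_existence` is the property worth adding to a conformance test suite: the choice of number (404, 400) matters less than the guarantee that an unauthorized caller cannot tell the two failure cases apart, and that includes identical response bodies and headers, not only the status line.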

Thanks for the response. I believe however 404 is being misused here, since it is designed to specifically indicate that an endpoint does not exist. In this scenario, a more generic code (400 - Bad Request) should be returned whenever a certain criterion is not fulfilled in order to maintain the security level. Nevertheless, since the IDSA is working outside the defined HTTP standard codes here, it would be helpful to mention in the documentation that the standard is not being followed.

hqarawlus, Feb 27 '24 14:02