
401 vs. 403

Status: Open. nb opened this issue 14 years ago • 3 comments

The spec requires that providers respond with 401 Unauthorized to private resources.

The HTTP 1.1 spec, however, says:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

401 is only for when the user can authenticate to view the resource, but didn't. Like when you try to access a URL under basic auth and didn't provide username and password.

In the case of private resources, 403 Forbidden should be used, instead of 401 Unauthorized. 403's description depicts our situation very well:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.

nb (Jul 15 '11 08:07)

Would it make more sense to allow either, depending on whether authentication is possible?

iamcal (Jul 20 '11 01:07)

The oEmbed request is a normal HTTP request, so all HTTP error codes in the response are allowed. The only question is which ones do you choose to have a special meaning in terms of the oEmbed protocol.

I can't think of a common use case in which HTTP authentication would be possible, so I wouldn't include 401 in the spec.

nb (Jul 20 '11 19:07)

Seems reasonable. PR the change and it'll be merged.

iamcal (May 27 '14 18:05)
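Putting the thread's conclusion into code, as an added example that is not part of the oEmbed spec, the oembed project, or anyone's comment above: a minimal provider-side responder that answers 403 for private resources, reserves 401 for the case where the provider genuinely offers a way to authenticate (and then attaches the WWW-Authenticate challenge that RFC 2616 section 10.4.2 requires), and a small check that flags a 401 missing that header. The resource catalogue, the bearer tokens, and the `oembed_response` / `check_response` names are constructed assumptions, not anything from the spec.

```python
"""Status-code handling for an oEmbed-style endpoint (added example, not spec code)."""
from __future__ import annotations

import json
from typing import Optional

# Constructed sample catalogue: resource URL -> visibility and owner.
RESOURCES = {
    "https://example.com/video/public1": {"private": False, "owner": None},
    "https://example.com/video/private7": {"private": True, "owner": "alice"},
}

# Constructed sample credential store: hypothetical bearer token -> user name.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def _user_from_header(authorization: Optional[str]) -> Optional[str]:
    """Resolve an Authorization header to a user, or None if absent/unknown."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    return TOKENS.get(authorization[len("Bearer "):])


def oembed_response(url: str, authorization: Optional[str] = None,
                    auth_supported: bool = False) -> tuple[int, dict, str]:
    """Return (status, headers, body) for an oEmbed request for `url`.

    404  unknown resource
    200  public resource, or a private one requested by its owner
    403  private resource when the provider offers no authentication, or the
         caller is authenticated but not allowed: "Authorization will not
         help" (RFC 2616 10.4.4), so no challenge is attached
    401  only when the provider supports authentication and the caller gave
         no usable credentials; the challenge header is mandatory (10.4.2)
    """
    res = RESOURCES.get(url)
    if res is None:
        return 404, {}, ""
    json_headers = {"Content-Type": "application/json"}
    if not res["private"]:
        return 200, json_headers, json.dumps({"type": "video", "version": "1.0"})

    # Credentials are only meaningful if this provider actually does authentication.
    user = _user_from_header(authorization) if auth_supported else None
    if user is not None and user == res["owner"]:
        return 200, json_headers, json.dumps({"type": "video", "version": "1.0"})
    if auth_supported and user is None:
        # Authentication is possible but missing or invalid: challenge the client.
        return 401, {"WWW-Authenticate": 'Bearer realm="oembed"'}, ""
    # Either the provider cannot authenticate anyone, or the caller is known
    # and still not permitted: retrying with credentials will not help.
    return 403, {}, ""


def check_response(status: int, headers: dict) -> list[str]:
    """Return spec-compliance problems found in a provider response."""
    problems = []
    if status == 401 and "WWW-Authenticate" not in headers:
        problems.append("401 without WWW-Authenticate challenge (RFC 2616 10.4.2)")
    if status == 403 and "WWW-Authenticate" in headers:
        problems.append("403 carries a challenge although authorization will not help")
    return problems


if __name__ == "__main__":
    for url, auth, supported in [
        ("https://example.com/video/public1", None, False),
        ("https://example.com/video/private7", None, False),
        ("https://example.com/video/private7", None, True),
        ("https://example.com/video/private7", "Bearer tok-bob", True),
        ("https://example.com/video/private7", "Bearer tok-alice", True),
    ]:
        status, headers, _ = oembed_response(url, auth, supported)
        print(status, headers, check_response(status, headers))
```

The decisive branch is the `auth_supported` flag: a provider that has no login mechanism for embed consumers never emits 401 for a private resource, which is exactly the position the thread settles on, while a provider that does offer one can answer 401 without violating either spec as long as the challenge header travels with it.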