oauth2-server
Response code when `Authorization` header or `client_id` is missing
AbstractGrant throws 400 Bad Request in case it's not able to retrieve `client_id` from the request while validating the client. Wouldn't it be better to return 401 Unauthorized in case no client credentials are provided?
https://tools.ietf.org/html/rfc6749#section-5.2
invalid_client Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
https://tools.ietf.org/html/rfc2617#section-3.2.1
If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code ...
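Added example, not code from oauth2-server or from the issue author: a language-neutral sketch (written in Python) of the client-authentication decision the two RFC passages above describe, so the 400/401 choice can be checked case by case. It assumes a constructed client registry (`CLIENTS`), a hypothetical realm name, and plain dicts for request headers and form body; it is not the library's API. Where the RFC only says MAY (no credentials at all), the code picks 401 with a `WWW-Authenticate` challenge; where the RFC says MUST (credentials sent in the `Authorization` header and rejected), it always answers 401 with a matching challenge; body-parameter failures fall back to the token endpoint's default 400.

```python
import base64
import binascii
import hmac
from urllib.parse import quote, unquote

# Constructed client registry (example data, not from the project): client_id -> secret.
# A confidential client has a non-empty secret; a public client has None.
CLIENTS = {
    "confidential-app": "s3cr3t",
    "public-spa": None,
}

REALM = "OAuth"  # hypothetical realm name used in the WWW-Authenticate challenge
_UNKNOWN = object()


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization value the way RFC 6749 section 2.3.1 requires:
    client_id and secret are form-urlencoded first, then base64-encoded as id:secret."""
    raw = "%s:%s" % (quote(client_id, safe=""), quote(secret, safe=""))
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def _parse_basic(header_value):
    """Return (client_id, secret) from a Basic Authorization header, or None if it is not
    a parseable Basic credential (wrong scheme, bad base64, missing colon)."""
    scheme, _, param = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, secret = decoded.partition(":")
    if not sep or not user:
        return None
    return unquote(user), unquote(secret)


def _error(status, code, description, www_authenticate=None):
    """Token-endpoint error response as (status, headers, json_body), per RFC 6749 section 5.2."""
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if www_authenticate is not None:
        headers["WWW-Authenticate"] = www_authenticate
    return status, headers, {"error": code, "error_description": description}


def authenticate_client(headers, form):
    """Authenticate the client of a token request.

    headers: dict of HTTP request headers (looked up case-insensitively).
    form:    dict of the application/x-www-form-urlencoded body parameters.
    Returns (client_id, None) on success, or (None, (status, headers, body)) on failure.
    """
    auth_header = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    challenge = 'Basic realm="%s"' % REALM

    if auth_header is not None:
        # The client used the Authorization header: any failure MUST be 401 plus a
        # WWW-Authenticate header matching the scheme the client used.
        creds = _parse_basic(auth_header)
        if creds is None:
            return None, _error(401, "invalid_client",
                                "unsupported or malformed client authentication", challenge)
        client_id, secret = creds
    elif "client_id" in form:
        # Credentials in the request body (RFC 6749 section 2.3.1, allowed but not recommended).
        client_id = form["client_id"]
        secret = form.get("client_secret", "")
    else:
        # No client authentication at all. The RFC only says the server MAY use 401 here;
        # this example does, and advertises the supported scheme in the challenge.
        return None, _error(401, "invalid_client",
                            "no client authentication included", challenge)

    registered = CLIENTS.get(client_id, _UNKNOWN)
    if registered is _UNKNOWN:
        ok = False                      # unknown client
    elif registered is None:
        ok = secret == ""               # public client: nothing to verify beyond identity
    else:
        # Constant-time comparison so a wrong secret does not leak how many bytes matched.
        ok = hmac.compare_digest(registered.encode("utf-8"), secret.encode("utf-8"))

    if ok:
        return client_id, None
    if auth_header is not None:
        return None, _error(401, "invalid_client", "client authentication failed", challenge)
    # Body-parameter credentials: the 401 MUST does not apply; 400 is the default error status.
    return None, _error(400, "invalid_client", "client authentication failed")
```

The split worth noticing is that `WWW-Authenticate` is only ever emitted together with a 401: a 400 carrying a challenge, or a 401 without one for a client that did use the header, would both violate the quoted text.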