https://issues.apache.org/bugzilla/show_bug.cgi?id=56555
--- Comment #4 from Brett <lee.br...@gmail.com> ---

Thanks for the info, but the conflict here is that the OAuth2 specification requires a status code 400 in this case.

From http://tools.ietf.org/html/rfc6749#section-5.2 :

"The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise)..."

and goes on to list the only exception as "invalid_client", wherein "[t]he authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported."

Our particular error condition in this case is "invalid_grant", which according to the spec appears to get the default 400 status code. This is how we've implemented it, and this is how our clients are expecting it :/

I am puzzled because we can't be the only ones that have encountered this issue. However, I have not found anything in the last two days online where anyone has even brought this up as an issue before.
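The status-code rule quoted above, as an added example that is not part of the bug report or of Tomcat: a Python builder for an RFC 6749 section 5.2 token-endpoint error response (400 by default, 401 plus WWW-Authenticate for invalid_client when the client authenticated with an Authorization header, which the RFC makes a MUST), next to the check a conformant client would apply before trusting a response as an OAuth2 error. Function names and the realm value are assumptions.

```python
import json

# Error codes registered for the token endpoint in RFC 6749 section 5.2.
TOKEN_ERRORS = {"invalid_request", "invalid_client", "invalid_grant",
                "unauthorized_client", "unsupported_grant_type", "invalid_scope"}


def token_error_response(error, description=None, error_uri=None,
                         basic_auth_used=False, realm="token"):
    """Build a section 5.2 error response as (status, headers, body).

    Every registered error maps to 400. The single exception is
    invalid_client: when the client sent HTTP Basic credentials in an
    Authorization header, the server answers 401 and names that scheme
    in WWW-Authenticate (assumption: Basic is the only scheme offered).
    """
    if error not in TOKEN_ERRORS:
        raise ValueError("unregistered token error code: %r" % error)
    payload = {"error": error}
    if description is not None:
        payload["error_description"] = description
    if error_uri is not None:
        payload["error_uri"] = error_uri
    headers = {"Content-Type": "application/json;charset=UTF-8",
               "Cache-Control": "no-store",   # section 5.2 requires both
               "Pragma": "no-cache"}
    status = 400
    if error == "invalid_client" and basic_auth_used:
        status = 401
        headers["WWW-Authenticate"] = 'Basic realm="%s"' % realm
    return status, headers, json.dumps(payload)


def parse_token_error(status, headers, body):
    """Client side: return the error code only for a conformant response.

    A bare 400 with an HTML body, or a 500, yields None so the client can
    treat it as a transport/server failure rather than an OAuth2 error.
    """
    if status not in (400, 401):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    error = payload.get("error")
    return error if error in TOKEN_ERRORS else None
```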